match protocol http will do the job

Date: Wed, 8 Jun 2011 20:56:00 +0800
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Doubts on Zone based firewall

hi Guys

some additional basic doubts... when it's being asked to inspect http traffic for example, will we need:

- only "match protocol http"?
- or both "match protocol http" and "match protocol tcp"?

I'm confused whether tcp or udp always needs to be there or not when an application layer protocol is required to be inspected.

thanks in advance

Regards
KY

On Tue, May 17, 2011 at 7:50 PM, Nick Montante <[email protected]> wrote:

I understand your point, Bruno, but the inspection only occurs on the traffic matched in your ACL. If you have an ACL matching telnet, and your class-map matches this ACL, inspection will only occur for TCP/23. I believe that ZFW will identify that traffic as telnet (since it is coming across TCP/23) and will inspect it as such.

From: Bruno [mailto:[email protected]]
Sent: Tuesday, May 17, 2011 7:47 AM
To: Nick Montante
Cc: Kingsley Charles; Kok Yong CHEONG; [email protected]
Subject: Re: [OSL | CCIE_Security] Doubts on Zone based firewall

Well, if I read "all protocols will be inspected" when only wanting to have telnet specifically, I would say that it is for sure something I do not want. I would still go with match protocol xxxx as required.

On Tue, May 17, 2011 at 8:38 AM, Nick Montante <[email protected]> wrote:

My understanding is that a "match protocol" statement is not required; however, if you do not match any traffic using NBAR and you only match it in your ACL, it will still work as expected but it will throw a warning when configured (and at boot) that "no protocol was specified, so all protocols will be inspected".

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, May 17, 2011 7:11 AM
To: Bruno
Cc: Kok Yong CHEONG; [email protected]
Subject: Re: [OSL | CCIE_Security] Doubts on Zone based firewall

I don't think so. All the above given config should work. "match protocol" is not mandatory for a class-map.

With regards
Kings

On Tue, May 17, 2011 at 3:30 PM, Bruno <[email protected]> wrote:

Keep in mind that ZBF requires at least one match protocol statement on class-maps. With that said, some options you said will not work.

On Tue, May 17, 2011 at 4:40 AM, Kingsley Charles <[email protected]> wrote:

If you are matching the protocol in the access-list, then you need not specify "match protocol xxx".

With regards
Kings

On Tue, May 17, 2011 at 1:02 PM, Kok Yong CHEONG <[email protected]> wrote:

hi

Thanks for your input. For the example of smtp, based on your explanation, there isn't a need to "match protocol smtp" then? Since the access-list already mentioned port 25, which also means matching the smtp protocol from the access-list?

My main doubt was whether I need to specify "match protocol xxx" since I've already kind of mentioned it in the ACL with "access-list 122 permit tcp any host 192.1.1.200 eq 25".

thanks in advance

regards
KY

On Tue, May 17, 2011 at 2:35 PM, Kingsley Charles <[email protected]> wrote:

Option A is simple and will work.

Option B can be configured in either of two ways:

    access-list 121 permit ip any host 192.1.1.100
    access-list 122 permit ip any host 192.1.1.200
    !
    class-map type inspect match-all CM-I-D-SMTP
     match access-group 122
     match protocol smtp
    class-map type inspect match-all CM-I-D-WEB
     match access-group 121
     match protocol http
    !
    policy-map type inspect PM-I-D
     class type inspect CM-I-D-WEB
      inspect
     class type inspect CM-I-D-SMTP
      inspect

or

    access-list 121 permit tcp any host 192.1.1.100 eq 80
    access-list 122 permit tcp any host 192.1.1.200 eq 25
    !
    class-map type inspect match-all CM-I-D-SMTP
     match access-group 122
    class-map type inspect match-all CM-I-D-WEB
     match access-group 121
    !
    policy-map type inspect PM-I-D
     class type inspect CM-I-D-WEB
      inspect
     class type inspect CM-I-D-SMTP
      inspect

With regards
Kings

On Tue, May 17, 2011 at 11:33 AM, Kok Yong CHEONG <[email protected]> wrote:

hi Guys

I'd like to clear my doubts on ZBF. A practice question like:

configure zone policy coming in from internet to DMZ as follows:
1) allow web access to a server 192.1.1.100 located on the DMZ zone
2) allow smtp access to server 192.1.1.200 located in the DMZ zone

will the config be (a) or (b):

(a)

    access-list 124 permit tcp any host 192.1.1.100 eq 80
    access-list 124 permit tcp any host 192.1.1.200 eq 25
    !
    class-map type inspect C-I-D
     match access-group 124
    !
    policy-map type inspect P-I-D
     class type inspect C-I-D
      inspect

OR

(b)

    access-list 121 permit tcp any host 192.1.1.100 eq 80
    access-list 122 permit tcp any host 192.1.1.200 eq 25
    !
    class-map type inspect match-all CM-I-D-SMTP
     match access-group 122
     match protocol smtp       ------> why do we still need to mention SMTP?
    class-map type inspect match-all CM-I-D-WEB
     match access-group 121
     match protocol http       ------> why do we still need to mention http?
    !
    policy-map type inspect PM-I-D
     class type inspect CM-I-D-WEB
      inspect
     class type inspect CM-I-D-SMTP
      inspect

My main doubt for (b) is why we need "match protocol smtp", since it never mentioned layer 7 inspection. I would expect the access-list to be sufficient to define the traffic as http traffic already? Or do we need both the acl and the protocol to make it complete?

appreciate your effort to enlighten me..

thanks in advance

regards
KY

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional

This communication is the property of ClarkDietrich Building Systems LLC and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply and destroy all copies of the communication and any attachments.
