Hello Krishna 

Mmm, I see a problem there: 

class-map type inspect match-all test
 match protocol http
 match protocol https
 match access-group name test

You will be expecting a packet that comes with protocols http and https on the 
same packet, hence it will drop all http/https traffic. 

Mike. 
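
As an added example (not part of the thread), the same intent written so the two protocol matches are OR'ed and only the ACL is AND'ed with them, next to the posted match-all version; the ACL name test and the zone names come from Krishna's config, the server address 192.0.2.10 is a placeholder:

```cisco
! Posted form, kept for comparison: match-all needs every line to match the
! same flow, so an HTTP flow fails "match protocol https" and is never inspected.
class-map type inspect match-all test
 match protocol http
 match protocol https
 match access-group name test
!
! Corrected form: OR the protocols in a match-any class-map, then AND that
! class-map with the ACL in a match-all class-map (nested class-map).
class-map type inspect match-any web-protocols
 match protocol http
 match protocol https
!
class-map type inspect match-all web-to-server
 match access-group name test
 match class-map web-protocols
!
! ACL narrowed to the single server (placeholder address) on 443 and 80,
! so "all protocols" of that host are not inspected, only web traffic.
ip access-list extended test
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq www
 deny   ip any any
!
policy-map type inspect test
 class type inspect web-to-server
  inspect
 class class-default
  drop
!
zone-pair security internal source external destination internal
 service-policy type inspect test
```

A quick check after applying it is "show policy-map type inspect zone-pair" on the router, where the session counters for web-to-server should increment for both HTTP and HTTPS flows.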



Date: Mon, 6 Aug 2012 09:13:11 +1000
Subject: Re: [OSL | CCIE_Security] Zone based firewall
From: [email protected]
To: [email protected]

Hi Mike,
Please find the solution.
class-map type inspect match-all test
 match protocol http
 match protocol https
 match access-group name test
!
policy-map type inspect test
 class type inspect test
  inspect
!
ip access-list extended test
 permit tcp any any eq 443
 permit tcp any any eq www
 deny   ip any any
!
interface FastEthernet0/0
 no ip address
 zone-member security internal
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 zone-member security external
 duplex auto
 speed auto
!
zone security internal
zone security external
zone-pair security internal source external destination internal
 service-policy type inspect test

I tried it; it will inspect the 443 and 80 traffic.

Regards,
Krishna

On Mon, Aug 6, 2012 at 4:34 AM, Mike Rojas <[email protected]> wrote:
Couple of questions. 

I saw an exercise that they asked you to permit (Truly hate that word when it 
comes to ZONE BASED FIREWALL) trace route from outside to inside, on the 
solution they put that they need to inspect from inside to outside ICMP but 
from outside to inside they put pass on it. 


Life experience teaches me that if you have something being inspected but from 
the other zone pair it is passing it, the firewall will drop it. I don't know 
why they do it like that. I just put inspect on it. 

Another thing is with servers, when they tell you to allow only to one server 
on port 443 and 80. If you do it with only an access list, it says "all 
protocols will be inspected" which sounds fine by me, but I know I have to 
narrow it down using ACL plus the protocol. On the solution it was using 
TCP+the ACL, it was not inspecting the protocol. 


Mike 

_______________________________________________

For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com



Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com