Hello Krishna Mmm, I see a problem there:
class-map type inspect match-all test match protocol http match protocol https match access-group name test You will be expecting a packet that comes with protocols http and https on the same packet, hence it will drop all http/https traffic. Mike. Date: Mon, 6 Aug 2012 09:13:11 +1000 Subject: Re: [OSL | CCIE_Security] Zone based firewall From: [email protected] To: [email protected] hi Mike, please find the solution . class-map type inspect match-all test match protocol http match protocol https match access-group name test !!policy-map type inspect test class type inspect test inspect ip access-list extended test permit tcp any any eq 443 permit tcp any any eq www deny ip any any! interface FastEthernet0/0 no ip address zone-member security internal duplex auto speed auto!interface FastEthernet0/1 no ip address zone-member security external duplex auto speed auto zone security internalzone security externalzone-pair security internal source external destination internal service-policy type inspect test i tried it will inspect the 443 and 80 traffic. regardskrishna On Mon, Aug 6, 2012 at 4:34 AM, Mike Rojas <[email protected]> wrote: Couple of questions. I saw an exercise that they asked you to permit (Truly hate that word when it comes to ZONE BASED FIREWALL) trace route from outside to inside, on the solution they put that they need to inspect from inside to outside ICMP but from outside to inside they put pass on it. Life experience teach me that if you have something being inspected but from the other zone pair, it is passing it, the firewall will drop it. I dont know why they do it like that. I just put inspect on it. Another thing is with servers, when they tell you to allow only to one server on port 443 and 80. If you do it with only an access list, it says "all protocols will be inspected" which sounds fine by me, but I know I have to narrow it down using ACL plus the protocol. On the solution it was using TCP+the ACL, it was not inspecting the protocol. Mike _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
