Mike,
for Unix-style traceroute it would be UDP for outgoing traffic, not ICMP.
Hence you would face a slight problem here inspecting UDP on its way out
and poking holes for ICMP unreachable/ttl-expired coming back.
So they must be passing (or inspecting, which makes less sense but is still
a working solution) UDP 33434-33524.
Cheers
A.
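The split A. describes, written out as a Cisco IOS zone-based firewall fragment (an added example, not from either poster; the zone and interface names are assumed): the outbound UDP probes in the traceroute port range are inspected, while the ICMP time-exceeded and unreachable replies coming back are passed statelessly on the reverse zone-pair.

```text
! ACLs that pin down the traffic involved in a Unix-style traceroute
ip access-list extended TRACEROUTE-UDP
 permit udp any any range 33434 33524
ip access-list extended TRACEROUTE-ICMP-REPLIES
 permit icmp any any time-exceeded
 permit icmp any any unreachable
!
! Outbound: the UDP probes, inspected (stateful)
class-map type inspect match-all CM-TRACEROUTE-OUT
 match access-group name TRACEROUTE-UDP
 match protocol udp
!
! Inbound: only the two ICMP error types traceroute relies on
class-map type inspect match-all CM-TRACEROUTE-REPLIES
 match access-group name TRACEROUTE-ICMP-REPLIES
 match protocol icmp
!
policy-map type inspect PM-IN-OUT
 class type inspect CM-TRACEROUTE-OUT
  inspect
 class class-default
  drop
!
policy-map type inspect PM-OUT-IN
 class type inspect CM-TRACEROUTE-REPLIES
  pass
 class class-default
  drop
!
! Zone names and interfaces are assumptions for the example
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
```

Because `pass` keeps no state, the inbound class is deliberately limited to the two ICMP error types rather than all of ICMP; `show policy-map type inspect zone-pair` lets you confirm which class the return traffic actually hits.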
On 8/6/2012 4:34 AM, Mike Rojas wrote:
Couple of questions.
I saw an exercise that they asked you to permit (Truly hate that word
when it comes to ZONE BASED FIREWALL) traceroute from outside to
inside; on the solution they put that they need to inspect from inside
to outside ICMP, but from outside to inside they put pass on it.
Life experience taught me that if you have something being inspected,
but from the other zone pair it is passing it, the firewall will
drop it. I don't know why they do it like that. I just put inspect on it.
Another thing is with servers, when they tell you to allow only to one
server on port 443 and 80. If you do it with only an access list, it
says "all protocols will be inspected" which sounds fine by me, but I
know I have to narrow it down using ACL plus the protocol. On the
solution it was using TCP+the ACL, it was not inspecting the protocol.
Mike
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com