So, what would be the best way to address a situation like this? I mean when 
the task doesn't explicitly say what kind of traceroute it will be.
Could we make do with a class-map matching ICMP and UDP with a range of ports 
applied to a policy map in one direction (INSIDE-OUTSIDE) and a class-map 
matching ICMP port-unreachable and time-exceeded applied to a policy map 
for the return path (OUTSIDE-INSIDE) with the action to pass?

Eugene
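One way to lay out the zone-based firewall pieces described above, as an added example that is not part of this thread or any vendor documentation. Zone names, ACL names and class/policy names are assumptions; the UDP port range is the one quoted in the thread.

```cisco
! Constructed example - names are assumptions, not from the thread
! Probes leaving INSIDE: UDP (Unix traceroute) or ICMP echo (tracert)
ip access-list extended TRACEROUTE-PROBES
 remark UDP probe range as quoted in the thread
 permit udp any any range 33434 33524
 remark ICMP echo probes for Windows-style tracert
 permit icmp any any echo

! Replies coming back from OUTSIDE: ICMP errors each hop generates
ip access-list extended TRACEROUTE-REPLIES
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 remark echo-reply is needed only for the ICMP-based variant
 permit icmp any any echo-reply

class-map type inspect match-any CM-TRACEROUTE-OUT
 match access-group name TRACEROUTE-PROBES

class-map type inspect match-any CM-TRACEROUTE-BACK
 match access-group name TRACEROUTE-REPLIES

! pass is stateless: each direction needs its own explicit class
policy-map type inspect PM-INSIDE-OUTSIDE
 class type inspect CM-TRACEROUTE-OUT
  pass
 class class-default
  drop log

policy-map type inspect PM-OUTSIDE-INSIDE
 class type inspect CM-TRACEROUTE-BACK
  pass
 class class-default
  drop log

zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-INSIDE
```

Because pass creates no session state, nothing ties the returning ICMP errors to an outgoing probe, so keeping the reply ACL limited to time-exceeded and port-unreachable (and narrowing the any/any to the real address ranges) is what keeps the hole small.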

On Aug 6, 2012, at 4:08 AM, "Alexei Monastyrnyi" 
<[email protected]> wrote:

Mike,
for Unix-style traceroute it would be UDP for outgoing traffic, not ICMP. Hence 
you would face a slight problem here inspecting UDP on its way out and poking 
holes for ICMP unreachable/ttl-expired coming back.

So they must be passing (or inspecting, which makes less sense but is still a 
working solution) UDP 33434-33524.

Cheers
A.


On 8/6/2012 4:34 AM, Mike Rojas wrote:
Couple of questions.

I saw an exercise that asked you to permit (truly hate that word when it 
comes to ZONE BASED FIREWALL) traceroute from outside to inside. In the 
solution they put that they need to inspect ICMP from inside to outside, but 
from outside to inside they put pass on it.

Life experience teaches me that if you have something being inspected but from 
the other zone pair it is passing it, the firewall will drop it. I don't know 
why they do it like that. I just put inspect on it.

Another thing is with servers, when they tell you to allow access only to one server 
on ports 443 and 80. If you do it with only an access list, it says "all 
protocols will be inspected", which sounds fine by me, but I know I have to 
narrow it down using the ACL plus the protocol. The solution was using 
TCP + the ACL; it was not inspecting the protocol.

Mike



_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com