Eugene Check with Proctor.
For traceroute, use pass action on both sides. That would be safe. Make sure, pass action is on top as if that traffic in being inspected, it will be dropped. For example, if you are inspecting all "ip" traffic that would be an issue. With regards Kings CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security) On Mon, Aug 6, 2012 at 11:00 PM, Eugene Pefti <[email protected]>wrote: > So, what would be the best way to address the situation like this? I > mean when the task doesn't explicitly says what kind of traceroute it will > be. > Could we make do with a class-map matching ICMP and UDP with a range of > ports applied to a policy map in one direction (INSIDE-OUTSIDE) and a > class-map matching ICMP port-unreachable and time-exceeded and applied to a > policy map for the return path (OUTSIDE-INSIDE) with the action to pass. > > Eugene > > On Aug 6, 2012, at 4:08 AM, "Alexei Monastyrnyi" <[email protected]> > wrote: > > Mike, > for Unix-style traceroute it would UDP for outgoing traffic, not ICMP. > Hence you would face a slight problem here inspecting UDP on its way out > and poking holes for ICMP unreachable/ttl-expired coming back. > > So they must be passing (or inspecting which males less sense but still a > working solution) UDP 33434-33524. > > Cheers > A. > > > On 8/6/2012 4:34 AM, Mike Rojas wrote: > > Couple of questions. > > I saw an exercise that they asked you to permit (Truly hate that word when > it comes to ZONE BASED FIREWALL) trace route from outside to inside, on the > solution they put that they need to inspect from inside to outside ICMP but > from outside to inside they put pass on it. > > Life experience teach me that if you have something being inspected but > from the other zone pair, it is passing it, the firewall will drop it. I > dont know why they do it like that. I just put inspect on it. > > Another thing is with servers, when they tell you to allow only to one > server on port 443 and 80. If you do it with only an access list, it says > "all protocols will be inspected" which sounds fine by me, but I know I > have to narrow it down using ACL plus the protocol. On the solution it was > using TCP+the ACL, it was not inspecting the protocol. > > Mike > > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com > > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com > > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
