Use deny to block the destinations from which Java applets should be blocked.
Snippet from http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4t/config-cbac-fw.html#GUID-5FF43CE6-BC53-41F6-9BBE-3F5ADCEA19B3

! The following access list defines "friendly" and "hostile" sites for Java
! applet blocking. Because Java applet blocking is defined in the inspection
! rule "myfw" and references access list 51, applets will be actively denied
! if they are from any of the "deny" addresses and allowed only if they are from
! either of the two "permit" networks.

With regards,
Kings
CCNA, CCSP, CCNP, CCIP, CCIE 35914 (Security)

On Thu, Aug 23, 2012 at 7:23 AM, Eugene Pefti <[email protected]> wrote:

> Guys,
>
> Strange situation. Two conflicting sources of information. Yusuf lab 2,
> task 2.4 asks to configure Java blocking with CBAC and the solution is to
> use the permit ACL, giving the following explanation:
>
> "To allow the trusted site for Java traffic, you need to use a permit
> statement in the java-list ACL. It is a common misconception to use a deny
> statement. The implicit deny statement drops Java packets from any other
> site automatically."
>
> I'm totally OK with it and this is what I thought was the right way.
>
> Then I'm listening to IPX audio training on the same topic and I hear
> quite the opposite. Brandon Carol says the following:
>
> "We create an ACL
>
> access-list 12 deny 10.1.1.100
> access-list 12 permit any
>
> Denies will be our exemptions for people that do not get filtered by the
> java list, and the permit for everybody else, and they would in fact be
> filtered by the java list."
>
> I'm trying to test it in my lab and configured it with both deny and
> permit statements, and to my surprise it is allowed regardless of the action
> in the ACL.
>
> I'm trying to access the ACS server, because its GUI is Java-based, from the
> Test PC through the router with CBAC HTTP inspect configured as follows:
>
> ip inspect name CBAC http java-list 1
>
> Eugene
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
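To make the semantics in the quoted Cisco snippet concrete, here is a constructed IOS configuration, added for this thread and not taken from the Cisco page or from either poster; the addresses, ACL number, interface and inspection-rule name are placeholders. It shows how the java-list ACL's permit and deny entries, plus the implicit deny, decide which sites' applets get through.

```cisco
! Constructed example; addresses, ACL number, interface and rule name are placeholders.
! The java-list ACL is evaluated against the web site serving the applet
! (the HTTP server's address), not against the client that requested it.
!
! Hostile sites: applets from these servers are actively denied.
access-list 51 deny   192.0.2.10
access-list 51 deny   192.0.2.20
!
! Friendly networks: applets from these sources are allowed.
access-list 51 permit 198.51.100.0 0.0.0.255
access-list 51 permit 203.0.113.0 0.0.0.255
!
! Everything else falls to the implicit deny and is blocked too. So:
!   "deny <host>" + "permit any"   blocks applets only from <host>, allows all others
!   "permit <trusted>" alone       allows applets only from <trusted>, blocks all others
! Either is valid; which one is "right" depends on whether the task asks for
! an allow-list of trusted sites or a block-list of hostile ones.
!
! Inspection rule: HTTP inspection with Java blocking bound to ACL 51.
ip inspect name myfw http java-list 51
!
! Apply the rule on the inside interface for sessions initiated from the
! trusted network; CBAC opens the return path for the inspected sessions.
interface GigabitEthernet0/0
 description inside
 ip inspect myfw in
!
! Read-only verification:
!   show ip inspect config      - confirms http inspection and java-list 51
!   show ip inspect sessions    - lists the HTTP sessions currently inspected
!
! Caveat from the Cisco CBAC documentation: applets that are archived or
! compressed (for example in .zip or .jar form) or fetched over HTTP on a
! non-standard port are not detected, so a lab test that passes regardless
! of the ACL action may be hitting one of these cases rather than an ACL bug.
```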
