Now if I want to do the same with ZFW, will it be correct? I want to stop hosts located in the INSIDE zone from downloading any Java-based web content except for the content from host 10.0.0.100.
access-list 1 permit host 10.0.0.100
!
class-map type inspect http match-all HTTP-JAVA-CM
 match response body java-applet
!
policy-map type inspect http HTTP-JAVA-PM
 class type inspect http HTTP-JAVA-CM
  reset
!
class-map type inspect match-all HTTP-TRAFF-CM
 match protocol http
 match access-group 1
!
policy-map type inspect OUTSIDE-INSIDE-PM
 class type inspect HTTP-TRAFF-CM
  inspect
  service-policy http HTTP-JAVA-PM
 class class-default
!
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-INSIDE-PM

Eugene

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, August 22, 2012 10:24 PM
To: Eugene Pefti
Cc: ccie security
Subject: Re: [OSL | CCIE_Security] Java list blocking

Use deny to block the destinations from where java-applets should be blocked.

Snippet from http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4t/config-cbac-fw.html#GUID-5FF43CE6-BC53-41F6-9BBE-3F5ADCEA19B3

! The following access list defines "friendly" and "hostile" sites for Java
! applet blocking. Because Java applet blocking is defined in the inspection
! rule "myfw" and references access list 51, applets will be actively denied
! if they are from any of the "deny" addresses and allowed only if they are from
! either of the two "permit" networks.

With regards
Kings
CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)

On Thu, Aug 23, 2012 at 7:23 AM, Eugene Pefti <[email protected]> wrote:

Guys,

Strange situation. Two conflicting sources of information. Yusuf lab 2, task 2.4 asks to configure Java blocking with CBAC, and the solution is to use the permit ACL, giving the following explanation: "To allow the trusted site for Java traffic, you need to use a permit statement in the java-list ACL. It is a common misconception to use a deny statement. The implicit deny statement drops Java packets from any other site automatically." I'm totally OK with it, and this is what I thought is the right way.
Then I'm listening to IPX audio training on the same topic and I hear quite the opposite. Brandon Carol says the following:

"We create an ACL

access-list 12 deny 10.1.1.100
access-list 12 permit any

Denies will be our exemptions for people that do not get filtered by the java list and the permit for everybody else and they would in fact be filtered by the java list."

I'm trying to test it in my lab and configured it with both deny and permit statements, and to my surprise it is allowed regardless of the action in the ACL. I'm trying to access the ACS server (because its GUI is Java-based) from the Test PC through the router with CBAC http inspect configured as follows:

ip inspect name CBAC http java-list 1

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
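The following is an added example, not part of the thread and not Cisco's code. It models the java-list rule as stated in the Cisco documentation quoted above (an applet is allowed only when the web server's source address hits a permit entry; a deny entry or the implicit deny at the end of the list blocks it) with a small standard-ACL evaluator (first match wins, IOS wildcard masks, "host" and "any" keywords), and runs the two ACLs from the thread plus a constructed wildcard entry through it. It is a model of the documented semantics only; it does not reproduce or explain what Eugene observed in his lab, and the zone-pair direction question is out of its scope.

```python
"""Model of CBAC java-list ACL evaluation as described in the quoted Cisco
documentation. Added example; not Cisco IOS code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    network: int     # IPv4 address as a 32-bit integer
    wildcard: int    # IOS wildcard mask: bits set to 1 are "don't care"

    def matches(self, addr: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (addr & care) == (self.network & care)


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} ...' lines into AclEntry objects.
    Accepts 'host A.B.C.D', 'any', 'A.B.C.D W.W.W.W' and a bare 'A.B.C.D'
    (which IOS treats as a single host). Non-ACL lines are ignored."""
    entries = []
    for line in lines:
        parts = line.lower().split()
        if not parts or parts[0] != "access-list":
            continue
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACL line: {line!r}")
        rest = parts[3:]
        if rest[0] == "any":
            net, wc = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            net, wc = int(ipaddress.IPv4Address(rest[1])), 0
        elif len(rest) == 2:
            net = int(ipaddress.IPv4Address(rest[0]))
            wc = int(ipaddress.IPv4Address(rest[1]))
        else:
            net, wc = int(ipaddress.IPv4Address(rest[0])), 0
        entries.append(AclEntry(action, net, wc))
    return entries


def acl_action(entries, addr_str):
    """First-match evaluation; the implicit deny at the end applies when
    nothing matches."""
    addr = int(ipaddress.IPv4Address(addr_str))
    for entry in entries:
        if entry.matches(addr):
            return entry.action
    return "deny"


def java_applet_allowed(java_list, server_addr):
    """Documented java-list semantics: permit == trusted server, applet passes;
    deny or implicit deny == applet blocked. server_addr is the address the
    applet is served from (the web server), not the browsing client."""
    return acl_action(java_list, server_addr) == "permit"


# Constructed inputs, taken from the ACLs discussed in the thread.
THREAD_ACL_1 = ["access-list 1 permit host 10.0.0.100"]
IPX_ACL_12 = ["access-list 12 deny 10.1.1.100",
              "access-list 12 permit any"]
# Constructed wildcard example in the style of the Cisco doc's list 51.
WILDCARD_ACL_51 = ["access-list 51 deny host 172.16.1.9",
                   "access-list 51 permit 172.16.1.0 0.0.0.255"]


def evaluate(acl_lines, servers):
    """Return {server_address: allowed?} for each applet source address."""
    entries = parse_standard_acl(acl_lines)
    return {s: java_applet_allowed(entries, s) for s in servers}


if __name__ == "__main__":
    print("ACL 1 :", evaluate(THREAD_ACL_1, ["10.0.0.100", "10.0.0.101"]))
    print("ACL 12:", evaluate(IPX_ACL_12, ["10.1.1.100", "10.1.1.101"]))
    print("ACL 51:", evaluate(WILDCARD_ACL_51,
                              ["172.16.1.9", "172.16.1.77", "172.16.2.77"]))
```

Under this reading, ACL 1 lets applets through only from 10.0.0.100 and blocks every other server via the implicit deny, while ACL 12 blocks applets from 10.1.1.100 and lets every other server through; whichever statement order a lab solution uses, the thing to verify on the router is which direction the java-list ACL is matched against (the applet's server address) before deciding whether the test result is surprising.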
