Hi, I've been working through WB Vol1 and have several questions and comments about section 2 (IOS Firewall):
1- Task 3 reflexive:
   - Solution has an IPv4 ACL entry for port 81; I don't see this in the question.
   - Solution matches from any when the question says from VLAN62.

2- Task 5 CBAC: for the HTTP port-map, I added an ACL to be more specific; should it include pre-NAT or post-NAT addresses or both?

   access-list 1 permit 172.41.41.198
   access-list 1 permit 172.41.41.199
   access-list 1 permit 10.10.11.199
   access-list 1 permit 10.10.11.198
   ip port-map http port tcp 8080 10080 list 1

3- Task 6 zone-based firewall: Solution: ip port-map http port tcp 9080 for IPv4 and an ACL for IPv6. I used a different approach; are my solutions valid or am I missing something?

   For IPv4, I created a user-defined PAM not to match port 80 and 9080:

   ip port-map user-http9080 port tcp 9080

   For IPv6, I don't have the option to create a user-defined port-map in IOS 15.2, so I thought of doing a combination of an ACL and adding to the system-defined HTTP port-map. So this config matches both ports 80 and 9080:

   ipv6 port-map http port 9080
   ipv6 access-list R5_ACL6
    permit ip any host 5::5
   class-map type inspect match-all OUT_DMZ_R5-6
    match protocol http
    match access-group name R5_ACL6

   I guess the ACL could be changed to "permit tcp any host 5::5 eq 9080" in order to be more specific.

Thanks,
Patrick
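As an added example (not the workbook solution and not from Patrick's post), this shows how the user-defined port-map from point 3 is consumed by a zone-based firewall policy and how to verify it; the zone, class-map, policy-map and interface names are assumptions.

```cisco
! Added example, not the workbook solution. Zone, class-map, policy-map and
! interface names are assumptions; only the port-map line comes from the post.
ip port-map user-http9080 port tcp 9080
!
! Inspect only the custom application; a user-defined PAM gets generic TCP
! inspection, not the HTTP application-layer inspection of the built-in "http" entry.
class-map type inspect match-all OUT_DMZ_R5
 match protocol user-http9080
!
policy-map type inspect OUT_DMZ
 class type inspect OUT_DMZ_R5
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
zone security DMZ
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUT_DMZ
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security DMZ
!
! Verification: confirm the mapping is user-defined and bound to tcp/9080,
! then confirm sessions are being built under the zone-pair.
! show ip port-map user-http9080
! show policy-map type inspect zone-pair OUT-DMZ sessions
```

If the task requires HTTP application inspection on port 9080 rather than plain stateful TCP inspection, the built-in port-map with "ip port-map http port tcp 9080" is the form to keep, and the user-defined PAM only answers the "do not match port 80" part.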
