Hi,
As well the second option should take care of the passive FTP sessions,
while the first will only nab the active FTP session.
Thanks,
Dara
On Thu, Jun 24, 2010 at 2:25 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> I agree with Tyson's point. Although this stupid exam is not about
> "recommended best practices"! :-)
>
> So keep an open mind.
>
> Sadiq
>
> On Wed, Jun 23, 2010 at 8:48 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>
> > The design recommendation is to match the protocol in the class map. The
> > reason for doing this is to prevent unnecessary packet inspection for
> > traffic that doesn't apply. The second option is the better choice.
> >
> > Regards,
> >
> > Tyson Scott - CCIE #13513 R&S, Security, and SP
> > Managing Partner / Sr. Instructor - IPexpert, Inc.
> > Mailto: tscott_at_ipexpert.com
> >
> >
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Maarten Vervoorn
> > Sent: Wednesday, June 23, 2010 8:12 AM
> > To: Cisco certification
> > Subject: Zone based firewall
> >
> > Hi,
> >
> > A question regarding zone based firewall.
> > When you are questioned to inspect FTP traffic to a specific
> > destination, will both answers below give you the points?
> >
> > 1:
> > ip access-list extended FTP
> >  permit tcp any host 172.16.1.1 eq ftp
> >  permit tcp any host 172.16.1.1 eq ftp-data
> > !
> > class-map type inspect FTP
> >  match access-group name FTP
> > !
> > policy-map type inspect INT-EXT
> >  class FTP
> >   inspect
> > --------------------------------------------------
> > 2:
> > ip access-list extended R1
> >  permit ip any host 172.16.1.1
> > !
> > class-map type inspect match-all FTP
> >  match protocol ftp
> >  match access-group name R1
> > !
> > policy-map type inspect INT-EXT
> >  class FTP
> >   inspect
> > --------------------------------------------------
> >
> > Kind regards,
> >
> > Maarten
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
> --
> CCIE #19963
>
>
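A complete zone-based firewall policy built around option 2, as an added example that is not part of any message in this thread. Only the 172.16.1.1 server address comes from Maarten's question; the zone names, interface names and the placement of clients in INSIDE and the server behind OUTSIDE are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumed: GigabitEthernet0/0 faces the
! INSIDE zone (FTP clients), GigabitEthernet0/1 faces the OUTSIDE zone, and
! 172.16.1.1 (from the original question) is the FTP server behind OUTSIDE.
!
! Scope the policy to the server by address only; the class-map decides
! which application the firewall actually has to inspect.
ip access-list extended R1
 permit ip any host 172.16.1.1
!
! match-all: a flow must classify as FTP AND be headed for 172.16.1.1.
! "match protocol ftp" is what makes the firewall parse the control channel
! and open the data channel dynamically, so passive-mode transfers (server
! picks a random port) work without an ftp-data (port 20) ACE.
class-map type inspect match-all FTP
 match protocol ftp
 match access-group name R1
!
! Anything that is not FTP to the server lands in class-default and is
! dropped, so unrelated traffic never goes through application inspection.
policy-map type inspect INT-EXT
 class type inspect FTP
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
! Direction matches the INT-EXT name: sessions initiated inside, to outside.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INT-EXT
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Verification (exec mode): show policy-map type inspect zone-pair sessions
! lists the inspected FTP control session and the data-channel pinholes.
```

Return traffic from the server is handled by the inspect state, so no mirrored OUTSIDE-TO-INSIDE policy is needed for this flow.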
Received on Thu Jun 24 2010 - 09:59:22 ART