Isn't it really the goal to learn best practices, although it is good to know
the options? I would recommend always matching on the protocol, except with
non-IP protocols like ESP, as it is not supported. Always remember to use the
command "ip inspect log drop-pkt". That is the most important command when
doing ZFW.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
From: Maarten Vervoorn [mailto:mr.vervoorn_at_gmail.com]
Sent: Thursday, June 24, 2010 1:42 AM
To: dara tomar
Cc: Sadiq Yakasai; Tyson Scott; Cisco certification
Subject: Re: Zone based firewall
Thanks for your responses.
So it's best to match on protocols. All the time?
Most of the time, no matter which protocol (HTTP, SMTP, etc.), you can choose an
ACL or a protocol. My question basically is: do both answers, ACL or protocol,
give you the points? Or should I ask the proctor about it?
Thanks,
Maarten
2010/6/24 dara tomar <wish2ie_at_gmail.com>
Hi,
Also, the second option should take care of passive FTP sessions,
while the first will only nab active FTP sessions.
Thanks,
Dara
On Thu, Jun 24, 2010 at 2:25 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
I agree with Tyson's point. Although this stupid exam is not about
"recommended best practices"! :-)
So keep an open mind.
Sadiq
On Wed, Jun 23, 2010 at 8:48 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
> The design recommendation is to match the protocol in the class map. The
> reason for doing this is to prevent unnecessary packet inspection for
> traffic that doesn't apply. The second option is the better choice.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
>
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Maarten Vervoorn
> Sent: Wednesday, June 23, 2010 8:12 AM
> To: Cisco certification
> Subject: Zone based firewall
>
> Hi,
>
> A question regarding zone based firewall.
> When you are asked to inspect FTP traffic to a specific
> destination, will both answers below give you the points?
>
> 1:
> ip access-list extended FTP
>  permit tcp any host 172.16.1.1 eq ftp
>  permit tcp any host 172.16.1.1 eq ftp-data
> !
> class-map type inspect FTP
>  match access-group name FTP
> !
> policy-map type inspect INT-EXT
>  class type inspect FTP
>   inspect
> --------------------------------------------------
> 2:
> ip access-list extended R1
>  permit ip any host 172.16.1.1
> !
> class-map type inspect match-all FTP
>  match protocol ftp
>  match access-group name R1
> !
> policy-map type inspect INT-EXT
>  class type inspect FTP
>   inspect
> --------------------------------------------------
>
> Kind regards,
>
> Maarten
>
>
> Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
-- CCIE #19963
Received on Thu Jun 24 2010 - 09:36:36 ART
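For reference, the second option from the question completed into a full zone-based firewall configuration, including the drop-logging command Tyson recommends. This is an added example, not configuration posted by anyone in the thread; the interface names, zone names, and the assumption that 172.16.1.1 sits behind the OUTSIDE zone are mine.

```cisco
! Added example, not from any poster in the thread. Interface names, zone
! names and the placement of 172.16.1.1 are assumptions for illustration.
!
! Log every packet the inspect engine drops (the command Tyson calls the
! most important one); without it ZFW drops are silent and hard to debug.
ip inspect log drop-pkt
!
! Restrict inspection to the one server so the FTP engine is not applied
! to unrelated flows (option 2 from the question).
ip access-list extended R1
 permit ip any host 172.16.1.1
!
! match-all: a flow must be FTP (L7 engine, which also tracks the data
! channel negotiated in-band, so passive FTP works) AND go to 172.16.1.1.
! A port-only ACL (option 1) cannot open the ephemeral passive-mode port.
class-map type inspect match-all FTP
 match protocol ftp
 match access-group name R1
!
! Inspect FTP; everything else in this direction is dropped and logged.
policy-map type inspect INT-EXT
 class type inspect FTP
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
! Policy is directional: INSIDE -> OUTSIDE. Return traffic for inspected
! sessions is allowed by the stateful engine, not by a reverse policy.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INT-EXT
!
interface GigabitEthernet0/0
 description Inside LAN (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Link toward 172.16.1.1 (assumed)
 zone-member security OUTSIDE
```

Verify with "show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions" while a passive FTP transfer is running; the data channel should appear as a child session of the control connection.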
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:38 ART