class-map type inspect http L7
 match request port-misuse any
!
policy-map type inspect http L7
 class L7
  log
  reset
!
policy-map type inspect pmOUTSIDE2DMZ
 class type inspect cmOUTSIDE-R5
  inspect
  service-policy http L7
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
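As an added example (my own, not part of Tyson's reply or Jack's post), here is the whole thing assembled end to end, so the Layer 4 inspect policy, the nested Layer 7 HTTP policy and the zone-pair can be seen together. Interface names are taken from the diagram in the original post; the R5 host address (192.0.2.5) and the contents of the R5 ACL are placeholders, since the post does not show them. The `match req-resp protocol-violation` line is my addition on top of the `port-misuse` match in the reply: `port-misuse` is aimed at recognised non-HTTP applications riding port 80, while `protocol-violation` drops streams that do not follow HTTP framing at all, which is the case for a raw telnet session typing arbitrary text into port 80.

```cisco
! Zones and interface membership (interface names from the diagram)
zone security DMZ
zone security OUTSIDE
!
interface FastEthernet0/1
 description to DMZ (R4 / R5)
 zone-member security DMZ
!
interface Serial1/1
 description to OUTSIDE (R3)
 zone-member security OUTSIDE
!
! Layer 4 match: only HTTP to R5. The ACL name R5 is from the original
! post; its body and the 192.0.2.5 address are placeholders.
ip access-list extended R5
 permit tcp any host 192.0.2.5 eq www
!
class-map type inspect match-all cmOUTSIDE-R5
 match protocol http
 match access-group name R5
!
! Layer 7 HTTP class: match either port misuse (IM/P2P/tunnelling over
! port 80) or an HTTP protocol violation (non-HTTP bytes on port 80).
class-map type inspect http match-any L7
 match request port-misuse any
 match req-resp protocol-violation
!
! Layer 7 action: log the event and reset the TCP session
policy-map type inspect http L7
 class type inspect http L7
  log
  reset
!
! Layer 4 policy: stateful inspect, then hand the stream to the L7 policy;
! anything not matching the HTTP class is dropped and logged.
policy-map type inspect pmOUTSIDE2DMZ
 class type inspect cmOUTSIDE-R5
  inspect
  service-policy http L7
 class class-default
  drop log
!
zone-pair security zOD source OUTSIDE destination DMZ
 service-policy type inspect pmOUTSIDE2DMZ
!
! Optional: syslog every packet the firewall drops, useful while testing
ip inspect log drop-pkt
```

To verify, open a real browser/curl session and a raw telnet to port 80 from R3 and compare `show policy-map type inspect zone-pair zOD` before and after: the HTTP session counters should increase for the first, while the second should show up as a reset under the L7 class and in the syslog output from the `log` action.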
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jack Router
Sent: Tuesday, December 14, 2010 5:00 PM
To: ccielab_at_groupstudy.com
Subject: Zone Based Firewall and deep packet inspection
Hello,
I am playing with ZBF in my lab. It works OK but I can not figure out how to
configure deep packet inspection. Here is the setup:

DMZ                       OUTSIDE
R4--|
    |--(F0/1)R1(S1/1)--R3
R5--|

So far I configured ZBF on R1 to allow access from OUTSIDE to R5, http only.
This config works OK. I can telnet from R3 to R5 on port 80.
My question is how to add deep packet inspection so only real http traffic
will pass. Telnet on port 80 should be denied.
class-map type inspect match-all cmOUTSIDE-R5
 match protocol http
 match access-group name R5
!
policy-map type inspect pmOUTSIDE2DMZ
 class type inspect cmOUTSIDE-R5
  inspect
!
zone-pair security zOD source OUTSIDE destination DMZ
 service-policy type inspect pmOUTSIDE2DMZ
Received on Tue Dec 14 2010 - 17:08:36 ART