Thanks for the info. I did some tests but "match request port-misuse any" is
not preventing telnet on port 80. Is it because there is just no
"port-misuse"? There is a real http server on R5 and telnet 80 acts as a
real http client so firewall sees nothing wrong here.
Does it make sense?
On 14 December 2010 17:08, Tyson Scott <tscott_at_ipexpert.com> wrote:
> class-map type inspect http L7
> match request port-misuse any
> !
> policy-map type inspect http L7
> class L7
> log
> reset
> !
> policy-map type inspect pmOUTSIDE2DMZ
> class type inspect cmOUTSIDE-R5
> inspect
> service-policy http L7
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Jack Router
> Sent: Tuesday, December 14, 2010 5:00 PM
> To: ccielab_at_groupstudy.com
> Subject: Zone Based Firewall and deep packet inspection
>
> Hello,
>
> I am playing with ZBF in my lab. It works OK but I can not figure out how
> to configure deep packet inspection. Here is the setup:
>
> DMZ OUTSIDE
> R4--|
> |--(F0/1)R1(S1/1)--R3
> R5--|
>
> So far I configured ZBF on R1 to allow access from OUTSIDE to R5, http
> only.
> This config works OK. I can telnet from R3 to R5 on port 80.
>
> My question is how to add deep packet inspection so only real http traffic
> will pass. Telnet on port 80 should be denied.
>
> class-map type inspect match-all cmOUTSIDE-R5
> match protocol http
> match access-group name R5
>
> policy-map type inspect pmOUTSIDE2DMZ
> class type inspect cmOUTSIDE-R5
> inspect
>
> zone-pair security zOD source OUTSIDE destination DMZ
> service-policy type inspect pmOUTSIDE2DMZ
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
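As an added illustration (not part of the original thread, and not Cisco's IOS implementation), here is a small Python check that mirrors the kind of protocol-conformance test a layer-7 HTTP inspection engine applies when a TCP/80 session opens. It shows why a telnet session in which the user types a well-formed request line looks exactly like a real HTTP client at this level, while typed garbage or raw telnet option bytes would be flagged and could be logged and reset. The sample byte streams, function names and verdict strings are constructed for the example.

```python
import re

# Request line: METHOD SP target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")
# Header: token ":" optional whitespace value CRLF
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*\r\n")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                 b"OPTIONS", b"TRACE", b"CONNECT"}


def classify_client_bytes(data: bytes) -> str:
    """Return 'conformant' if the first bytes from the client form a valid
    HTTP/1.x request head, otherwise a short reason a firewall could log."""
    m = REQUEST_LINE.match(data)
    if not m:
        return "not-http: request line malformed"
    method, _target, major, _minor = m.groups()
    if method not in KNOWN_METHODS:
        return f"not-http: unknown method {method.decode(errors='replace')}"
    if major != b"1":
        return "not-http: unsupported version"
    rest = data[m.end():]
    # Walk header lines until the blank line that ends the request head.
    while rest and not rest.startswith(b"\r\n"):
        h = HEADER_LINE.match(rest)
        if not h:
            return "not-http: malformed header"
        rest = rest[h.end():]
    if not rest.startswith(b"\r\n"):
        return "incomplete: request head not terminated"
    return "conformant"


def inspect_session(data: bytes) -> tuple[str, str]:
    """Map the classification to a firewall action (allow / reset / hold)."""
    reason = classify_client_bytes(data)
    if reason == "conformant":
        return ("allow", reason)
    if reason.startswith("incomplete"):
        return ("hold", reason)   # wait for more bytes before deciding
    return ("reset", reason)      # log and tear down, like 'log' + 'reset'


# Constructed sample streams (not captured traffic):
BROWSER = b"GET /index.html HTTP/1.1\r\nHost: r5\r\nUser-Agent: x\r\n\r\n"
TELNET_TYPED_HTTP = b"GET / HTTP/1.0\r\n\r\n"        # user typed a real request
TELNET_GARBAGE = b"hello\r\n"                        # user typed non-HTTP text
TELNET_IAC = b"\xff\xfb\x18GET / HTTP/1.0\r\n\r\n"   # client sent option bytes first

if __name__ == "__main__":
    for name, stream in [("browser", BROWSER), ("telnet typed HTTP", TELNET_TYPED_HTTP),
                         ("telnet garbage", TELNET_GARBAGE), ("telnet IAC", TELNET_IAC)]:
        print(f"{name:18s} -> {inspect_session(stream)}")
```

The point the check makes is the one in the reply above: a telnet client that sends a conformant request head is, at the protocol-conformance layer, a real HTTP client, so nothing is wrong for the inspector to catch. Only input that violates the HTTP grammar (free text, telnet negotiation bytes, broken headers) gives the engine something to reset on.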
Received on Tue Dec 14 2010 - 23:47:19 ART