Re: Zone Based Firewall and deep packet inspection

From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
Date: Thu, 16 Dec 2010 07:02:04 -0300

Jack,
this might be a problem of interpretation.
Telnet is a protocol that is spoken by a client and a server.
We use the client to talk to many other servers because of its
versatility/simplicity. The problem is, the server is the one that
initiates the "telnet" exchange.

So try putting a real telnet server on port 80 and see if the
connection goes through. Telnet client connecting to anything
else does not do any data exchange by itself, so your observation
is right. But when you "telnet" to an http server, you
are not using "telnet protocol".

-Carlos

Jack Router wrote:
> Thanks for the info. I did some tests but "match request port-misuse any" is
> not preventing telnet on port 80. Is it because there is just no
> "port-misuse"? There is a real http server on R5 and telnet 80 acts as a
> real http client, so the firewall sees nothing wrong here.
> Does it make sense?
>
>
> On 14 December 2010 17:08, Tyson Scott <tscott_at_ipexpert.com> wrote:
>
>> class-map type inspect http L7
>> match request port-misuse any
>> !
>> policy-map type inspect http L7
>> class L7
>> log
>> reset
>> !
>> policy-map type inspect pmOUTSIDE2DMZ
>> class type inspect cmOUTSIDE-R5
>> inspect
>> service-policy http L7
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>> Mailto: tscott_at_ipexpert.com
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jack Router
>> Sent: Tuesday, December 14, 2010 5:00 PM
>> To: ccielab_at_groupstudy.com
>> Subject: Zone Based Firewall and deep packet inspection
>>
>> Hello,
>>
>> I am playing with ZBF in my lab. It works OK but I can not figure out how
>> to configure deep packet inspection. Here is the setup:
>>
>> DMZ                  OUTSIDE
>> R4--|
>>     |--(F0/1)R1(S1/1)--R3
>> R5--|
>>
>> So far I configured ZBF on R1 to allow access from OUTSIDE to R5, http
>> only. This config works OK. I can telnet from R3 to R5 on port 80.
>>
>> My question is how to add deep packet inspection so only real http traffic
>> will pass. Telnet on port 80 should be denied.
>>
>> class-map type inspect match-all cmOUTSIDE-R5
>> match protocol http
>> match access-group name R5
>>
>> policy-map type inspect pmOUTSIDE2DMZ
>> class type inspect cmOUTSIDE-R5
>> inspect
>>
>> zone-pair security zOD source OUTSIDE destination DMZ
>> service-policy type inspect pmOUTSIDE2DMZ
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
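To make Carlos's point concrete, here is an added example (not code from the thread, and not how IOS implements `match request port-misuse`; the real ZBF matching rules are not described on this page) that models what a Layer-7 inspector sees on a TCP/80 flow: the first payload bytes each side sends. A telnet *client* that connects to an HTTP server sends nothing until the user types, and what the user types in Jack's test is a valid HTTP request line, so the flow looks like HTTP. A telnet *server* on port 80, as Carlos suggests trying, speaks first with IAC option negotiation, which is what "port misuse" would catch. The byte strings, the `Flow` type and the function names are all constructed for this example; the "pending" result for an idle flow is my assumption about what an inspector can conclude before either side has sent data.

```python
# Added example: a toy Layer-7 classifier for flows to TCP/80.
# It is NOT the IOS ZBF implementation; it models the idea that an
# inspector classifies the protocol actually spoken, not the port used.
# All sample byte strings are constructed here, not lab captures.

from dataclasses import dataclass

IAC = 0xFF
# Telnet option-negotiation commands that follow IAC (RFC 854).
NEGOTIATE = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT")


@dataclass
class Flow:
    dst_port: int
    client_first: bytes   # first payload bytes sent by the connecting host
    server_first: bytes   # first payload bytes sent by the listening host


def telnet_negotiation(data: bytes) -> list:
    """Decode leading 'IAC <cmd> <option>' triples, e.g. ['DO 24', 'WILL 1'].
    A real telnet server sends these unprompted; an HTTP server never does."""
    out = []
    i = 0
    while i + 2 < len(data) and data[i] == IAC and data[i + 1] in NEGOTIATE:
        out.append(f"{NEGOTIATE[data[i + 1]]} {data[i + 2]}")
        i += 3
    return out


def http_request_line(data: bytes) -> bool:
    """True if data begins with 'METHOD SP target SP HTTP/1.x CRLF'.
    (Assumption: HTTP/0.9-style 'GET /' without a version is not accepted.)"""
    line, sep, _ = data.partition(b"\r\n")
    if not sep:
        return False
    parts = line.split(b" ")
    return (len(parts) == 3 and parts[0] in HTTP_METHODS
            and parts[2].startswith(b"HTTP/1."))


def classify(flow: Flow) -> str:
    """'telnet' if the server opened with option negotiation, 'http' if the
    client opened with a request line, 'idle' if nobody has sent anything
    yet, otherwise 'other'."""
    if telnet_negotiation(flow.server_first):
        return "telnet"
    if http_request_line(flow.client_first):
        return "http"
    if not flow.client_first and not flow.server_first:
        return "idle"
    return "other"


def port_misuse_action(flow: Flow, expected: str = "http") -> str:
    """Model of a port-misuse check with a 'reset' action on the HTTP port:
    the expected protocol passes, a recognisable other protocol (or
    unparseable data) is reset, and an idle flow is still 'pending' because
    there is nothing to match yet (assumption: an inspector would age it out)."""
    kind = classify(flow)
    if kind == expected:
        return "pass"
    if kind == "idle":
        return "pending"
    return "reset"


# Constructed sample flows, all to port 80.
# 1. Jack's test: telnet client to the real HTTP server on R5, user types a request.
TELNET_CLIENT_TO_HTTPD = Flow(80, b"GET / HTTP/1.0\r\nHost: r5\r\n\r\n", b"")
# 2. Carlos's suggestion: a real telnet server listening on 80 speaks first
#    (IAC DO TERMINAL-TYPE, IAC DO NAWS, IAC WILL ECHO).
TELNETD_ON_80 = Flow(80, b"", bytes([IAC, 0xFD, 0x18, IAC, 0xFD, 0x20, IAC, 0xFB, 0x01]))
# 3. Telnet client connected to R5:80, user has typed nothing yet.
IDLE = Flow(80, b"", b"")
# 4. Telnet client connected, user typed something that is not HTTP.
OTHER = Flow(80, b"hello\r\n", b"")


if __name__ == "__main__":
    for name, f in [("telnet client -> httpd", TELNET_CLIENT_TO_HTTPD),
                    ("telnetd on 80", TELNETD_ON_80),
                    ("idle telnet client", IDLE),
                    ("non-HTTP text", OTHER)]:
        print(f"{name:24s} classified={classify(f):7s} action={port_misuse_action(f)}")
```

Run it and the first flow, which is exactly Jack's "telnet R5 80" followed by typing a request, passes as HTTP, while the telnet-server flow is the one that trips the check; that matches Carlos's reading of the lab result.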
Received on Thu Dec 16 2010 - 07:02:04 ART

This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART