Re: Zone Based firewall comment

From: Narbik Kocharians <narbikk_at_gmail.com>
Date: Mon, 28 Feb 2011 10:51:57 -0800

Don't try to compare it to an ASA, but when you compare it to CBAC, ZBFW is
much better.

On Mon, Feb 28, 2011 at 9:31 AM, Babatunde Sanda <sbabatunde1_at_ca.rr.com> wrote:

> Use the argument match-any.
>
> Example:
>
> class-map type inspect match-any TEST
>  match access-group name inside
>  match protocol http
>  match protocol ssh
>  match protocol telnet
>  match protocol snmp
>  match protocol ftp
>  match protocol icmp
>  match protocol tcp
>  match protocol udp
>
>
> Babatunde Sanda B.Sc (Acct.) CCNP, CCVP, CCNA(R,S,V), MCSA, N+, A+.
> :: Sent from my Iphone. Apologies for errors and brevity. ::
>
> On Feb 28, 2011, at 5:38 AM, Chris Proctor <chris_at_cwproctor.net> wrote:
>
> > I'm coming from an ASA/PIX command set mentality for firewalls. I
> > don't see for the life of me why I have to specify each and every
> > inspect and ACL pairing instead of the "global policy" setup like on the
> > ASA.
> >
> > It really does feel like Dante's trip through hell. Everything is
> > nested and recursing through potentially thousands of lines of config.
> >
> > I'd like to know how to do the following (example):
> >
> > permit access-group inside
> > match protocol http
> > match protocol ssh
> > match protocol telnet
> > match protocol snmp
> > match protocol ftp
> > match protocol icmp
> > match protocol tcp
> > match protocol udp
> > inspect with best inspector for protocol
> >
> > Can this be done without using more than one class?
> >
> > Thanks!
> >
> > On 2/28/2011 6:56 AM, imran ali wrote:
> >>
> >>
> >> On Mon, Feb 28, 2011 at 9:44 AM, Chris Proctor <chris_at_cwproctor.net> wrote:
> >>
> >> Well, after beating my head against this for awhile I have come to
> >> three conclusions (call it venting if you will):
> >> 1.) Security zones are cool
> >> 2.) Inspect maps are overly complex pieces of crap
> >>
> >> Can't agree with you here. Did you study the Cisco doc first before jumping
> >> to any vendor book?
> >>
> >> 3.) Specialized inspect maps are even bigger pieces of crap
> >>
> >> Partially agree with you.
> >>
> >> I find myself hoping they won't get too carried away with this
> >> subject. Working out all of the possible regex's, etc and nesting
> >> of relationships could easily take me 20 hours for a complex
> >> enough configuration. Can anyone tell me if I'm wasting my time
> >> going through the lower levels of hell here?
> >>
> >> --
> >> Chris Proctor
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >
> > --
> > Chris Proctor

-- 
Narbik Kocharians
CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining.com
Sr. Technical Instructor
Ask about our FREE Lab Voucher with our Boot Camps
YES! We take Cisco Learning Credits!
Training & Remote Racks available
Received on Mon Feb 28 2011 - 10:51:57 ART

This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:50 ART
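The single-class setup Chris asks about, written out as a complete IOS zone-based firewall policy. This is an added example, not configuration posted by anyone in the thread; the interface names (GigabitEthernet0/0 inside, GigabitEthernet0/1 outside), the ACL name INSIDE-NETS, the 10.0.0.0/8 source range and the class, policy and zone names are all constructed for illustration. It also goes one step beyond the reply above: a match-any class that lists both the access-group and the protocols places traffic in the class when the ACL alone matches, whatever the protocol, so the protocol list would never restrict anything. Requiring both conditions needs a match-all outer class that references a match-any inner class, which is what this example does.

```cisco
! Added example (not from the thread). Inside-to-outside ZBFW policy using
! one protocol class. Interface names, ACL name and prefix are placeholders.
!
ip access-list extended INSIDE-NETS
 permit ip 10.0.0.0 0.255.255.255 any
!
! Inner class: ANY one of the listed protocols. Each "match protocol" line
! selects that protocol's inspection engine, so the "best inspector" is
! chosen per protocol by the single "inspect" action below. Keep the
! specific protocols before the generic tcp/udp entries: in a match-any
! class the first matching line wins, and listing tcp first would send
! HTTP/FTP/etc. to plain TCP inspection instead of their own engines.
class-map type inspect match-any INSIDE-PROTOCOLS
 match protocol http
 match protocol ssh
 match protocol telnet
 match protocol snmp
 match protocol ftp
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! Outer class: source must be in the ACL AND the protocol must be listed.
! Putting the access-group into a match-any class next to the protocols
! would admit any ACL-matched traffic regardless of protocol.
class-map type inspect match-all INSIDE-TO-OUTSIDE
 match access-group name INSIDE-NETS
 match class-map INSIDE-PROTOCOLS
!
! One inspect action covers every protocol in the nested class; anything
! else from inside is dropped and logged so unexpected flows are visible.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
! Only the inside->outside direction is opened; return traffic is admitted
! by the stateful session, and outside-initiated traffic has no zone-pair
! and is therefore dropped by default.
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

After applying it, `show class-map type inspect` confirms the nesting, and `show policy-map type inspect zone-pair INSIDE-OUTSIDE sessions` shows which inspection engine each live session was assigned to, which is the quickest way to check that HTTP and FTP flows are not silently falling through to the generic TCP entry.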