Re: Zone Based firewall comment

From: imran ali <immrccie_at_gmail.com>
Date: Mon, 28 Feb 2011 22:29:25 +0300

On Mon, Feb 28, 2011 at 9:51 PM, Narbik Kocharians <narbikk_at_gmail.com> wrote:

> Don't try to compare it to an ASA, but when you compare it to CBAC, ZBFW is
> much better.
>

Narbik, can you please explain how advantageous ZBF is over CBAC? (ZBF simplifies
the configuration burden; what else does ZBF give that CBAC lacks?)
Thanks

>
> On Mon, Feb 28, 2011 at 9:31 AM, Babatunde Sanda <sbabatunde1_at_ca.rr.com> wrote:
>
>> Use the argument match-any.
>>
>> Example:
>>
>> class-map type inspect match-any TEST
>>  ! with match-any the first matching line selects the inspection engine,
>>  ! so the generic tcp/udp lines stay last
>>  match access-group name inside
>>  match protocol http
>>  match protocol ssh
>>  match protocol telnet
>>  match protocol snmp
>>  match protocol ftp
>>  match protocol icmp
>>  match protocol tcp
>>  match protocol udp
>>
>>
>> Babatunde Sanda B.Sc (Acct.) CCNP, CCVP, CCNA(R,S,V), MCSA, N+, A+.
>> :: Sent from my Iphone. Apologies for errors and brevity. ::
>>
>> On Feb 28, 2011, at 5:38 AM, Chris Proctor <chris_at_cwproctor.net> wrote:
>>
>> > I'm coming from an ASA/PIX command set mentality for firewalls. I
>> > don't see for the life of me why I have to specify each and every
>> > inspect and ACL pairing instead of the "global policy" setup like on the
>> > ASA.
>> >
>> > It really does feel like Dante's trip through hell. Everything is
>> > nested and recursing through potentially thousands of lines of config.
>> >
>> > I'd like to know how to do the following (example):
>> >
>> > permit access-group inside
>> > match protocol http
>> > match protocol ssh
>> > match protocol telnet
>> > match protocol snmp
>> > match protocol ftp
>> > match protocol icmp
>> > match protocol tcp
>> > match protocol udp
>> > inspect with best inspector for protocol
>> >
>> > Can this be done without using more than one class?
>> >
>> > Thanks!
>> >
>> > On 2/28/2011 6:56 AM, imran ali wrote:
>> >>
>> >>
>> >> On Mon, Feb 28, 2011 at 9:44 AM, Chris Proctor <chris_at_cwproctor.net> wrote:
>> >>
>> >> Well, after beating my head against this for awhile I have come to
>> >> three conclusions (call it venting if you will):
>> >> 1.) Security zones are cool
>> >> 2.) Inspect maps are overly complex pieces of crap
>> >>
>> >> Can't agree with you here. Did you study the Cisco doc first before jumping
>> >> to any vendor book?
>> >>
>> >> 3.) Specialized inspect maps are even bigger pieces of crap
>> >>
>> >> Partially agree with you.
>> >>
>> >> I find myself hoping they won't get too carried away with this
>> >> subject. Working out all of the possible regexes, etc. and nesting
>> >> of relationships could easily take me 20 hours for a complex
>> >> enough configuration. Can anyone tell me if I'm wasting my time
>> >> going through the lower levels of hell here?
>> >>
>> >> --
>> >> Chris Proctor
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>> >
>> > --
>> > Chris Proctor
>> >
>> >
>
>
> --
> Narbik Kocharians
> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> www.MicronicsTraining.com
> Sr. Technical Instructor
> Ask about our FREE Lab Voucher with our Boot Camps
> YES! We take Cisco Learning Credits!
> Training & Remote Racks available
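
To put the pieces discussed in this thread into one working configuration, here is an added example; it is not from any of the posters above. It shows the "one policy per zone-pair" shape of ZBFW and combines the ACL with the protocol list as an AND condition by nesting a match-any protocol class inside a match-all class: a single match-any class that lists both an access-group and protocols matches on either one, so ACL-permitted traffic of any protocol and protocol traffic from any source would both be inspected. Interface names, zone names, the ACL INSIDE-NETS and its address range are assumptions for illustration.

```cisco
! Added example, not from the thread. Zones, ACL and interfaces are assumed.
zone security INSIDE
zone security OUTSIDE
!
! Assumed inside address space; adjust to the real LAN.
ip access-list extended INSIDE-NETS
 permit ip 10.1.0.0 0.0.255.255 any
!
! Protocols to inspect. With match-any the FIRST matching line selects the
! inspection engine, so the generic tcp/udp lines must stay last; otherwise
! HTTP or FTP would be handled as plain TCP and lose application inspection.
class-map type inspect match-any ALLOWED-PROTOS
 match protocol http
 match protocol ssh
 match protocol telnet
 match protocol snmp
 match protocol ftp
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! match-all requires BOTH the ACL and one of the protocols above.
class-map type inspect match-all INSIDE-TO-OUTSIDE
 match access-group name INSIDE-NETS
 match class-map ALLOWED-PROTOS
!
! One policy: inspect what the class matches, drop (and log) everything else.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! The policy is applied once, to the zone-pair, not per interface or ACL.
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
interface GigabitEthernet0/0
 description inside LAN (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description internet (assumed)
 zone-member security OUTSIDE
```

Because no zone-pair exists in the OUTSIDE to INSIDE direction, connections initiated from OUTSIDE are dropped; return traffic for sessions the inspect action created is allowed by state. `show policy-map type inspect zone-pair sessions` lists the active sessions per zone-pair and is the quickest way to confirm that a flow hit the intended class rather than class-default.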

Received on Mon Feb 28 2011 - 22:29:25 ART

This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:50 ART