ZBPF Routed Mode task
In WB1, in the solution for ZBPF routed mode, we were asked to allow ICMP except src/dst 18.104.22.168/16 within the OUTSIDE zone.
The solution shows the following:
ip access-list extended OUTSIDE_TO_OUTSIDE
 deny icmp 22.214.171.124 0.0.255.255 126.96.36.199 0.0.255.255
 permit icmp any any
class-map type inspect match-all OUTSIDE_TO_OUTSIDE_ICMP
 match protocol icmp
 match access-group name OUTSIDE_TO_OUTSIDE
My question is:
If ACL OUTSIDE_TO_OUTSIDE matches ICMP, why do we need the "match protocol icmp" command within the class-map?