ZBPF Transparent Mode lab exercise from Technologies Workbook

Hello, 

I have some confusion with this exercise.

The task reads:

"
  • Configure two security zones on R3: VLAN123 and VLAN34.
  • ICMP traffic initiated from VLAN123 zone should match the following output:

    %FW-6-PASS_PKT: (target:class)-(VLAN123_TO_VLAN34:ICMP) Passing icmp pkt 136.1.99.1:0 => 150.1.4.4:0 with ip ident 0

  • Inspect HTTP traffic on ports 80 and 21 destined for R4's Loopback0 address.
"
The task seems straightforward: configure a zone-pair from source VLAN123 to destination VLAN34 and then inspect ICMP and HTTP.


The answer shows that the class-maps call ACLs for ICMP and HTTP. I do not understand why that is necessary if we can just "match protocol" in the class-map.



I get that we need to map port 21 to HTTP with an ACL specifying R4's loopback.



Also, the answer shows TWO zone-pairs, one for each direction, but the task does not say to do that, so I don't understand why it is necessary. What is the point of the inspection policy if there is a zone-pair required in both directions just to let a ping go from R1 to R4 and back? Isn't the zone-pair supposed to be a stateful inspection?



Somebody please explain why the extra config is required.


-Lance

Comments

  • Hi,

    You can just match on protocol, correct; the solution just gives you another way of matching it. Based on the log, ICMP traffic needs to match a pass action, thus for PING to work, you need policies both ways between zones with pass action for ICMP; also based on the last task requirement which says "Configure R3 to log for traffic not matching any of the configured class-maps", you need the log action in the default class-map in both directions.

    Regards,

    Cristian.
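As an added illustration (not the workbook's answer key), this is how the two policies Cristian describes could look on R3: "pass" is stateless, so the echo-reply needs its own pass in the reverse zone-pair, while "inspect" on HTTP is stateful and needs no reverse policy. The interface names and the ACL number and name are assumptions; 150.1.4.4 is R4's Loopback0 as shown in the task's log line.

```ios
! Security zones on R3 (names from the task)
zone security VLAN123
zone security VLAN34
!
! Standard ACL naming R4's Loopback0, so TCP/21 to this host is classified as HTTP
access-list 1 permit host 150.1.4.4
ip port-map http port tcp 21 list 1
!
! Extended ACL restricting the HTTP class to ports 80 and 21 on R4's Loopback0
ip access-list extended HTTP_TO_R4
 permit tcp any host 150.1.4.4 eq 80
 permit tcp any host 150.1.4.4 eq 21
!
class-map type inspect match-all ICMP
 match protocol icmp
class-map type inspect match-all HTTP
 match protocol http
 match access-group name HTTP_TO_R4
!
! VLAN123 -> VLAN34: ICMP is passed (stateless, this direction only), HTTP is
! inspected (stateful: return traffic is allowed by the session table).
policy-map type inspect VLAN123_TO_VLAN34
 class type inspect ICMP
  pass
 class type inspect HTTP
  inspect
 class class-default
  drop log
!
! VLAN34 -> VLAN123: needed only because "pass" creates no session;
! the echo-reply must be passed explicitly on the way back.
policy-map type inspect VLAN34_TO_VLAN123
 class type inspect ICMP
  pass
 class class-default
  drop log
!
zone-pair security VLAN123_TO_VLAN34 source VLAN123 destination VLAN34
 service-policy type inspect VLAN123_TO_VLAN34
zone-pair security VLAN34_TO_VLAN123 source VLAN34 destination VLAN123
 service-policy type inspect VLAN34_TO_VLAN123
!
! Interface names are assumptions; in transparent mode these are the bridged
! interfaces, each placed in its zone.
interface FastEthernet0/0
 zone-member security VLAN123
interface FastEthernet0/1
 zone-member security VLAN34
```

With only the first zone-pair configured, the echo-request is passed but the echo-reply from VLAN34 hits the default inter-zone drop, which is why the answer key carries two zone-pairs.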
