I have some confusion with this exercise.
The task reads:
- Configure two security zones on R3: VLAN123 and VLAN34.
- ICMP traffic initiated from VLAN123 zone should match the following output:
  %FW-6-PASS_PKT: (target:class)-(VLAN123_TO_VLAN34:ICMP) Passing icmp pkt 220.127.116.11:0 => 18.104.22.168:0 with ip ident 0
- Inspect HTTP traffic on ports 80 and 21 destined for R4's Loopback0 address.
The task seems straightforward: configure a zone-pair from source VLAN123 to destination VLAN34 and then inspect ICMP and HTTP.
The answer shows that the class-maps call ACLs for ICMP and HTTP. I do not understand why that is necessary if we can just "match protocol" in the class-map.
I get that we need to map port 21 to HTTP with an ACL specifying R4's loopback.
Also, the answer shows TWO zone-pairs, one for each direction, but the task does not say to do that, so I don't understand why it is necessary. What is the point of the inspection policy if there is a zone-pair required in both directions just to let a ping go from R1 to R4 and back? Isn't the zone-pair supposed to be a stateful inspection?
Somebody please explain why the extra config is required.
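An added example, not from the original post or the lab's answer key: the one-direction zone-based firewall configuration the task text describes, written out in IOS syntax. R4's Loopback0 address (10.4.4.4), the interface names, and the ACL and policy-map names are hypothetical; the zone-pair name and the ICMP class name are taken from the log line quoted in the task.

```cisco
! Added example (not from the original post or the lab's answer key):
! the single-direction ZBF configuration the task text describes.
! Hypothetical values: R4 Loopback0 = 10.4.4.4, VLAN123 faces
! GigabitEthernet0/0, VLAN34 faces GigabitEthernet0/1.
!
! Zones and interface membership
zone security VLAN123
zone security VLAN34
interface GigabitEthernet0/0
 zone-member security VLAN123
interface GigabitEthernet0/1
 zone-member security VLAN34
!
! Have the HTTP inspector treat TCP/21 as HTTP, but only when the
! destination is R4's Loopback0 (standard ACL selects the host)
access-list 10 permit host 10.4.4.4
ip port-map http port tcp 21 list 10
!
! Extended ACL used to limit the HTTP class to R4's Loopback0
access-list 110 permit ip any host 10.4.4.4
!
! Class-maps; the ICMP class name matches "(VLAN123_TO_VLAN34:ICMP)"
! in the task's log line
class-map type inspect match-any ICMP
 match protocol icmp
class-map type inspect match-all HTTP
 match protocol http
 match access-group 110
!
! "inspect" creates a session entry, so reply traffic of an inspected
! flow is allowed back through the same zone-pair
policy-map type inspect VLAN123_TO_VLAN34_POLICY
 class type inspect ICMP
  inspect
 class type inspect HTTP
  inspect
 class class-default
  drop
!
! One zone-pair, VLAN123 -> VLAN34, named as in the task's log line
zone-pair security VLAN123_TO_VLAN34 source VLAN123 destination VLAN34
 service-policy type inspect VLAN123_TO_VLAN34_POLICY
```

Verify with `show policy-map type inspect zone-pair VLAN123_TO_VLAN34 sessions` while a ping or HTTP request from VLAN123 to 10.4.4.4 is in progress.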