Application Inspection of ZBF Router

Odys (CSC)
Level 1

Hello there,

I just wanna verify what I've learned about:

Stateful Inspection (packet filtering up to L5)  and

Application Inspection (packet filtering up to L7)

Regarding an IOS ZBF (IOS ver 12.4(20)T) on a router, do these commands implement Application Inspection?

(I mean: do they satisfy a protocol like FTP and enable the router to learn about dynamic ports and unwanted activities?)

class-map type inspect match-any CM
 match protocol ftp
 match protocol http
policy-map type inspect PM
 class type inspect CM
  inspect
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect PM


Or do they implement Stateful Inspection only? If so, how to add the Application Inspection feature (on FTP traffic, for example)?

One more question: is "application-specific matching" another expression for "application inspection feature"?

thanks !


Julio Carvajal
VIP Alumni

Hello Odysious,

When you match traffic on a class-map with the match protocol http or ftp you are indeed matching an L7 protocol, so when you inspect this class-map on a policy-map you will be handling an L7 policy-map, which means application stateful (so if a protocol like FTP uses additional channels, the router will be able to open the right pinholes).

I hope I was clear hehe

Let me know anyway

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Referring to the following doc, I think you're wrong. L7 inspection uses "parameter-maps" or something like that.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Actually that doc is too tough for me and I can't get the answer from it. I know it's there, but it's very hard for me to find it.

Hello,

No I am not... 101% sure about it!

You use parameter-maps, L7 class maps and L7 policy-maps in order to do specific L7 tasks such as blocking files that contain certain strings or blocking websites, etc.

But still, matching traffic with a match protocol and using the keyword inspect will be an L7 action, as the router will get into the content of the packets to make sure the protocol is honored.

Hey remember to rate all of the helpful posts,

If you do not know how, just let me know.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Have you looked at the example in the above mentioned link?

  1. Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier:

    conf t
     class-map type inspect match-any internet-traffic-class
      match protocol http
      match protocol https
      match protocol dns
      match protocol icmp
  2. Configure a policy-map to inspect traffic on the class-maps you just defined:

    conf t
     policy-map type inspect private-internet-policy
      class type inspect internet-traffic-class
       inspect
  3. Configure the private and Internet zones and assign router interfaces to their respective zones:

    conf t
     zone security private
     zone security internet
     int bvi1
      zone-member security private
     int fastethernet 0
      zone-member security internet
  4. Configure the zone-pair and apply the appropriate policy-map.

    Note: You only need to configure the private Internet zone pair at present in order to inspect connections sourced in the private zone traveling to the Internet zone:

    conf t
     zone-pair security private-internet source private destination internet
      service-policy type inspect private-internet-policy

    This completes the configuration of the Layer 7 inspection policy on the private Internet zone-pair to allow HTTP, HTTPS, DNS, and ICMP connections from the clients zone to the servers zone and to apply application inspection to HTTP traffic to assure that unwanted traffic is not allowed to pass on TCP 80, HTTP's service port.

  1. Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier:

    conf t
     class-map type inspect match-any L4-inspect-class
      match protocol tcp
      match protocol udp
      match protocol icmp
  2. Configure policy-maps to inspect traffic on the class-maps you just defined:

    conf t
     policy-map type inspect clients-servers-policy
      class type inspect L4-inspect-class
       inspect
  3. Configure the clients and servers zones and assign router interfaces to their respective zones:

    conf t
     zone security clients
     zone security servers
     int vlan 1
      zone-member security clients
     int vlan 2
      zone-member security servers
  4. Configure the zone-pair and apply the appropriate policy-map.

    Note: You only need to configure the clients-servers zone-pair at present, to inspect connections sourced in the clients zone traveling to the servers zone:

    conf t
     zone-pair security clients-servers source clients destination servers
      service-policy type inspect clients-servers-policy

    This completes the configuration of the Layer 4 inspection policy for the clients-servers zone-pair to allow all TCP, UDP, and ICMP connections from the client zone to the server zone. The policy does not apply fixup for subordinate channels, but provides an example of simple policy to accommodate most application connections.

Obviously, "inspect" is used for both L4 (tcp, udp) and L7 (http, dns) inspection.

So, it depends on the protocol being inspected, not on the keyword "inspect".

But I'm not sure what's going on with ICMP? It is in both cases matched and inspected.

Hi,

match protocol is using PAM entries (show ip port-map) to categorize traffic and the inspect keyword in the policy-map is for enabling stateful inspection. Now according to Cisco:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html#GUID-0FA87F61-EC84-44BC-B2FD-7DFE01F9AC39

Layer 7 Class Maps and Policy Maps

Layer 7 class maps can be used in inspect policy maps only for deep packet inspection (DPI). The DPI functionality is delivered through Layer 7 class maps and policy maps.

To create a Layer 7 class map, use the class-map type inspect command for the desired protocol. For example, for the HTTP protocol, enter the class-map type inspect http command.

The type of class map (for example, HTTP) determines the match criteria that you can use. If you want to specify HTTP traffic that contains Java applets, you must specify a “match response body java” statement in the context of an “inspect HTTP” class map.

A Layer 7 policy map provides application level inspection of traffic. The policy map can include class maps of the same type.

To create a Layer 7 policy map, specify the protocol in the policy-map type inspect command. For example, to create a Layer 7 HTTP policy map, use the policy-map type inspect http policy-map-name command. Enter the name of the HTTP policy-map for the policy-map-name argument.

If you do not specify a protocol name (for example, if you use the policy-map type inspect command), you will create a Layer 3 or Layer 4 policy map, which can only be an inspect type policy map.

A Layer 7 policy map must be contained in a Layer 3 or Layer 4 policy map; it cannot be attached directly to a target. To attach a Layer 7 policy map to a top-level policy map, use the service-policy command and specify the application name (that is, HTTP, Internet Message Access Protocol [IMAP], Post Office Protocol, version 3 [POP3], Simple Mail Transfer Protocol [SMTP], or SUN Remote Procedure Call [SUNRPC]). The parent class for a Layer 7 policy should have an explicit match criterion that matches only one Layer 7 protocol before the policy is attached.

If the Layer 7 policy map is in a lower level, you must specify the inspect action at the parent level for a Layer 7 policy map.

So there is indeed a difference between an L3-L4 inspection and an L7 inspection according to this document.

Regards

Alain

Don't forget to rate helpful posts.

Cadet,

This is a very helpful reply from you. The following line reveals the mystery of "inspect" within ZFW:

If you do not specify a protocol name (for example, if you use the policy-map type inspect command), you will create a Layer 3 or Layer 4 policy map, which can only be an inspect type policy map.

In short, it depends on the "type inspect" in the policy-map, not on the "match" in the class-map nor on the "action" in the policy-map.

This implements an L4 inspection:

class-map type inspect match-all c-name
 match protocol http
policy-map type inspect p-name
 class type inspect c-name
  inspect

And this implements an L7 inspection:

class-map type inspect http match-any c-name-httpmethods
 match request method bpropfind
 match request method bproppatch
 match request method connect
 match request method index
 match request method notify
policy-map type inspect http p-name-app-http
 class type inspect http c-name-httpmethods
  log
  reset

Thank you!

Hello Oydious,

Obviously, "Inspect" is used for both L4 (tcp, udp) and L7 (http, dns) inspection.

So, It depends on the protocol being inspected, not on the keyword "inspect".

But I'm not sure what's going on with icmp ? It is in both cases matched and inspected.

Answer:

Here is where most people get confused.

Using class-maps:

You can match traffic at Layer 7, Layer 3 or Layer 4.

Using match access-list = Layer 4 or Layer 3, depending on the structure.

Using match protocol = matching Layer 7 (Layer 4 if match protocol tcp, udp).

Now, what happens if you want to inspect FTP packets to open additional channels?

You should use a class-map matching the protocol (L7) and then inspect it; otherwise the router will only care about matching TCP port 21 for FTP.

I know, it might be difficult to understand, but after taking cases for more than 2 years on TAC regarding this feature I can assure you that I know what I am talking about.

So when talking about Class-maps you can match L7 or L4, what to use will depend on the protocol and what you want to do.

!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

So why does Cisco seem to tell the opposite? It's very confusing from them, especially when using protocol is only using PAM to get the match instead of an access-list. I didn't say I don't believe you, because you seem to have much experience about this, but in this case the Cisco documentation is rather misleading (to say the least).

To add to the confusion, this link says exactly what you're telling: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#stateful-1

If you're still working with TAC it could be interesting to point out to Cisco that their docs are inconsistent and/or misleading about this subject.

Regards

Alain

Don't forget to rate helpful posts.

Hello Cadet,

How are you man?

I am not with Cisco any more, I moved to a different company last week actually

Now, as we all know there has been always problems with some Cisco documentation (I have found at least 2 documentation bugs related to ZBFW).

At the end all comes to this:

if you use a class-map as follows:

ip access-list extended test
 permit tcp any any eq 21
class-map type inspect test
 match access-group name test

you are basically telling the router: whenever you see a packet with TCP destination port 21, it's a match for this class-map.

And you have a policy like this:

policy-map type inspect In-out
 class type inspect test
  inspect

You will be inspecting that traffic, but what the router will care about is:

Just inspect traffic that matches destination port 21.

If you do it like this instead:

class-map type inspect test
 match protocol ftp

the router will now inspect the traffic as FTP traffic, not just as TCP destination port 21.

That's it

Hope that I explained it properly

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
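As an added example (not from the thread, Julio, or Cisco): a small Python audit script that applies the rule just stated to a constructed ZBF configuration. It finds every class that receives the inspect action and reports whether the router will treat that class as a port/address match (access-group), a generic L4 match (protocol tcp/udp/icmp) or an application-aware L7 match (protocol ftp, http, ...). The level labels, the parser and the sample configuration are my own assumptions; L7 class-maps such as class-map type inspect http are deliberately skipped.

```python
import re
SAMPLE_CONFIG = """\
ip access-list extended test
 permit tcp any any eq 21
class-map type inspect match-all acl-ftp
 match access-group name test
class-map type inspect match-any app-ftp
 match protocol ftp
class-map type inspect match-any L4-inspect-class
 match protocol tcp
policy-map type inspect In-out
 class type inspect acl-ftp
  inspect
 class type inspect app-ftp
  inspect
 class type inspect L4-inspect-class
  inspect
"""  # constructed sample, not a real device config
L4_PROTOCOLS = {"tcp", "udp", "icmp"}            # 'match protocol' values that stay at L4
RANK = {"none": 0, "L3/L4": 1, "L4": 2, "L7": 3}

def parse(config: str):
    """One pass: match lines per top-level class-map, plus classes given the 'inspect' action."""
    cmaps, inspected, current, in_policy = {}, [], None, False
    for line in config.splitlines():
        head = re.match(r"class-map type inspect (?:match-(?:any|all) )?(\S+)$", line)
        cls = re.match(r"\s*class type inspect (\S+)$", line)
        if head:                                    # L7 class-maps ('type inspect http ...') never match here
            current, in_policy = head.group(1), False
            cmaps[current] = []
        elif cls:
            current, in_policy = cls.group(1), True
        elif current and not in_policy and line.lstrip().startswith("match "):
            cmaps[current].append(line.strip())
        elif current and in_policy and line.strip() == "inspect":
            inspected.append(current)
        elif not line.startswith(" "):
            current = None                          # left the class-map / policy-map block
    return cmaps, inspected

def inspection_level(matches):
    """Thread's rule: access-group = L3/L4 port match; protocol tcp/udp/icmp = L4; other protocol = L7."""
    levels = {"none"}
    for m in matches:
        if m.startswith("match access-group"):
            levels.add("L3/L4")
        elif m.startswith("match protocol"):
            levels.add("L4" if m.split()[2] in L4_PROTOCOLS else "L7")
    return max(levels, key=RANK.get)                # deepest inspection the class can trigger

def audit(config: str) -> dict:
    """Map each class that gets 'inspect' to the level of inspection it will actually receive."""
    cmaps, inspected = parse(config)
    return {name: inspection_level(cmaps.get(name, [])) for name in inspected}
```

Running audit(SAMPLE_CONFIG) shows that only the class with match protocol ftp is inspected as FTP; the ACL-based class is a plain port-21 match and will not open data-channel pinholes.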

Hi Julio,

I'm doing fine, thanks, and I hope you are too.

I wish you the best in your new position.

Thanks for the explanation, and sorry for misleading the OP with this link content, which is very confusing.

Regards

Alain

Don't forget to rate helpful posts.

Hello Cadet,

Thank you man,

It's always a pleasure to help.

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Great Example... Jcarvaja

I've got it

Would you please post your answer here too:

https://learningnetwork.cisco.com/thread/61307?tstart=0

It's the same question, but no one could answer it yet.

thanks a lot !

Hello,

Sure, I will.

Was a pleasure to help

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC