Cisco Support Community
Zone Based Firewall inspection question

Hi Everyone,

I am thinking about the best way of doing a class-map for inspection of traffic coming in on a not-well-known TCP port.

My question is whether to do it via an access-list only, like

ip access-list extended in-traff
 permit tcp host x.x.x.x host y.y.y.y eq 2085
!
class-map type inspect match-any IN-cmap
 match access-group name in-traff

Or, it would be better to do it like this:

ip access-list extended in-traff
 permit tcp host x.x.x.x host y.y.y.y eq 2085
!
class-map type inspect match-all IN-cmap
 match protocol tcp
 match access-group name in-traff

Since I have tcp mentioned in the ACL already, I am wondering if match protocol tcp would really do any deeper inspection.

Thanks!


Accepted Solutions

Zone Based Firewall inspection question

Hello Farhad,

I will go with the First option (ACL only).

There is no need to go any further, as there will be no advantage to a deeper inspection since this is not a well-known protocol. (And just for you to know: with both match protocol tcp and match access-group name you are matching at layer 4, so it's redundant.)

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Zone Based Firewall inspection question

I agree with jcarvaja, the first option you posted is the better option. You are already defining that the protocol is TCP in the ACL, so there is no need to define it again in the class map.

--
Please remember to rate and select a correct answer

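For reference, here is the ACL-only class-map from the accepted answer placed into a complete zone-based firewall skeleton. This is an added example, not configuration from the thread; the zone names, interface names, policy-map name and the 192.0.2.10 / 198.51.100.20 addresses are assumed values.

```cisco
! Added example: ZBF with the ACL-only class-map (option 1).
! Zone, interface, policy-map names and addresses are assumed.
ip access-list extended in-traff
 permit tcp host 192.0.2.10 host 198.51.100.20 eq 2085
!
! The ACL already limits the match to TCP, so no separate
! "match protocol tcp" is needed (it would match the same layer-4 data).
class-map type inspect match-any IN-cmap
 match access-group name in-traff
!
! "inspect" gives generic stateful TCP session tracking for the flow;
! anything else crossing this zone-pair falls into class-default and is
! dropped and logged.
policy-map type inspect IN-pmap
 class type inspect IN-cmap
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
zone security INSIDE
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 zone-member security INSIDE
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect IN-pmap
```

To confirm the class is actually matching, check the session table with `show policy-map type inspect zone-pair OUT-TO-IN sessions` after generating a connection to port 2085.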