Cisco Support Community

New Member

Zone based firewall question

Hello... here is the question...

Based on the following configuration which option is correct?

class-map type inspect match-all myprotocols
 match protocol http
 match protocol dns
!
policy-map type inspect myfwpolicy
 class type inspect myprotocols
  inspect
!
zone security private
zone security public
!
interface FastEthernet0/0
 zone-member security private
!
interface FastEthernet0/1
 zone-member security public
!
zone-pair security priv-to-pub source private destination public
 service-policy type inspect myfwpolicy

What will result from this config?

a) all traffic from the private zone to the public zone will be dropped

b) all traffic from the private zone to the public zone will be permitted but not inspected

c) all traffic from the private zone to the public zone will be permitted and inspected

d) all traffic from the public zone to the private zone will be permitted but not inspected

e) only HTTP and DNS traffic from the private zone to the public zone will be permitted and inspected

f) only HTTP and DNS traffic from the public zone to the private zone will be permitted and inspected

The test says that the correct answer is A, but I say it is E.

Which one is right?

Thanks

3 REPLIES
Cisco Employee

Re: Zone based firewall question

E is the correct answer.

Alex Yeung

New Member

Re: Zone based firewall question

I knew it!!! Thanks a lot!!

I have the SNRS exam today so I want to clear that out.. :)

New Member

Re: Zone based firewall question

Hi Allan,

the correct answer is A, because your class-map is defined with a "match-all" statement, which says that the traffic must match both rules. In your case the traffic must be HTTP and DNS at the same time, which is impossible. To correct this you have to do:

class-map type inspect match-any myprotocols
 match protocol http
 match protocol dns

Now the correct answer will be "E"

Best Regards

Tihomir Yosifov
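The disagreement in this thread comes down to how a "type inspect" class-map combines its match lines. The following Python model is an added example, not Cisco code and not the exam's reference solution; it encodes the rules the last reply relies on (match-all requires every line to be true, match-any requires at least one, unmatched traffic falls to class-default and is dropped, and a flow carries a single application protocol) and then runs the thread's configuration in both modes so you can see which answer choice each mode produces. The class `ClassMap`, `PolicyMap`, `ZonePair` and the helper functions are constructed for this illustration; the "smtp" flow is an assumed extra protocol used only to show the class-default behaviour.

```python
"""Toy model of Cisco IOS zone-based firewall (ZBF) policy evaluation.

Constructed example for this thread, not Cisco code. It encodes:
  * a class-map "type inspect" evaluates its "match protocol" lines with
    match-all (every line must be true) or match-any (at least one line);
  * a policy-map applies the action of the first matching class and
    sends everything else to class-default, whose action is drop;
  * traffic between two zones is dropped unless a zone-pair with a
    service-policy exists in that direction;
  * a flow carries exactly one application protocol (assumption).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ClassMap:
    name: str
    mode: str                      # "match-all" or "match-any"
    protocols: List[str] = field(default_factory=list)

    def matches(self, flow_protocol: str) -> bool:
        # Each "match protocol X" line is true only when X is the flow's
        # protocol, so two different protocols under match-all can never
        # both be true for one flow.
        results = [flow_protocol == p for p in self.protocols]
        if not results:
            return False
        return all(results) if self.mode == "match-all" else any(results)


@dataclass
class PolicyMap:
    name: str
    classes: List[Tuple[ClassMap, str]]   # (class-map, action)

    def action_for(self, flow_protocol: str) -> Tuple[str, str]:
        for cmap, action in self.classes:
            if cmap.matches(flow_protocol):
                return cmap.name, action
        return "class-default", "drop"       # implicit default class


@dataclass
class ZonePair:
    source: str
    destination: str
    policy: Optional[PolicyMap] = None


def evaluate(zone_pairs: List[ZonePair], src: str, dst: str, protocol: str) -> str:
    """Return the fate of a new flow from zone src to zone dst."""
    if src == dst:
        return "pass (intra-zone)"
    for zp in zone_pairs:
        if zp.source == src and zp.destination == dst:
            if zp.policy is None:
                return "drop (zone-pair without service-policy)"
            cls, action = zp.policy.action_for(protocol)
            return f"{action} (class {cls})"
    return "drop (no zone-pair)"


def build_thread_config(mode: str) -> List[ZonePair]:
    """The thread's configuration with class-map 'myprotocols' in the given mode."""
    myprotocols = ClassMap("myprotocols", mode, ["http", "dns"])
    myfwpolicy = PolicyMap("myfwpolicy", [(myprotocols, "inspect")])
    # Only priv-to-pub exists in the thread; there is no pub-to-priv zone-pair.
    return [ZonePair("private", "public", myfwpolicy)]


def summarize(mode: str, protocols=("http", "dns", "smtp")) -> Dict[str, Dict[str, str]]:
    """Fate of each protocol in both directions; 'smtp' is a constructed extra flow."""
    zps = build_thread_config(mode)
    return {
        "private->public": {p: evaluate(zps, "private", "public", p) for p in protocols},
        "public->private": {p: evaluate(zps, "public", "private", p) for p in protocols},
    }


def option_for(mode: str) -> str:
    """Map the model's private->public outcome onto the thread's choices a) or e)."""
    outcomes = summarize(mode)["private->public"]
    inspected = {p for p, fate in outcomes.items() if fate.startswith("inspect")}
    if not inspected:
        return "a"                 # everything private->public is dropped
    if inspected == {"http", "dns"}:
        return "e"                 # only HTTP and DNS are permitted and inspected
    return "?"


if __name__ == "__main__":
    for mode in ("match-all", "match-any"):
        print(f"{mode}: option {option_for(mode)}")
        for direction, fates in summarize(mode).items():
            for proto, fate in fates.items():
                print(f"  {direction:16} {proto:5} -> {fate}")
```

Running it shows the two readings side by side: with match-all, no single flow satisfies both "match protocol" lines, so every private-to-public flow lands in class-default and is dropped (choice a); with match-any, HTTP and DNS are inspected and everything else is dropped (choice e). In both modes, public-to-private flows are dropped because no zone-pair exists in that direction, which is why choices d) and f) never apply. The model deliberately ignores return traffic for inspected sessions and the "pass" action, since neither affects this question.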
