https://community.cisco.com/t5/network-security/zone-based-firewall-inspection-question/m-p/2383188#M306460 <HTML><HEAD></HEAD><BODY><P>I agree with jcarvaja, the first option you posted is the better option.&nbsp; you are already defining that the protocol is TCP in the ACL so no need to define it again in the class map.</P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Fri, 03 Jan 2014 10:04:32 GMT Marius Gunnerud 2014-01-03T10:04:32Z https://community.cisco.com/t5/network-security/zone-based-firewall-inspection-question/m-p/2383186#M306458 <P>Hi Everyone,</P><P>I am thinking on best way of&nbsp; doing class-map for inspection of traffic coming on <SPAN style="font-size: 10pt;">a not well-known </SPAN><SPAN style="font-size: 10pt;">TCP port.</SPAN></P><P><SPAN style="font-size: 10pt;">My question is whether do it via an access-list only, like</SPAN></P><P></P><P>access-list in-traff permit tcp host x.x.x.x host y.y.y.y eq 2085</P><P><SPAN style="font-size: 10pt;">class-map type inspect match-any IN-cmap</SPAN></P><P> match access-group name in-traff</P><P></P><P>Or, it would be better to do it like this:</P><P></P><P>access-list in-traff permit tcp host x.x.x.x host y.y.y.y eq 2085</P><P>class-map type inspect match-all IN-cmap</P><P>match protocol tcp </P><P>match access-group name in-traff</P><P></P><P>Since I have tcp mentioned on ACL already, I am wondering if match protcol tcp would really do any deeper inspection.</P><P></P><P>Thanks!</P><P></P><P></P><P></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P> Tue, 12 Mar 2019 03:24:06 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-inspection-question/m-p/2383186#M306458 Mr Brightside 2019-03-12T03:24:06Z https://community.cisco.com/t5/network-security/zone-based-firewall-inspection-question/m-p/2383187#M306459 <HTML><HEAD></HEAD><BODY><P>Hello Farhad,</P><P></P><P>I will go with the First option (ACL only).</P><P></P><P>There is no need to go any further as there will be no advantages of a deeper inspection as this is not a well known protocol (And just for you to know on both the match protocol TCP and match access-group name you are matching at layer 4 so it's redundant)</P><P></P><P></P><P>Looking for some Networking Assistance?&nbsp; <BR /><SPAN>Contact me directly at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />I will fix your problem ASAP. <BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura <BR /><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Fri, 03 Jan 2014 08:45:53 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-inspection-question/m-p/2383187#M306459 Julio Carvajal 2014-01-03T08:45:53Z https://community.cisco.com/t5/network-security/zone-based-firewall-inspection-question/m-p/2383188#M306460 <HTML><HEAD></HEAD><BODY><P>I agree with jcarvaja, the first option you posted is the better option.&nbsp; you are already defining that the protocol is TCP in the ACL so no need to define it again in the class map.</P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Fri, 03 Jan 2014 10:04:32 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-inspection-question/m-p/2383188#M306460 Marius Gunnerud 2014-01-03T10:04:32Z