https://community.cisco.com/t5/network-security/zone-based-firewall-question/m-p/1326613#M811903 <P>Hello... here is the question...</P><P></P><P>Based on the following configuration which option is correct?</P><P></P><P>class-map type inspect match-all myprotocols</P><P> match protocol http</P><P>match protocol dns</P><P></P><P>policy-map type inspect myfwpolicy</P><P> class type inspect myprotocols</P><P> inspect</P><P></P><P>zone security private</P><P>zone security public</P><P></P><P>int fa0/0</P><P> zone-member security private</P><P></P><P>int fa0/1</P><P> zone-member security public</P><P></P><P>zone-pair security priv-to-pub source private destination public</P><P> service-policy type inspect myfwpolicy</P><P></P><P>What will result from this config?</P><P></P><P>a) all traffic from the private zone to the public zone will be dropped</P><P>b)all traffic from the private zone to the public zone will be permitted but not inspected</P><P>c)all traffic from the private zone to the public zone will be permitted and inspected</P><P>d)all traffic from the public zone to the private zone will be permitted but not inspected</P><P>e) only HTTP and DNS traffic from the private zone to the public zone will be permitted and inspected</P><P>f)only HTTP and DNS traffic from the public zone to the private zone will be permitted and inspected</P><P></P><P>The test says that the correct answer is A but I say is E.</P><P></P><P>which one is right?</P><P>Thanks</P> Mon, 11 Mar 2019 16:00:49 GMT allanc16 2019-03-11T16:00:49Z https://community.cisco.com/t5/network-security/zone-based-firewall-question/m-p/1326613#M811903 <P>Hello... here is the question...</P><P></P><P>Based on the following configuration which option is correct?</P><P></P><P>class-map type inspect match-all myprotocols</P><P> match protocol http</P><P>match protocol dns</P><P></P><P>policy-map type inspect myfwpolicy</P><P> class type inspect myprotocols</P><P> inspect</P><P></P><P>zone security private</P><P>zone security public</P><P></P><P>int fa0/0</P><P> zone-member security private</P><P></P><P>int fa0/1</P><P> zone-member security public</P><P></P><P>zone-pair security priv-to-pub source private destination public</P><P> service-policy type inspect myfwpolicy</P><P></P><P>What will result from this config?</P><P></P><P>a) all traffic from the private zone to the public zone will be dropped</P><P>b)all traffic from the private zone to the public zone will be permitted but not inspected</P><P>c)all traffic from the private zone to the public zone will be permitted and inspected</P><P>d)all traffic from the public zone to the private zone will be permitted but not inspected</P><P>e) only HTTP and DNS traffic from the private zone to the public zone will be permitted and inspected</P><P>f)only HTTP and DNS traffic from the public zone to the private zone will be permitted and inspected</P><P></P><P>The test says that the correct answer is A but I say is E.</P><P></P><P>which one is right?</P><P>Thanks</P> Mon, 11 Mar 2019 16:00:49 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-question/m-p/1326613#M811903 allanc16 2019-03-11T16:00:49Z https://community.cisco.com/t5/network-security/zone-based-firewall-question/m-p/1326614#M811904 <HTML><HEAD></HEAD><BODY><P>E is the correct answer.</P><P></P><P>Alex Yeung</P></BODY></HTML> Thu, 30 Jul 2009 14:49:59 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-question/m-p/1326614#M811904 Alex Yeung 2009-07-30T14:49:59Z https://community.cisco.com/t5/network-security/zone-based-firewall-question/m-p/1326615#M811905 <HTML><HEAD></HEAD><BODY><P>I knew it !!! Thanks a lot!!</P><P></P><P>I have the SNRS exam today so I want to clear that out.. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Thu, 30 Jul 2009 14:54:36 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-question/m-p/1326615#M811905 allanc16 2009-07-30T14:54:36Z https://community.cisco.com/t5/network-security/zone-based-firewall-question/m-p/1326616#M811907 <HTML><HEAD></HEAD><BODY><P>Hi Allan, </P><P>the correct answer is A, because your class-map is defined with "match-all" statemant witch says that the traffic must match both rules. In your case the traffic must be http and dns at the same time witch is impossible. To correct this you have to do:</P><P>class-map type inspect match-any my protocols</P><P>match protocol http</P><P>match protocol dns</P><P></P><P>Now the correct answer will be "E" </P><P></P><P>Best Regards </P><P>Tihomir Yosifov </P></BODY></HTML> Fri, 06 Nov 2009 07:39:00 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-question/m-p/1326616#M811907 zenon_electronics 2009-11-06T07:39:00Z