Zone Based Firewall inspection question

Mr Brightside
Level 1

Hi Everyone,

I am thinking about the best way of doing a class-map for inspection of traffic coming in on a not well-known TCP port.

My question is whether to do it via an access-list only, like

    ip access-list extended in-traff
     permit tcp host x.x.x.x host y.y.y.y eq 2085
    !
    class-map type inspect match-any IN-cmap
     match access-group name in-traff

Or, whether it would be better to do it like this:

    ip access-list extended in-traff
     permit tcp host x.x.x.x host y.y.y.y eq 2085
    !
    class-map type inspect match-all IN-cmap
     match protocol tcp
     match access-group name in-traff

Since I have TCP mentioned in the ACL already, I am wondering if match protocol tcp would really do any deeper inspection.

Thanks!


Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Farhad,

I will go with the First option (ACL only).

There is no need to go any further, as there will be no advantages to a deeper inspection since this is not a well-known protocol. (And just for you to know, on both the match protocol TCP and the match access-group name you are matching at layer 4, so it's redundant.)

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


I agree with jcarvaja, the first option you posted is the better option. You are already defining that the protocol is TCP in the ACL, so there is no need to define it again in the class map.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
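For reference, here is the first option (ACL only) placed in a complete zone-based firewall configuration, as an added example rather than something posted in the thread. The ACL, class-map name and port 2085 come from the question; the zone names, interface names, policy-map name and the class-default action are assumptions.

```cisco
! Layer 4 match: the ACL already pins down protocol, hosts and port,
! so no "match protocol tcp" line is needed in the class-map.
ip access-list extended in-traff
 permit tcp host x.x.x.x host y.y.y.y eq 2085
!
class-map type inspect match-any IN-cmap
 match access-group name in-traff
!
! Assumed policy-map name. "inspect" creates stateful TCP sessions for
! matching flows; everything else on this zone-pair is dropped and logged.
policy-map type inspect IN-pmap
 class type inspect IN-cmap
  inspect
 class class-default
  drop log
!
! Assumed zone names and direction (traffic arriving from OUTSIDE to INSIDE).
zone security OUTSIDE
zone security INSIDE
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect IN-pmap
!
! Assumed interface names.
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 zone-member security INSIDE
!
! Verify that sessions to port 2085 are being inspected:
!   show policy-map type inspect zone-pair OUT-TO-IN sessions
```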
