07-30-2009 06:39 AM - edited 03-11-2019 09:00 AM
Hello... here is the question...
Based on the following configuration which option is correct?
class-map type inspect match-all myprotocols
 match protocol http
 match protocol dns
policy-map type inspect myfwpolicy
 class type inspect myprotocols
  inspect
zone security private
zone security public
int fa0/0
 zone-member security private
int fa0/1
 zone-member security public
zone-pair security priv-to-pub source private destination public
 service-policy type inspect myfwpolicy
What will result from this config?
a) all traffic from the private zone to the public zone will be dropped
b) all traffic from the private zone to the public zone will be permitted but not inspected
c) all traffic from the private zone to the public zone will be permitted and inspected
d) all traffic from the public zone to the private zone will be permitted but not inspected
e) only HTTP and DNS traffic from the private zone to the public zone will be permitted and inspected
f) only HTTP and DNS traffic from the public zone to the private zone will be permitted and inspected
The test says that the correct answer is A, but I say it is E.
Which one is right?
Thanks
07-30-2009 07:49 AM
E is the correct answer.
Alex Yeung
07-30-2009 07:54 AM
I knew it !!! Thanks a lot!!
I have the SNRS exam today so I want to clear that out.. :)
11-05-2009 11:39 PM
Hi Allan,
The correct answer is A, because your class-map is defined with the "match-all" statement, which says that the traffic must match both rules. In your case the traffic must be HTTP and DNS at the same time, which is impossible. To correct this you have to do:
class-map type inspect match-any myprotocols
 match protocol http
 match protocol dns
Now the correct answer will be "E".
Best Regards
Tihomir Yosifov
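A lint check for the pitfall discussed in this thread, added here as an example (not code from any poster or from Cisco): it parses `class-map type inspect` blocks and flags any `match-all` map that lists more than one `match protocol`. It assumes, following the reasoning in the reply above, that a flow is identified as a single protocol; the `webdns` class-map, the sample config and all function names are constructed for illustration.

```python
import re

# Constructed sample: the class-map from the question plus a match-any variant.
SAMPLE = """\
class-map type inspect match-all myprotocols
 match protocol http
 match protocol dns
class-map type inspect match-any webdns
 match protocol http
 match protocol dns
policy-map type inspect myfwpolicy
 class type inspect myprotocols
  inspect
"""

HEADER = re.compile(r"^class-map type inspect (match-all|match-any) (\S+)$")
PROTO = re.compile(r"^match protocol (\S+)")

def parse_class_maps(config):
    """Return {name: (mode, [protocols])}; only explicit match-all/match-any headers."""
    maps, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            current = m.group(2)
            maps[current] = (m.group(1), [])
        elif current and line.startswith(("match ", "description ")):
            if p := PROTO.match(line):
                maps[current][1].append(p.group(1).lower())
        elif line:
            current = None  # any other command ends the class-map block
    return maps

def unmatchable(maps):
    """Names of match-all class-maps that demand two different protocols at once."""
    return sorted(name for name, (mode, protos) in maps.items()
                  if mode == "match-all" and len(set(protos)) > 1)

def verdict(maps, name, flow_protocol):
    """Assumed model: a flow is identified as exactly one protocol."""
    mode, protos = maps[name]
    hits = [p == flow_protocol for p in protos]
    matched = bool(hits) and (all(hits) if mode == "match-all" else any(hits))
    # Traffic that misses the class falls to class-default, which drops by default.
    return "inspect" if matched else "drop"

if __name__ == "__main__":
    maps = parse_class_maps(SAMPLE)
    print("never matches:", unmatchable(maps))
    for name in maps:
        print(name, {p: verdict(maps, name, p) for p in ("http", "dns", "ftp")})
```

The parser does not depend on indentation, so it also works on a configuration pasted without leading spaces.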