What is wrong with the configuration?

Refer to the exhibit.

A network engineer is trying to configure a router as a zone-based firewall and needs to allow
DHCP traffic to and from the router on the outside interface. After applying the configuration to the
router, he notices that his configuration is not working.
What is wrong with the configuration?


A.
The UDP ports in access list 111 and access list 112 are incorrect.

B.
The wrong action has been configured on the policy map.

C.
The zone pair configuration is incorrect.

D.
The inside and outside references are incorrect.

Explanation:





Connie Balfour


I truly wanted to write down a brief message so as to thank you for all the pleasant tips and hints you are posting at this website. My considerable internet look up has now been honored with brilliant points to write about with my contacts. I would assert that many of us visitors actually are really endowed to dwell in a really good website with many marvellous people with useful principles. I feel very grateful to have used your entire webpages and look forward to so many more amazing times reading here. Thank you again for all the details.

http://bit.ly/1Miqkki

mige


spam, don’t click

Fe


C is the correct answer

Attaching a Policy Map to a Zone Pair
SUMMARY STEPS

1. enable

2. configure terminal

3. zone security zone-name

4. exit

5. zone security zone-name

6. exit

7. zone-pair security zone-pair-name [source zone-name destination [zone-name]]

8. service-policy type inspect policy-map-name

9. exit

10. interface type number

11. zone-member security zone-name

12. end
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-data-nest-cmap.html

starts7777


This example configuration shows how to prevent all UDP traffic from a zone into your router’s self zone except for DHCP packets. Use an access-list with specific ports in order to allow just DHCP traffic; in this example, UDP port 67 and UDP port 68 are specified to be matched. A class-map that references the access-list has the pass action applied.
! ACL 111 matches UDP destination port 67, ACL 112 matches UDP destination port 68
ip access-list extended 111
 10 permit udp any any eq 67

ip access-list extended 112
 10 permit udp any any eq 68

! One class-map per direction, each referencing its access list
class-map type inspect match-any self-to-out
 match access-group 111
class-map type inspect match-any out-to-self
 match access-group 112

zone security outside
zone security inside

interface Ethernet0/1
 zone-member security outside
interface Ethernet0/2
 zone-member security inside

! Pass the matched DHCP traffic, drop everything else
policy-map type inspect out-to-self
 class type inspect out-to-self
  pass
 class class-default
  drop
policy-map type inspect self-to-out
 class type inspect self-to-out
  pass
 class class-default
  drop

! Bind each policy to the zone pair for its direction (outside <-> self)
zone-pair security out-to-self source outside destination self
 service-policy type inspect out-to-self
zone-pair security self-to-out source self destination outside
 service-policy type inspect self-to-out

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/116117-configure-dhcp-zbf-00.html
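
Added example, not part of the comment above or of Cisco's documentation: a small Python check that follows each zone-pair to its policy-map, class-maps and access lists and reports any zone or name that is never defined. The sample config is constructed, the function names are made up for this example, and the parser assumes only the command forms shown in this thread.

```python
import re

HEADS = ("access-list", "class-map", "policy-map", "zone", "zone-pair", "interface")
CHAIN = [("policy-map", r"service-policy type inspect (\S+)"),
         ("class-map", r"class type inspect (\S+)"),
         ("access-list", r"match access-group (?:name )?(\S+)")]

# Constructed sample, not the exam exhibit: the class-map references undefined ACL 113.
SAMPLE = """\
ip access-list extended 112
 10 permit udp any any eq 68
class-map type inspect match-any out-to-self
 match access-group 113
policy-map type inspect out-to-self
 class type inspect out-to-self
zone security outside
zone-pair security out-to-self source outside destination self
 service-policy type inspect out-to-self
"""

def parse(cfg):
    """Group sub-commands under their (keyword, name) top-level block."""
    blocks, cur = {("zone", "self"): []}, None  # the self zone is built in
    for line in (l.strip() for l in cfg.splitlines()):
        w = re.sub(r"^ip ", "", line).split()
        if w and w[0] in HEADS:
            name = w[2] if w[0] == "zone-pair" else w[-1]
            cur = blocks.setdefault((w[0], name), [line])
        elif w and cur is not None and not line.startswith("!"):
            cur.append(line)
    return blocks

def walk(b, key, depth=0):
    """Follow references down from one block, yielding each undefined name."""
    for kind, pattern in CHAIN[depth:depth + 1]:
        for name in re.findall(pattern, "\n".join(b[key][1:])):
            if (kind, name) in b:
                yield from walk(b, (kind, name), depth + 1)
            else:
                yield f"{kind} {name} is not defined"

def check(cfg):
    """Return findings per zone-pair; an empty list means every reference resolves."""
    b, out = parse(cfg), []
    for (kind, pair), lines in b.items():
        if kind == "zone-pair":
            zs = re.findall(r"(?:source|destination) (\S+)", lines[0])
            out += [f"{pair}: zone {z} is not defined" for z in zs if ("zone", z) not in b]
            out += [f"{pair}: {msg}" for msg in walk(b, ("zone-pair", pair))]
    return out
```

Blocks are keyed by keyword and name, so a class-map, policy-map and zone-pair that share one name (as in the configuration above) are tracked separately.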

starts7777


A.
The UDP ports in access list 111 and access list 112 are incorrect.

Jodee Biederwolf


I would like to thank you for the efforts you’ve put in writing this website. I’m hoping the same high-grade site post from you in the upcoming as well. In fact your creative writing abilities has inspired me to get my own site now. Really the blogging is spreading its wings fast. Your write up is a good example of it.

http://www.LSwL3dxW3V.com/LSwL3dxW3V