Cisco Systems CBAC / IP Inspect Confusion

Posted by rafael_romano299 on December 6, 2005, 6:27 am
We have recently installed a new Cisco 837 router running IOS version
12.3(2)XC2 and an issue relating to CBAC / 'ip inspect' command has
come to light.

When the 'ip inspect' command is applied outbound only on the Dialer0
interface, we are able to access/browse the Internet from the internal
network successfully but cannot receive incoming mail. Outgoing e-mail
is fine.

However, when the 'ip inspect' command (outbound) is removed from the
Dialer0 interface altogether, we are able to receive incoming mail but
cannot get to the Internet at all.

We've worked around this by applying the 'ip inspect' commands to the
Dialer0 interface both in AND outbound so as not to disrupt service but
think that surely this must only be a temporary measure due to the
increased security risk.

This router is configured in practically exactly the same way as
another 837 also running IOS version 12.3(2)XC2. With the 'ip inspect'
command applied outbound only on the Dialer0 interface of this second
router, we see none of the same issues and everything works fine.

I think that this may be a symptom of a misconfiguration rather than a
problem in itself but I don't know what. Could it be NAT or route maps?

I will post config if anyone wants to have a look.

Thank you in advance for your help & suggestions.


Posted by on December 6, 2005, 11:28 am
You put an Access-list on the Dialer0 that
permits incoming mail and keep the Inspect.

access-list 100 permit tcp any host my.mail.server eq 25

interface Dialer0
 ip access-group 100 in

substitute the EXTERNAL address of the mail server
for "my.mail.server".
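As an added illustration of the pattern in this reply (not a configuration from the thread), the inbound ACL and the outbound inspect rule shown together on Dialer0. The inspect rule name "fw" and the address 203.0.113.10 (the mail server's external, post-NAT address) are constructed placeholders; CBAC opens temporary holes in ACL 100 only for return traffic of sessions it inspected leaving the interface, so unsolicited inbound SMTP still needs its own static permit.

```cisco
! Added example, not from the thread. "fw" and 203.0.113.10 are placeholders.
! Inspect outbound sessions so their return traffic is admitted dynamically.
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw smtp
!
! Static entries are evaluated on Dialer0 before NAT translates the
! destination, so the mail server's EXTERNAL address goes here.
access-list 100 remark only unsolicited inbound traffic allowed: SMTP to mail server
access-list 100 permit tcp any host 203.0.113.10 eq smtp
access-list 100 deny ip any any log
!
interface Dialer0
 ip access-group 100 in
 ip inspect fw out
```

Use "show ip inspect sessions" to confirm CBAC is tracking outbound connections, and the log entries from the final deny to see what unsolicited inbound traffic is being dropped.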


Posted by slim on December 6, 2005, 7:40 pm
anybody43@hotmail.com wrote:

Correct me if I'm wrong, but isn't the point of "ip inspect" to get
around manually defining ACLs? In fact, I believe in 12.3T, a feature
called "firewall ACL bypass" was introduced. If I understand it
correctly, that feature is to eliminate redundant ACL processing - an
inbound pass, inspect, and outbound pass, with the idea being that if
inspect "sees" the traffic, the other two ACL processes are assumed to
be performed.

I ask this because I'm starting to work with the firewall feature set
myself, and have also noticed odd behavior. In my case, with inspect on,
RTP flows between IP phones work. Shut it down, and I get one-way audio.
All of this with no ACLs. However, I have to explicitly define ACLs
for Skinny even though it's configured to be inspected. Very odd, and I
don't understand the inconsistency.

Any insights would be appreciated!
