Cisco Systems IP Inspect vs. established
Bookmark this page:  YahooMyWeb Yahoo!  Google Google  Windows Live Favorites Windows Live  del.icio.us del.icio.us  digg digg  Add to Netscape Netscape
Subject Author Date
IP Inspect vs. established Vincent 03-12-09
Posted by Vincent on March 12, 2009, 9:59 pm
Please log in for more thread options
I am a novice with Cisco routers, so please forgive me if this
question is a bit odd.  I have a Cisco 871 router where the WAN
interface is on the FastEthernet4 interface.  What are the primary
differences between associating an ip inspect rule for outgoing
packets on this interface versus having an access-list that allows
"established" packets through the interface.  So, for example, I can
have an ip inspect rule that states "ip inpsect DEFAULT100 out" and
apply it to the FastEthernet4 interface via "ip inspect DEFAULT100
out."  Or, I can simply have an ACL rule that states "access-list 100
permit tcp any any established" and apply it to the FastEthernet4
interface via "ip access-group 100 in."  These both seem to accomplish
the same thing--namely allowing client-initiated traffic back through
the WAN interface into the internal network.  What are the advantages/
disadvantages to each approach.  I imagine the ip inspect rule takes
more processing, but is more "diligent" about what types of packets it
will allow through the interface into the internal network.  Again,
this is just a guess and I will defer to more knowledgeable users.
Any insight that someone can provide is appreciated.  I'm more
interested out of curiosity than anything.  Thanks.

Vincent

Posted by bod43 on March 12, 2009, 10:44 pm
Please log in for more thread options

Inspect is likely to be the best choice. It's certainly
what I use.

Benifits of Inspect are it can (and does) examine upper
layer (>L3) protocols.

Limitations of established are:-
Does not work for UDP or other non TCP traffic
Does not work for active ftp and other upper layer
  protocols (H.323?).
Potential attack with SYN + ACK packet
  you depend on client IP stack to resist
Potential other attacks - packets with no session
  you depend on client IP stack to resist

Beware - inspect http - turns on java blocking.
Probably not what you want.

Just to add confusion - you can also consider
reflexive access-lists.
This works like inspect in that it creates a list of allowed
inbound traffic dynamically but has no upper layer
examination.


Similar ThreadsPosted
IP Inspect vs. established March 12, 2009, 9:59 pm
ACL: Reflective versus established January 24, 2010, 4:10 am
IP Inspect May 18, 2006, 7:13 pm
ipsec tunnel established but no pinging December 27, 2006, 5:09 pm
PIX Ipsec VPN - SA established, no traffic passes May 3, 2007, 2:34 pm
HTTP Inspect November 11, 2005, 3:05 pm
HTTP INSPECT November 11, 2005, 3:11 pm
IP INSPECT question January 21, 2010, 6:28 am
CBAC / IP Inspect Confusion December 6, 2005, 6:27 am
2621XM - np ip inspect causes failure December 13, 2005, 10:36 am
IP Inspect and Browsing issues October 13, 2007, 2:08 pm
inspect pptp - disruptive? February 14, 2008, 1:35 pm
ASA, static, icmp and inspect FTP August 22, 2008, 5:11 am
NAT and access lists and IP INSPECT January 22, 2010, 6:24 am
DNS Fixup/Inspect Pix/ASA 7.0 or greater breaking email October 7, 2006, 6:47 pm
Latest PostsForumRSS
NEWS: Samsung takes on the Apple iPad with the 7 inch Galaxy... Wireless Networking
c3560 port configuration Cisco Systems
Broadband 2010: A Big Slowdown [telecom] General Telecommunications Forum
Control Hot Water Circ Pump With X10? General Home Automation
Official Course CCNP TSHOOT 642-832 / Foundation Learning Gu... Cisco Certification
Speedflow Communications Honored for Innovation Voice-Over-IP
USB _to_ RJ45 (not from) connection Ethernet LAN
FAQ: Maximizing cable modem or DSL speed Cable Modems
CASH FOR CISCO - I BUY USED AND NEW EQUIPMENT & LOTS MOR... Telecom Technical
FAQ: Maximizing cable modem or DSL speed Digital Subscriber Line
How to set up Meridian 1 to "provide clock" to a C... Nortel Networks
New Discovery about WDM LAN and Telecom Cabling
Control Hot Water Circ Pump With X10? Home Automation
Text file to automate restoring a dropped VPN connection. Virtual Private Networks
Home Theater Installation Home Theater
Re: The Turkic Languages in a Nutshell Fiber Optics
sip Video Conferencing
Residential Cabling Guide Home Cabling Guide

Finally, an instantly downloadable book that saves you thousands in home improvement dollars! Enjoy living in 21st century technology-advanced home while increasing its selling value and competitive advantage on the real estate market. Whether your cabling is for home office or high-tech leisure, you can wire your home yourself or learn "wirish" to speak with your cabling contractors in their language!

Click Here to learn more