IP inspect specifics

Hi there

I have read a reasonable amount about the IOS ip inspect function, but I'd really appreciate it if someone could verify a few things that are still unclear for me.

Consider a firewall router with three interfaces - one to the LAN, one to the Internet, and one to the DMZ. Just to note, ip inspect can be enabled in each direction on every interface, so theoretically there could be a maximum of 6 ip inspect rules used on this router.

If I understand ip inspect correctly, if "ip inspect xxxx out" is used, packets are inspected when going in the direction of the final parameter, which in this case is "out"-wards. Is this true - ie incoming packets to this interface will not be inspected using this command, although it may have created an incoming permit ACL to allow the traffic to return?

How many ACLs can a single ip inspect command open and on how many interfaces? Consider that incoming and outgoing "deny all" ACLs are created on both sides of the LAN and the Internet interfaces, and an "ip inspect in" is used on the LAN interface. An "incoming" permit statement ACL is configured on the LAN interface too, to allow internal clients to access any host at port 80. When a client browses the web, will ip inspect create 3 ACLs to allow packets out through the Internet NIC and back through the Internet and LAN NICs, will it create 2 ACLs for the return traffic, meaning that it gets blocked at the outgoing ACL on the Internet NIC unless an ACL is written to allow this traffic out, or will it create only one return ACL to allow the traffic back in the other direction of the LAN NIC?

Basically I want to know if ip inspect will create all ACLs on all interfaces for the packet to reach its destination and return, or if it can only add ACLs to the NIC on which it is configured.

I hope my explanation is not too confusing!

Depending upon the answers to this, the answer to my next question may be obvious, but.... Would it be practical and advantageous to have incoming and outgoing ip inspect rules on all interfaces of this router (so in total 6 ip inspect rules) or would this become an administrative nightmare when new requests to allow outgoing traffic are made from users?

Thank you kindly in advance for your wise words!

Best wishes Paul

Reply to
Paul D

On Catalyst 6500 series switches, you must enter the "mls ip inspect" command to permit traffic through any ACLs that would deny the traffic through other ports. On other platforms, if you enter the ip inspect command on a port, CBAC modifies ACLs on other ports to permit the inspected traffic to flow through the network device. Refer to the "Additional CBAC Configuration" section for more information.

As to your second question, it totally depends on what you're trying to achieve.

Reply to
Brad

Hello Brad - thanks for your response. Although the ip inspect function may work in a similar way, note that I am not using mls.

The platform I'm using is 3640 with IOS FW/IDS

My question is not answered in the documentation, as far as I can see - ie. can a single ip inspect statement configured on a single interface create ACLs on more than one interface?

Thanks Paul

Reply to
Paul D

No, I think you misunderstand what ip inspect does. You create the ACLs and ip inspect will open them up to let traffic through.

Reply to
Brad

Sorry - I used the word ACL rather than ACL rule(s)...

Can a single ip inspect statement configured on a single interface create ACL rules on more than one interface?

See the amended question below:

Consider that incoming and outgoing "deny all" ACLs are created on both sides of the LAN and the Internet interfaces, and an "ip inspect in" is used on the LAN interface. An "incoming" permit statement ACL is configured on the LAN interface too, to allow internal clients to access any host at port

When a client browses the web, will ip inspect...

1) ...create 3 ACL rules to allow packets out through the Internet NIC and back through the Internet and LAN NICs

2) ...create 2 ACL rules for the return traffic on the Internet and LAN NICs, meaning that it will get blocked at the outgoing ACL on the Internet NIC unless an ACL rule is written to allow this traffic out

3) ...or will it create only one return ACL rule to allow the traffic back in the other direction of the LAN NIC?

Do you understand what I mean?

Reply to
Paul D

Packets entering the router/firewall are inspected by ip inspect only if they first pass the inbound access list at the interface. If a packet is denied by the access list, the packet is simply dropped and not inspected by ip inspect.

Reply to
Brad

I'm sorry that I am not making myself clear - I already understand ip inspect with regard to what you said in your last message.

However, if there are ACLs with deny all in both directions on the LAN and Internet interfaces, except that there is a rule permitting incoming (to the router) www traffic on the LAN interface, and there is an "ip inspect...in" statement on the LAN interface, will ip inspect open up ports on both the LAN and Internet interfaces or just the LAN interface?

Thanks for your patience!

Paul

Reply to
Paul D

Sorry about the confusion. I've never used a configuration like that before but the CBAC should open up the ACLs on both the LAN and Internet interfaces as long as the flow was initiated from the inside. If I get a chance, I'll try it in my lab to see if it really works.

Reply to
Brad
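The setup the two of them are discussing, written out as an IOS configuration example (added here; it is not from either poster or from Cisco documentation). Interface names, ACL numbers, the LAN address and the inspection rule name are assumptions; the show commands at the end are the check to run after a client opens a web page, to see which access lists CBAC actually opened.

```cisco
! Added example (not from the thread): deny-all ACLs in both directions on
! the LAN and Internet interfaces, a single inbound permit for HTTP on the
! LAN side, and "ip inspect ... in" on the LAN interface only.
! Interface names, ACL numbers, address and rule name are assumed.
!
! Inspection rule: track TCP sessions initiated from the LAN
ip inspect name CBAC_LAN tcp
!
! LAN side: only HTTP entering the router from clients is permitted;
! everything else, in both directions, is denied
access-list 101 permit tcp any any eq 80
access-list 101 deny   ip any any
access-list 102 deny   ip any any
!
! Internet side: deny all in both directions, so any opening for the
! return traffic can only come from the inspection engine
access-list 111 deny   ip any any
access-list 112 deny   ip any any
!
interface Ethernet0/0
 description LAN
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
 ip inspect CBAC_LAN in
!
interface Serial0/0
 description Internet
 ip access-group 111 in
 ip access-group 112 out
!
! Verification, from privileged EXEC, while a client web session is open:
!   show ip inspect sessions   - the TCP session CBAC is tracking
!   show ip access-lists       - temporary entries CBAC inserted, per list
!   show ip inspect config     - confirms the rule and the interface it is on
```

Comparing the output of show ip access-lists against lists 102, 111 and 112 tells you directly whether openings appeared on the LAN interface only or on the Internet interface as well.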

Thank you, Brad, that would be really good of you. I've only got production routers, so I'm unable to test this. I'm glad that you have realised what I meant, and that you don't think it's an obvious question. Thank you - and I look forward to hearing from you again!

Best regards Paul

Reply to
Paul D
