IP Inspect vs. established

I am a novice with Cisco routers, so please forgive me if this question is a bit odd. I have a Cisco 871 router where the WAN interface is on the FastEthernet4 interface. What are the primary differences between associating an ip inspect rule for outgoing packets on this interface versus having an access-list that allows "established" packets through the interface. So, for example, I can have an ip inspect rule that states "ip inpsect DEFAULT100 out" and apply it to the FastEthernet4 interface via "ip inspect DEFAULT100 out." Or, I can simply have an ACL rule that states "access-list 100 permit tcp any any established" and apply it to the FastEthernet4 interface via "ip access-group 100 in." These both seem to accomplish the same thing--namely allowing client-initiated traffic back through the WAN interface into the internal network. What are the advantages/ disadvantages to each approach. I imagine the ip inspect rule takes more processing, but is more "diligent" about what types of packets it will allow through the interface into the internal network. Again, this is just a guess and I will defer to more knowledgeable users. Any insight that someone can provide is appreciated. I'm more interested out of curiosity than anything. Thanks.


Reply to
Loading thread data ...

Inspect is likely to be the best choice. It's certainly what I use.

Benifits of Inspect are it can (and does) examine upper layer (>L3) protocols.

Limitations of established are:- Does not work for UDP or other non TCP traffic Does not work for active ftp and other upper layer protocols (H.323?). Potential attack with SYN + ACK packet you depend on client IP stack to resist Potential other attacks - packets with no session you depend on client IP stack to resist

Beware - inspect http - turns on java blocking. Probably not what you want.

Just to add confusion - you can also consider reflexive access-lists. This works like inspect in that it creates a list of allowed inbound traffic dynamically but has no upper layer examination.

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.