[c-nsp] IOS 12.4 firewall feature set: does "inspect foo OUT" work?

Furnish, Trever G TGFurnish at herffjones.com
Fri Dec 15 17:52:23 EST 2006


Having trouble finding current documentation for the IOS firewall
feature set -- what I find applies to 12.2 and I'm running 12.4(6)XE2.
 
Anyone have any better documentation than what's listed here:
http://www.cisco.com/en/US/customer/products/sw/secursw/ps1018/tsd_products_support_series_home.html
 
OR, anyone have any idea why inspecting FTP would only work when it's
applied inbound, not outbound?  Is the behavior below broken on the part
of the router, or is my understanding broken?
 
If I have these inspection sets:
ip inspect name dmz-out ftp
ip inspect name inside-in ftp
 
...and I apply the dmz-out inspection to the dmz interface outbound,
then the data portion of the FTP connection doesn't work:
 
interface g0/1
   description dmz
   ! CBAC inspection applied outbound on the DMZ interface
   ip inspect dmz-out out
   ip access-group dmz-in in
 
...but if I instead remove the dmz-out inspection and apply the
inside-in inspection to the inside interface inbound, then the data
portion of the FTP connection DOES work.
 
interface g0/0
   description inside
   ! CBAC inspection applied inbound on the inside interface
   ip inspect inside-in in
   ip access-group inside-in in
 
--
Trever Furnish, tgfurnish at herffjones.com
Herff Jones, Inc. Unix / Network Administrator
Phone: 317.612.3519
Any sufficiently advanced technology is indistinguishable from Unix.