[nsp] IOS Firewall Issues
rpcbind at speakeasy.net
Tue Apr 8 14:44:39 EDT 2003
> In addition, you will want to limit the amount of traffic you inspect.
> If you inspect too much, you can actually trick the router into thinking it
> is under attack and it will deny that traffic access.
Short of limiting protocol inspection, is anyone aware of a way (or future
feature) to apply an acl to inspected traffic? There's at least a couple of
instances when, due to traffic volume, etc., it was desirable to have ip inspect
skip a set of addresses altogether, relying on traditional acl'ing instead..
ip inspect name <name> list <acl>
On the subject, it'd be handy if ranges for 'ip inspect name <name> <service>
timeout' matched 'ip nat translation timeout'. 12 hours is a lot for an idle
session, but being able to do 72 hour timeouts would be nice for things left
doing nothing over a weekend..
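Added example, not part of the original post or of any reply on the list: classic CBAC ("ip inspect name ... in/out" on an interface) has no ACL hook, but the later IOS zone-based policy firewall lets a class-map match an access-group, so only the traffic that ACL selects is inspected and a set of high-volume hosts can be passed uninspected and filtered by ordinary ACLs instead. All names, interface numbers and the 192.0.2.0/24 "skip" network are assumed for illustration.

```cisco
! Added example (not from the original post): use an ACL to pick which
! traffic the IOS firewall inspects. Requires the zone-based firewall
! (class-map/policy-map type inspect), not the older "ip inspect" CLI.
! Names, interfaces and the 192.0.2.0/24 subnet are assumed.
!
ip access-list extended INSPECT-SKIP
 remark Hosts whose bulk flows are handled by plain ACLs, not inspection
 permit ip 192.0.2.0 0.0.0.255 any
!
ip access-list extended INSPECT-WANTED
 permit ip any any
!
! Order matters: the policy-map is first-match, so the skip class is
! listed before the catch-all inspect class.
class-map type inspect match-all C-SKIP
 match access-group name INSPECT-SKIP
class-map type inspect match-all C-INSPECT
 match access-group name INSPECT-WANTED
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect C-SKIP
  pass
 class type inspect C-INSPECT
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
!
! "pass" keeps no session state, so return traffic for the skipped
! subnet is not opened automatically: the OUTSIDE->INSIDE zone-pair
! needs its own class that passes (or an interface ACL that permits)
! exactly the replies expected for 192.0.2.0/24, and nothing wider.
```

Traffic from the skipped subnet still crosses the zone-pair, it just never enters the inspection tables, so it does not count toward the half-open session thresholds that the quoted text warns can make the router believe it is under attack. The cost is that those flows get no stateful tracking in either direction, which is why the reverse-direction permit has to be written as tightly as a traditional ACL would be.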