[c-nsp] Problem with IP Inspect

Randy randy_94108 at yahoo.com
Sat Jul 23 00:55:37 EDT 2011


Hello Joseph,

If you wish it to work against an inbound ACL, CBAC has to be outbound.

CBAC, quite simply put, inspects traffic as applicable to an interface ACL.
If the ACL is inbound on an interface, the inspect rule would be "ip inspect CBAC out", so it can punch a hole in the INBOUND ACL for return traffic.
Conversely, if you have an OUTBOUND ACL it would be "ip inspect CBAC in", once again for return traffic.
That is how a poor man's firewall works.
Regards,
./Randy
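
As an added example, not configuration from the original thread, here is the classic CBAC placement that the direction rule above describes, together with the counter check Kevin suggests in the quoted reply below. Assumptions: FastEthernet0/1 is the Internet uplink, 192.0.2.0/24 is its (constructed) address block, 198.51.100.10 is a constructed management host, and the ACL name OutsideInboundACL is made up; the inspect rule name WinnetOffice is reused from Joseph's post.

```cisco
! Added example (not from the original thread). Addresses, the uplink
! interface and the ACL name are assumptions; WinnetOffice is Joseph's rule.
!
! Which protocols CBAC tracks. Sessions are created from traffic flowing in
! the inspected direction; their return traffic is then let through the ACL
! that faces the opposite way.
ip inspect name WinnetOffice tcp
ip inspect name WinnetOffice udp
ip inspect name WinnetOffice icmp
!
! Outside-in ACL: default deny. CBAC adds temporary openings to it only for
! return traffic of inspected sessions, so anything initiated from the
! Internet (here: SSH from a management host) still needs a static permit.
! Specific permits followed by an explicit deny make the hit counters tell
! you what inspection is NOT covering.
ip access-list extended OutsideInboundACL
 permit tcp host 198.51.100.10 host 192.0.2.1 eq 22
 deny   ip any any log
!
interface FastEthernet0/1
 description Internet uplink (constructed example)
 ip address 192.0.2.1 255.255.255.0
 ip access-group OutsideInboundACL in
 ! ACL is inbound, so inspection on this interface is OUT: traffic leaving
 ! toward the Internet is inspected, and its replies get back in.
 ip inspect WinnetOffice out
!
! Equivalent alternative: inspect on the LAN side in the IN direction
! (LAN -> router). Do one or the other, not both.
! interface FastEthernet0/0
!  ip inspect WinnetOffice in
!
! Verification, after browsing from the LAN:
!   show ip inspect sessions                 - the TCP sessions CBAC is tracking
!   show ip inspect statistics               - session creation/drop counters
!   show ip access-lists OutsideInboundACL   - hits on the final deny are
!                                              flows inspection did not open
```

If the deny counter climbs while browsing, the holes are not being punched where the return traffic arrives, which is the symptom to look for before touching anything else. The `log` keyword on the deny is handy during deployment but is process-switched and costs CPU, so remove it once the ACL is proven. CBAC (`ip inspect`) is the legacy IOS firewall; on current IOS releases the same design is expressed with the zone-based firewall, but the placement logic (inspect one direction, open the ACL facing the other) is identical.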


--- On Fri, 7/22/11, Joseph Mays <mays at win.net> wrote:

> From: Joseph Mays <mays at win.net>
> Subject: Re: [c-nsp] Problem with IP Inspect
> To: cisco-nsp at puck.nether.net
> Date: Friday, July 22, 2011, 4:29 PM
> Tried your suggestion, thanks.
> Created the following ACL...
> 
> ip access-list extended FaInboundACL
> permit ip any any
> 
> Added it to the inbound traffic on the LAN interface....
> 
> interface FastEthernet0/0
> description Win.net Chestnut St Office LAN
> ip address 216.24.33.1 255.255.255.0
> ip access-group FaInboundACL in
> ip verify unicast reverse-path
> no ip redirects
> no ip unreachables
> ip route-cache same-interface
> speed 100
> full-duplex
> no cdp enable
> 
> Not surprisingly, no effect, web browsing and everything
> work normally. I then added the "ip inspect" ...
> 
> 
> interface FastEthernet0/0
> description Win.net Chestnut St Office LAN
> ip address 216.24.33.1 255.255.255.0
> ip access-group FaInboundACL in
> ip verify unicast reverse-path
> no ip redirects
> no ip unreachables
> ip inspect WinnetOffice in
> ip route-cache same-interface
> speed 100
> full-duplex
> no cdp enable
> 
> And web browsing from the LAN stops working again.
> 
> ----- Original Message ----- From: "Kevin Graham" <kgraham at industrial-marshmallow.com>
> To: "Joseph Mays" <mays at win.net>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Friday, July 22, 2011 6:32 PM
> Subject: Re: [c-nsp] Problem with IP Inspect
> 
> 
> 
> On Jul 22, 2011, at 1:23 PM, "Joseph Mays" <mays at win.net>
> wrote:
> 
> >  There is no way turning on ip inspection should
> break communications anywhere in the absence of an ACL list,
> is there?
> 
> IIRC, ip inspect is creating a pseudo-acl, so you're being
> bitten by the default deny. You should apply a "permit ip
> any any" ACL inbound on that interface. (Adding more
> specific permits and making sure ACE counters aren't
> excessively increasing is also a really good way of making
> sure inspection is handling the traffic you intended it to
> during initial deployment without breaking anything).
> 
> 
> 
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/ 
> 
> 


