What does the "ip inspect" command do?

Nov 11th, 2007

I have a Cisco 837 router for home use on my ADSL line; there are no firewall rules in place as far as my knowledge goes. What does the "ip inspect" rule do, and do I need to add it to the ethernet interface inbound?

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ADSL
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password 7 ****
!
no aaa new-model
!
resource policy
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool client
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.100
   dns-server 190.217.138.197 187.186.189.16
   lease 0 2
!
!
no ip cef
!
!
!
username *** password ***
!
!
!
!
!
interface Ethernet0
 ip address 192.168.2.100 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip unreachables
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 cdp enable
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ***
 ppp chap password ***
 ppp pap sent-username *** password ***
 ppp ipcp dns request
 ppp ipcp wins request
!
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
!
logging trap debugging
logging facility local4
logging source-interface Ethernet0
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
end

johnd2310 Sun, 11/11/2007 - 11:07

hi,


The "ip inspect" command does stateful packet inspection. You might want to apply it to the ADSL interface outbound. That way it will inspect traffic leaving your network and open the necessary ports for the return traffic. Have a look at the following:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html
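As an added example (not from this thread or from the Cisco guide linked above), here is the outbound-inspection layout John describes, written for the Ethernet0/Dialer1 setup posted above; the inspection rule name HOMEFW and access list 101 are choices made for this example, with 101 picked so it does not collide with the existing NAT list 102.

```cisco
! Added example: CBAC on the ADSL side, assuming the Dialer1/Ethernet0 layout
! from the posted config. HOMEFW and list 101 are names chosen for this example.
!
! Inspect the protocols that leave the LAN; for each matching session the router
! adds a temporary opening in ACL 101 for that session's return traffic only.
ip inspect name HOMEFW tcp
ip inspect name HOMEFW udp
ip inspect name HOMEFW icmp
ip inspect name HOMEFW ftp
!
! Unsolicited traffic arriving from the Internet: allow only the ICMP error
! messages that path-MTU discovery and traceroute rely on, then deny and log
! everything else. Return traffic for inspected sessions bypasses this list.
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny ip any any log
!
interface Dialer1
 ip access-group 101 in
 ip inspect HOMEFW out
```

Applying the same rule as "ip inspect HOMEFW in" on Ethernet0 would inspect the identical LAN-originated flows, which is why both placements turn up in examples. Inspection tracks TCP, UDP and ICMP, so a work VPN that uses raw ESP rather than NAT-T over UDP 4500 would need its own permit entry in list 101.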

whiteford Sun, 11/11/2007 - 11:13

Thanks John,


1.) I've seen an example applying it to the ethernet 0 inbound, any ideas why?


2.) So does it just inspect? What exactly is that?


3.) Also, from the config above, I don't seem to have any firewall rules (unless I'm missing something). I want to be able to go outbound to the internet with no blocking (http, https, ftp, telnet, work VPN etc.), but block the usual inbound traffic. Should I have an access list?


Thanks

Richard Burts Mon, 11/12/2007 - 14:49

Andy


Has our discussion about ip inspect in the WAN forum clarified your understanding of this or do you still have questions?


HTH


Rick
