What does the IP inspect command do?

May 6th, 2008

Hello,

On my Cisco 877 router I can't see any outbound permit rules, so I wondered how my home PCs got onto the internet? The only thing I can see is many IP inspect rules:

ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive

Do these open dynamic outbound rules based on interested traffic, then close the rule after use?

stephenshaw Tue, 05/06/2008 - 04:57

Hi,

This config shows two different "rules" which consist of "outbound" and "SDM_LOW." These need to be applied to an interface and designated as inbound or outbound. Once this is done, a dynamic ACL is created for the session and essentially acts as a stateful firewall. Sometimes you can see the rules if you do a 'show access-list' command, but because they are dynamic you may not see the rules.

Steve

whiteford Tue, 05/06/2008 - 05:44

Right I've now got:

ip inspect name outbound tcp router-traffic
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
ip inspect name outbound cuseeme
ip inspect name outbound dns
ip inspect name outbound h323
ip inspect name outbound https
ip inspect name outbound imap
ip inspect name outbound pop3
ip inspect name outbound netshow
ip inspect name outbound rcmd
ip inspect name outbound realaudio
ip inspect name outbound rtsp
ip inspect name outbound esmtp
ip inspect name outbound sqlnet
ip inspect name outbound streamworks
ip inspect name outbound tftp
ip inspect name outbound vdolive

On the Dialer1:

interface Dialer1
 ip inspect outbound out

Is it normal to have this many inspects, or is this too many?

Is it normal to just have it on the Dialer1 as outbound only? I have seen some examples where they have IP inspects on their VLAN as inbound too?

thotsaphon Tue, 05/06/2008 - 10:32

Hi Andy,

IMHO, I would inspect whatever protocols I want to allow from the trust zone (Internal).

For a very, very simple network it's OK to do as follows:

ip inspect name outbound http
ip inspect name outbound https
ip inspect name outbound dns
ip inspect name outbound icmp

You can apply it to either the inbound interface or the outbound interface.

Note: Don't forget to use ACLs to deny all traffic except the particular traffic you want to access from the outside to the inside.

For example:

ip access-list extended allow-some
 permit tcp any host a.b.c.d eq 25
 deny ip any any
!
interface Dialer0
 ip inspect outbound out
 ip access-group allow-some in
!

Please check this link out!

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html

Hope this helps

Thot
