05-06-2008 12:21 AM - edited 03-03-2019 09:49 PM
Hello,
On my Cisco 877 router I can't see any outbound permit rules, so I wondered how my home PCs got onto the internet. The only thing I can see is many IP inspect rules:
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
Do these open dynamic outbound rules based on interesting traffic, then close the rule after use?
05-06-2008 04:57 AM
Hi,
This config shows two different "rules", which consist of "outbound" and "SDM_LOW". These need to be applied to an interface and designated as inbound or outbound. Once this is done, a dynamic ACL is created for the session and essentially acts as a stateful firewall. Sometimes you can see the rules if you do a 'show access-list' command, but because they are dynamic you may not see the rules.
Steve
05-06-2008 05:44 AM
Right I've now got:
ip inspect name outbound tcp router-traffic
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
ip inspect name outbound cuseeme
ip inspect name outbound dns
ip inspect name outbound h323
ip inspect name outbound https
ip inspect name outbound imap
ip inspect name outbound pop3
ip inspect name outbound netshow
ip inspect name outbound rcmd
ip inspect name outbound realaudio
ip inspect name outbound rtsp
ip inspect name outbound esmtp
ip inspect name outbound sqlnet
ip inspect name outbound streamworks
ip inspect name outbound tftp
ip inspect name outbound vdolive
On the dialer 1:
interface Dialer1
 ip inspect outbound out
Is it normal to have this many inspects, or is this too many?
Is it normal to just have it on the Dialer1 as outbound only? I have seen some examples where they have IP inspects on their VLAN as inbound too.
05-06-2008 10:32 AM
Hi Andy,
IMHO, I would inspect whatever protocols I want to allow from the trusted zone (internal).
For a very simple network it's OK to do as follows:
ip inspect name outbound http
ip inspect name outbound https
ip inspect name outbound dns
ip inspect name outbound icmp
You can apply it to either the inbound interface or the outbound interface.
Note: Don't forget to use ACLs to deny all traffic except the particular traffic you want to allow from the outside to the inside.
E.g.:
ip access-list extended allow-some
 remark only SMTP to the mail host a.b.c.d is allowed in unsolicited; replies to inspected sessions are opened dynamically
 permit tcp any host a.b.c.d eq 25
 deny ip any any
!
interface Dialer0
 ip inspect outbound out
 ip access-group allow-some in
!
!
Please check this link out!
Hope this helps
Thot
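Added example (not from this thread or from Cisco): a small Python model of what the replies above describe. "ip inspect outbound out" on the dialer opens a per-session dynamic entry for each inspected protocol so the reply gets back in, while unsolicited inbound traffic falls through to the static inbound ACL and its trailing deny. The LAN prefix, addresses, ports and idle timeout are constructed, and NAT is ignored.

```python
from dataclasses import dataclass, field

def is_inside(ip: str) -> bool:
    return ip.startswith("192.168.1.")  # constructed LAN 192.168.1.0/24; NAT is ignored

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    t: float  # seconds, drives the idle timeout

@dataclass
class CbacFirewall:
    inspected: set               # protocols named in "ip inspect name outbound <proto>"
    static_in: list              # permits of the inbound ACL on the dialer: (proto, dst, dport)
    idle_timeout: float = 30.0   # constructed; real IOS defaults are much longer
    sessions: dict = field(default_factory=dict)

    def allow(self, pkt: Packet) -> str:
        # Drop dynamic entries that have been idle longer than the timeout.
        self.sessions = {k: t for k, t in self.sessions.items() if pkt.t - t < self.idle_timeout}
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            # Outbound is not filtered, but only inspected protocols get a dynamic
            # entry that lets the reply back in past the inbound ACL.
            if pkt.proto not in self.inspected:
                return "permit-uninspected"
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.t
            return "permit-open-session"
        # Inbound on the outside interface: dynamic entry first, then the static ACL.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            self.sessions[key] = pkt.t  # refresh the idle timer
            return "permit-dynamic"
        if (pkt.proto, pkt.dst, pkt.dport) in self.static_in:
            return "permit-static-acl"
        return "deny"  # the ACL's trailing "deny ip any any"

def demo() -> list:
    fw = CbacFirewall({"tcp", "udp", "dns", "icmp"}, [("tcp", "192.168.1.25", 25)])
    return [
        fw.allow(Packet("tcp", "192.168.1.5", 40000, "198.51.100.1", 80, 0.0)),   # outbound HTTP
        fw.allow(Packet("tcp", "198.51.100.1", 80, "192.168.1.5", 40000, 1.0)),   # its reply
        fw.allow(Packet("tcp", "198.51.100.9", 5555, "192.168.1.5", 3389, 2.0)),  # unsolicited
        fw.allow(Packet("tcp", "198.51.100.9", 5555, "192.168.1.25", 25, 3.0)),   # SMTP via ACL
        fw.allow(Packet("tcp", "198.51.100.1", 80, "192.168.1.5", 40000, 40.0)),  # reply after idle
    ]
```

The last case shows why a reply that arrives after the dynamic entry has aged out is treated like any other unsolicited packet.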