05-20-2008 02:39 PM - edited 03-05-2019 11:06 PM
Can anyone explain the difference between the following commands
ip inspect name outbound http
ip inspect name outbound https
ip inspect name outbound dns
ip inspect name outbound icmp
compared to
ip inspect name outbound tcp
ip inspect name outbound udp
Wouldn't these two latter commands encompass the http, https, dns, icmp commands above?
05-20-2008 03:36 PM
Yes, the last two would include HTTP, HTTPS and DNS, as they are TCP (DNS can sometimes be used with UDP also). ICMP is separate, so you would still need
ip inspect name outbound icmp
The reason that you might not want all TCP traffic is that you might have another device already providing IP inspection. Or a packet could be dropped because IOS thinks it's "not quite right" when it's perfectly valid, etc.
05-20-2008 07:30 PM
There is a big difference in functionality of those commands.
TCP/UDP inspection simply maintains state for TCP/UDP connections, whereas the more specific entries check for things specific to HTTP/HTTPS/DNS.
05-21-2008 12:16 AM
Thanks for your help
If I created inspect rules for DNS, HTTP etc, would those protocols not listed still be allowed through the firewall if the ACL allows it?
05-21-2008 12:26 AM
As SRUE said, with the layer-4 protocol-specific entries in there the IOS router performs application inspection. If you just specify TCP/UDP then the router doesn't look deeper into the packets and certain protocols won't work - H.323 & SIP, for example, negotiate additional connections over the signalling channel to set up the RTP streams.
Andy
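To show how the two styles of inspect rule fit together with an ACL on an interface, here is an added example configuration (not from any poster in this thread); the interface name, ACL number and inspect rule names are assumed. The inbound ACL on the outside interface blocks everything, and CBAC only opens temporary return-traffic entries for sessions it has inspected, so a protocol missing from the rule can still leave the router if nothing stops it outbound, but its replies are dropped (and logged) by the ACL.

```cisco
! Style 1: generic inspection only - stateful tracking of TCP/UDP sessions,
! no application-layer checks (as described in the thread above)
ip inspect name GENERIC tcp
ip inspect name GENERIC udp
ip inspect name GENERIC icmp
!
! Style 2: application inspection for the protocols that need it, with
! tcp/udp kept as a catch-all so other sessions still get return-traffic entries
ip inspect name OUTBOUND http
ip inspect name OUTBOUND dns
ip inspect name OUTBOUND icmp
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Inbound ACL on the outside interface: nothing gets in unless inspection
! created a dynamic opening for it; log the rest so dropped replies are visible
access-list 110 deny ip any any log
!
interface FastEthernet0/1
 description OUTSIDE (assumed interface name)
 ip access-group 110 in
 ip inspect OUTBOUND out
!
! Verification: list inspected sessions and the configured rules
! show ip inspect sessions
! show ip inspect config
```

Swap `ip inspect OUTBOUND out` for `ip inspect GENERIC out` on the interface to compare the two styles; the ACL stays the same in both cases.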