IOS Firewall / IP inspect


I have inherited a large MPLS enterprise network. Many of the 100+ sites have a VPN failover. The IOS version is 12.4 Adv Security on 1760/2801 routers. Here is one example:

interface Ethernet0/1
 description BrightHouse cable $FW_OUTSIDE$
 ip address x.x.x.254 255.255.255.252
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 ip nbar protocol-discovery
 ip inspect standard in
 ip route-cache flow
 full-duplex
 no cdp enable
 crypto map myset


After reading up on IOS firewall, it seems that it should be applied outbound instead of inbound, since the connection would be initiated from the inside going out? Any input would be greatly appreciated!



Correct Answer by Istvan_Rabai, Tue, 11/18/2008 - 08:59

Yes, it should be "ip inspect standard out".


"ip inspect standard in" will inspect traffic initiated from outside in, but you need to inspect traffic that is initiated from inside out.


Be careful what traffic you allow into the network on access-list 103. That traffic can be initiated from outside and not be inspected by the firewall.


Cheers:

Istvan


Correct Answer by Collin Clark, Tue, 11/18/2008 - 07:45

I agree that it should be applied outbound. The firewall will track connection states and the majority of traffic is 'inside' to 'outside'. You can apply it inbound, but only if you'll be hosting services and generally the service would need to change ports (i.e. passive FTP); otherwise an ACL should suffice on the outside interface.


Hope that helps.
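Putting the two answers together, here is what the corrected outside interface looks like. This is an added example, not configuration from the thread or from Cisco; the inspection rule name "standard", ACL 103, the interface and the crypto map come from the question, while the peer address 198.51.100.1 and the protocols inspected are assumptions.

```cisco
! Added example, not from the original thread. 198.51.100.1 is a
! placeholder for the remote VPN peer; x.x.x.254 is the question's
! redacted outside address.
!
! Inspection rule "standard" (name taken from the question). Which
! protocols to inspect is assumed; adjust to what the sites actually run.
ip inspect name standard tcp
ip inspect name standard udp
ip inspect name standard icmp
!
! Inbound ACL on the outside interface. With the inspect rule applied
! "out", CBAC adds temporary entries in front of this ACL for the return
! traffic of sessions that started from inside. Anything that must be
! initiated from outside (here only the IPsec peer) has to be permitted
! explicitly, and that traffic is NOT inspected, as Istvan warns.
access-list 103 remark --- IPsec VPN peer (placeholder address) ---
access-list 103 permit udp host 198.51.100.1 any eq isakmp
access-list 103 permit udp host 198.51.100.1 any eq non500-isakmp
access-list 103 permit esp host 198.51.100.1 any
access-list 103 remark --- everything else is dropped and logged ---
access-list 103 deny ip any any log
!
interface Ethernet0/1
 description BrightHouse cable $FW_OUTSIDE$
 ip address x.x.x.254 255.255.255.252
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 ! before: "ip inspect standard in" only tracked sessions coming from outside
 ip inspect standard out
 crypto map myset
```

After an inside host opens a session, "show ip inspect sessions" lists it and "show ip access-lists 103" shows the dynamic entry that lets its return traffic back in.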
