IOS Firewall / IP inspect

nelsonm
Level 1

I have inherited a large MPLS enterprise network. Many of the 100+ sites have a VPN failover. The IOS version is 12.4 Adv Security on 1760/2801 routers. Here is one example:

interface Ethernet0/1
 description BrightHouse cable $FW_OUTSIDE$
 ip address x.x.x.254 255.255.255.252
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 ip nbar protocol-discovery
 ip inspect standard in
 ip route-cache flow
 full-duplex
 no cdp enable
 crypto map myset

After reading up on IOS firewall, it seems that it should be applied outbound instead of inbound, since the connection would be initiated from the inside going out? Any input would be greatly appreciated!

2 Accepted Solutions

Collin Clark
VIP Alumni

I agree that it should be applied outbound. The firewall will track connection states, and the majority of traffic is 'inside' to 'outside'. You can apply it inbound, but only if you'll be hosting services, and generally the service would need to change ports (i.e. passive FTP); otherwise an ACL should suffice on the outside interface.

Hope that helps.


Istvan_Rabai
Level 7

Yes, it should be "ip inspect standard out".

"ip inspect standard in" will inspect traffic initiated from outside in, but you need to inspect traffic that is initiated from inside out.

Be careful what traffic you allow into the network on access-list 103. That traffic can be initiated from outside and not be inspected by the firewall.

Cheers,

Istvan

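A toy model of the direction rule behind both answers, added here as an illustration (it is not Cisco code and not from the thread); the OutsideInterface class, the hosts and the ports are constructed:

```python
"""Toy model of the CBAC direction rule the thread discusses. Added illustration,
not Cisco code: "ip inspect <name> <dir>" inspects sessions leaving the interface
in <dir> and opens a temporary return entry that bypasses the ACL applied in the
opposite direction. Hosts and ports are constructed sample values."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class OutsideInterface:
    inspect_dir: str                           # "in" or "out" in "ip inspect standard <dir>"
    acl103_permit_ports: set = field(default_factory=set)  # static permits, "ip access-group 103 in"
    sessions: set = field(default_factory=set)             # CBAC dynamic return-path entries

    def send(self, pkt: Packet) -> bool:
        """Inside -> outside. No outbound ACL on this interface, so always forwarded."""
        if self.inspect_dir == "out":
            # CBAC sees the inside-initiated session and records the expected reply.
            self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def receive(self, pkt: Packet) -> bool:
        """Outside -> inside. CBAC return entries are consulted before ACL 103."""
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return True
        # With "ip inspect standard in", only outside-initiated sessions that ACL 103
        # already permits get inspected; inspection adds no permits in this direction.
        return pkt.dport in self.acl103_permit_ports

def reply_to_inside_initiated_session(inspect_dir: str) -> bool:
    """Inside host browses an outside web server; does the reply make it back in?"""
    fw = OutsideInterface(inspect_dir)
    fw.send(Packet("10.1.1.10", 40000, "203.0.113.5", 80))
    return fw.receive(Packet("203.0.113.5", 80, "10.1.1.10", 40000))

def outside_initiated_session(inspect_dir: str, permitted_ports: set) -> bool:
    """Outside host opens a connection to an inside server: ACL 103 alone decides."""
    fw = OutsideInterface(inspect_dir, acl103_permit_ports=permitted_ports)
    return fw.receive(Packet("198.51.100.7", 51000, "10.1.1.20", 22))

if __name__ == "__main__":
    print("inspect out, reply admitted:", reply_to_inside_initiated_session("out"))  # True
    print("inspect in, reply admitted: ", reply_to_inside_initiated_session("in"))   # False
    print("outside->in, ACL permits 22:", outside_initiated_session("in", {22}))     # True
```

The third case is Istvan's caveat: whatever access-list 103 permits statically reaches the inside regardless of where inspection is applied, so the inbound ACL, not the inspect rule, is what limits outside-initiated traffic.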

3 Replies
Thanks for the input - just wanted a second pair of eyes to verify I was interpreting it correctly.

