11-18-2008 07:22 AM - edited 03-04-2019 12:23 AM
I have inherited a large MPLS enterprise network. Many of the 100+ sites have a VPN failover. The IOS version is 12.4 Adv Security on 1760/2801 routers. Here is one example:
interface Ethernet0/1
description BrightHouse cable $FW_OUTSIDE$
ip address x.x.x.254 255.255.255.252
ip access-group 103 in
ip verify unicast reverse-path
no ip redirects
ip nbar protocol-discovery
ip inspect standard in
ip route-cache flow
full-duplex
no cdp enable
crypto map myset
After reading up on IOS firewall, it seems that it should be applied outbound instead of inbound, since the connection would be initiated from the inside going out? Any input would be greatly appreciated!
11-18-2008 07:45 AM
I agree that it should be applied outbound. The firewall will track connection states, and the majority of traffic is 'inside' to 'outside'. You can apply it inbound, but only if you'll be hosting services, and generally the service would need to change ports (i.e. passive FTP); otherwise an ACL should suffice on the outside interface.
Hope that helps.
11-18-2008 08:59 AM
Yes, it should be "ip inspect standard out".
"ip inspect standard in" will inspect traffic initiated from outside in, but you need to inspect traffic that is initiated from inside out.
Be careful what traffic you allow into the network on access-list 103. That traffic can be initiated from outside and not be inspected by the firewall.
Cheers:
Istvan
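The change both replies describe, written out as an added example (this is not a configuration from the original post or from Cisco): the inspection rule moves from in to out on the outside interface, and access-list 103 is reduced to what the outside genuinely has to initiate, which on this interface is the IKE and ESP traffic for the VPN failover. The contents of the "standard" inspection rule, the peer address PEER_IP and the whole body of access-list 103 are assumptions, since the thread shows none of them.

```cisco
! Added example, not from the thread. The original post only shows the
! rule name "standard"; the protocols below are an assumed definition.
ip inspect name standard tcp
ip inspect name standard udp
ip inspect name standard icmp
ip inspect name standard ftp
!
! Assumed replacement for access-list 103 (the thread does not show it).
! Only sessions the outside must initiate are listed: IKE (UDP 500),
! NAT-T (UDP 4500) and ESP from the VPN peer. Return traffic for sessions
! started on the inside needs no entry here; once inspection runs
! outbound, CBAC opens those returns dynamically and closes them again.
! PEER_IP is a placeholder for the remote VPN gateway's address.
! On IOS trains that still run decrypted VPN traffic through the inbound
! ACL, the remote sites' private subnets need permits here as well.
no access-list 103
access-list 103 remark outside-in: only the VPN peer may initiate
access-list 103 permit udp host PEER_IP host x.x.x.254 eq isakmp
access-list 103 permit udp host PEER_IP host x.x.x.254 eq non500-isakmp
access-list 103 permit esp host PEER_IP host x.x.x.254
access-list 103 deny ip any any log
!
interface Ethernet0/1
 description BrightHouse cable $FW_OUTSIDE$
 ip address x.x.x.254 255.255.255.252
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 ip nbar protocol-discovery
 ! Remove the inbound rule explicitly; adding "out" does not replace "in".
 no ip inspect standard in
 ip inspect standard out
 ip route-cache flow
 full-duplex
 no cdp enable
 crypto map myset
```

After the change, `show ip inspect interfaces` should list the rule as outbound only on Ethernet0/1, `show ip inspect sessions` should show the inside-initiated flows being tracked, and the hit count on the final deny line of `show ip access-lists 103` shows what the outside attempted to start and was refused.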
11-18-2008 08:57 AM
Thanks for the input - just wanted a second pair of eyes to verify I was interpreting it correctly.