ip inspect generic tcp or udp

Unanswered Question
Jul 14th, 2009


When we are using Cisco IOS firewall on an ISR we can enable generic ip inspection as tcp or udp. When this is done, why is it necessary to inspect application protocols like say telnet, http, Kazza_Version2 etc., as all these protocols are tcp (protocol number 5) which we are inspecting? Why is it necessary to inspect ports for say 23, or 80, or SMTP 25?

Please share the experience.

Any explanation on cisco.com or on any other URL is highly appreciated.

Thanks in advance.


Istvan_Rabai Tue, 07/14/2009 - 05:57

Hi Subodh,

Generic tcp or udp inspection inspects traffic for conformance to RFCs describing tcp and udp protocols.

When you enable the application level inspection, the inspection engine inspects packets deeper, into the application level, in addition to generic tcp or udp protocol inspection of the same packet.

For example, when you inspect http traffic, you can inspect for java applets.

When you inspect smtp, the inspection engine inspects for the format and contents of mails passing through the firewall.

All this results in a more thorough and scrupulous inspection of packets passing through the firewall in order to protect the internal parts of the network from attacks or intrusions.



Joseph W. Doherty Tue, 07/14/2009 - 06:05

If you enable generic inspection (TCP or UDP), then there isn't a point in also having granular protocol inspection for the same base protocol (TCP/UDP). The purpose of granular protocol inspection is to be more restrictive than generic.

From config guide:

"The Cisco IOS Firewall performs inspections for TCP and UDP traffic. For example, TCP inspections include Telnet traffic (port 23, by default) as well as all other applications on TCP such as Hypertext Transfer Protocol (HTTP), e-mail, instant message (IM) chatter, and so on. Therefore, there is no easy way to inspect Telnet traffic alone and deny all other TCP traffic.

The Granular Protocol Inspection feature allows you to specify TCP or UDP ports using the PAM table. As a result, the Cisco IOS Firewall can restrict traffic inspections to specific applications, thereby permitting a higher degree of granularity in selecting which protocols are to be permitted and denied as shown in Figure 32. "


Above from: http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_gran_protcl_insp_ps6350_TSD_Products_Configuration_Guide_Chapter.html


Reading Istvan's post, I could see where our two posts might cause confusion.

Istvan is correct that specific application inspections can provide a higher level of security when used with generic inspection. For example, such inspection exists for some of the protocols you ask about: HTTP (http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_http_insp_eng_ps6350_TSD_Products_Configuration_Guide_Chapter.html) and SMTP (http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_email_insp_eng_ps6350_TSD_Products_Configuration_Guide_Chapter.html and http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_esmtp_fwall_supp_ps6350_TSD_Products_Configuration_Guide_Chapter.html), but not for telnet (I believe). Also, granular "knows" telnet, http, smtp, esmtp, but only at the "port" number.
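To make the distinction in the two answers above concrete, here is an added configuration example (not part of this thread and not taken from the Cisco guides linked above) that places a generic TCP/UDP rule beside a granular, per-application rule on one ISR. The rule names FW_GENERIC and FW_GRANULAR, the interface GigabitEthernet0/0, ACL numbers 110 and 51, the address range 192.0.2.0/24 and the port 8080 for the user-defined application are all assumed values chosen for the example.

```cisco
! Added example (not from the thread): two CBAC inspection rules on a single ISR.
! Assumed names: FW_GENERIC, FW_GRANULAR, GigabitEthernet0/0 (outside), ACLs 110 and 51.

! --- Rule 1: generic TCP/UDP inspection ---
! Every TCP or UDP session leaving through the outside interface is tracked and its
! return traffic is permitted, whatever the destination port. Only the transport
! header and session state are checked, not the application payload.
ip inspect name FW_GENERIC tcp
ip inspect name FW_GENERIC udp

! --- Rule 2: granular (per-application) inspection ---
! Only sessions whose destination port matches the PAM entry for the named
! application are inspected and opened. telnet is matched at the port level
! only (TCP 23); http and smtp add application-layer checks on top of that.
ip inspect name FW_GRANULAR telnet
ip inspect name FW_GRANULAR http java-list 51
ip inspect name FW_GRANULAR smtp
! A custom application is registered in the PAM table (user- prefix required)
! and then inspected at the port level like any other entry (assumed port 8080).
ip port-map user-intranet port tcp 8080
ip inspect name FW_GRANULAR user-intranet

! Block all unsolicited inbound traffic on the outside interface; inspection
! dynamically opens return paths only for sessions it has tracked.
access-list 110 deny ip any any log
! Java applets are only accepted from this (assumed) trusted server range.
access-list 51 permit 192.0.2.0 0.0.0.255

interface GigabitEthernet0/0
 description outside
 ip access-group 110 in
 ! Apply one rule per direction. With FW_GENERIC every TCP port is opened;
 ! with FW_GRANULAR only 23, 80, 25 and 8080 are, and http/smtp get deeper checks.
 ip inspect FW_GRANULAR out

! Verification:
!   show ip inspect config    - inspection rules and the protocols in each
!   show ip port-map          - PAM table, including the user-intranet entry
!   show ip inspect sessions  - sessions currently opened through the firewall
```

Swapping `ip inspect FW_GRANULAR out` for `ip inspect FW_GENERIC out` is the quickest way to see the difference Joseph describes: with the generic rule, `show ip inspect sessions` will list outbound sessions on any TCP port, while with the granular rule only sessions to the ports named in the PAM table appear, and anything else is dropped by ACL 110 on the way back in.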

