Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
753
Views
0
Helpful
2
Replies

IP inspect in-out on same interface

jmaat
Level 1
Level 1

‎08-21-2009 01:26 AM - edited ‎03-06-2019 07:21 AM

Hi,

I am having a Cisco 2851 router with IOS firewall software(c2800nm-advipservicesk9-mz.124-15.T6.bin). I need to have two access-groups (one for in, and one for out) on the same interface.

Traffic initiated from this interface (so matched by the "in" access-list) is blocked by the "out" access-list. But in my opinion it shouldn't be blocked because the inspect configuration should permit it. Does somebody know what the problem is?

ip inspect name ABC udp

ip inspect name ABC x11

ip inspect name ABC tcp

!

interface GigabitEthernet0/0.12

description ABC_vlan

encapsulation dot1Q 12

ip address 1.2.3.4 255.255.254.0

ip access-group ABC_in in

ip access-group ABC_out out

ip inspect ABC in

ip inspect ABC out

!

ip access-list extended ABC_in

permit tcp 1.2.3.0 0.0.1.255 2.2.2.0 255.255.254.0 eq 6000

permit tcp 1.2.3.0 0.0.1.255 2.2.2.0 255.255.254.0 eq 3389

deny ip any any log

ip access-list extended ABC_out

permit tcp host 4.3.2.1 host 1.2.3.4 0.0.1.255 eq 445

deny ip any any log

abc#show ip inspect sess

Established Sessions

Session 47B88C00 (1.2.3.4:48318)=>(2.2.2.2:6000) x11 SIS_OPEN

!

abc#show log

Aug 21 11:21:45.411 CET: %SEC-6-IPACCESSLOGP: list ABC_out denied tcp 2.2.2.2(6000) -> 1.2.3.4(48318), 1 packet

*Modified the IP addresses, to fictual addresses *

Labels:
0 Helpful
2 Replies 2

Peter Paluch
Cisco Employee
Cisco Employee

‎08-21-2009 02:54 PM

Hello,

Do you need to have the "ip inspect" in both directions on your interface? I am not saying right now that it is not allowed but it is kind of unusual.

Second, from the output you have posted, I am confused by the "show log" output. It says that a packet destined to 1.2.3.4 was denied by the ABC_out. However, the ABC_out is applied on the Gi0/0.12 in the outbound direction (for packets going out that interface) and the IP 1.2.3.4 is the address of the Gi0/0.12 itself. From this it follows that the log entry describes an impossible situation:

1) The ABC_out could capture and drop this packet only if it was sent out the interface Gi0/0.12. However, a packet would never be sent out an interface if the interface's address is the same as the destination of the packet.

2) If the packet was coming into the Gi0/0.12 interface, the outbound ACL ABC_out was not consulted for that packet at all. It is thus impossible for it to log a drop.

Can you please double check the posted configuration and clarify this?

Best regards,

Peter

0 Helpful

jmaat
Level 1
Level 1
In response to Peter Paluch

‎08-24-2009 01:07 AM

Hi Paluchpeter,

Apparently I made a typo. (I adjusted the IP addresses, I also mentioned this in the post)

The IP address of the inferface should be 1.2.3.1

interface GigabitEthernet0/0.12

description ABC_vlan

encapsulation dot1Q 12

ip address 1.2.3.1 255.255.254.0

I need to have the in/out access-list on both directions, otherwise my access-list configuration will be very long. The rest of the interface are not having any restrictions.

I am sorry for the confusion,

Thanks and regards,

Jeroen

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card