What is this default config doing?..ip inspect

Answered Question
Dec 2nd, 2009

Perhaps this is a discusstion on ip inspect...I looked here but it didnt provide an answer on what exaclty it does?

http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/application/notes/FPLCY-an.pdf

My 1811. is shipped with the following

ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!

However, do these have to be applied to an interface in order to make it work?

I see it here

iinterface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto


But what exaclty is it doing?..is it just looking at packets cusemee, ftp, h323 etc?

what action is it taking?.........what if i remove that staement?  is this causing a huge load on my router becuase of inspection?

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 7 years 1 week ago

nygenxny123 wrote:

ok..so if these ip inspects are applied to an interface the interface will FW on those listed protocols...allowing them.

but as with a fw...isnt there an implied deny at the end of all rules?

so wouldnt the interface not allow any protocols ..other than the ones listed in the IP inspect?

Well yes, but bear in mind that you have 3 generic inspect statements ie.

ip inspect name DEFAULT 100 icmp

ip inspect name DEFAULT100 tcp

ip inspect name DEFAULT100 udp

which covers pretty much all IP based applications.

If you needed to allow some other protocol through such as GRE then you would need to explicitly allow in your acl.

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Collin Clark Wed, 12/02/2009 - 09:01

It's turning on stateful inspection for the protocols listed and that are leaving interface FastEthernet0. It's turning the router into a stateful router/firewall. If you remove it, the inspection will stop. The inspection makes sure that if the application wants to change ports, the router will allow it and can track the TCP state of the application traversing and on the appropriate ports. The load really depends on how much traffic is flowing through the interface. Generally speaking it doesn't take up too many resources.

Hope it helps.

Jon Marshall Wed, 12/02/2009 - 09:04

nygenxny123 wrote:

Perhaps this is a discusstion on ip inspect...I looked here but it didnt provide an answer on what exaclty it does?

http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/application/notes/FPLCY-an.pdf

My 1811. is shipped with the following

ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!

However, do these have to be applied to an interface in order to make it work?

I see it here

iinterface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto


But what exaclty is it doing?..is it just looking at packets cusemee, ftp, h323 etc?

what action is it taking?.........what if i remove that staement?  is this causing a huge load on my router becuase of inspection?

Inspect ... is the way you configure CBAC (Context Based Access Control) which is Cisco's firewall for the IOS router.

Yes they need to be applied to an interface.

Yes there is an overhead on the router because this is done in software, not hardware.

If you remove the "ip inspect ..." interface command then it won't do firewalling.

As well as generic stateful firewall capabilities such as TCP/UDP inspect can also understand certain apps/protocols to a greater level eg h323, sqlnet, estmp. Often this extra understanding is there because these protocols do funny things with ports eg. ftp/sqlnet etc..

Have a read of this link for more details -

https://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html

Jon

nygenxny123 Thu, 12/03/2009 - 11:05

ok..so if these ip inspects are applied to an interface the interface will FW on those listed protocols...allowing them.

but as with a fw...isnt there an implied deny at the end of all rules?

so wouldnt the interface not allow any protocols ..other than the ones listed in the IP inspect?

Correct Answer
Jon Marshall Thu, 12/03/2009 - 11:13

nygenxny123 wrote:

ok..so if these ip inspects are applied to an interface the interface will FW on those listed protocols...allowing them.

but as with a fw...isnt there an implied deny at the end of all rules?

so wouldnt the interface not allow any protocols ..other than the ones listed in the IP inspect?

Well yes, but bear in mind that you have 3 generic inspect statements ie.

ip inspect name DEFAULT 100 icmp

ip inspect name DEFAULT100 tcp

ip inspect name DEFAULT100 udp

which covers pretty much all IP based applications.

If you needed to allow some other protocol through such as GRE then you would need to explicitly allow in your acl.

Jon

Actions

This Discussion