ip inspect and blocking

Dec 22nd, 2011

Hello


My config:

ip inspect name CBAC tcp timeout 10
ip inspect max-incomplete high 100
!
int fa0/1
 ip access-group permit_all in
!
int fa0/2
 ip access-group permit_all in
 ip inspect CBAC in


The access-list on both interfaces accepts all IP traffic.

What happens when:

1. An incoming TCP SYN packet arrives on fa0/1 and a TCP session is built. I assume that this session will not be inspected?

2. A TCP session is initiated from the fa0/2 interface. Such a session will be inspected - and after 10 seconds of idle:

a) When a packet within this session is received on fa0/1, will it be accepted?

b) When a packet within this session is received on fa0/2, will it be dropped?

3. When a TCP ACK packet is received on fa0/2 but there is no session which matches this packet, will it be dropped?

4. Only 100 half-open sessions are accepted, but only when initiated from fa0/2; when initiated from fa0/1 there is no limit?


Thanx

puseth Thu, 12/22/2011 - 14:05

Here are the answers to your questions.


1. An incoming TCP SYN packet arrives on fa0/1 and a TCP session is built. I assume that this session will not be inspected?

2. A TCP session is initiated from the fa0/2 interface. Such a session will be inspected - and after 10 seconds of idle:

a) When a packet within this session is received on fa0/1, will it be accepted?

b) When a packet within this session is received on fa0/2, will it be dropped?

3. When a TCP ACK packet is received on fa0/2 but there is no session which matches this packet, will it be dropped?

4. Only 100 half-open sessions are accepted, but only when initiated from fa0/2; when initiated from fa0/1 there is no limit?


1. Yes, this session will not be inspected.

2. a) No, after the session has gone idle, it will be removed and the next packet should have the SYN flag, not ACK.

   b) Yes, they will not be dropped.

3. Yes.

4. This value is defined globally, not per interface.



Puneet

mlopacinski Thu, 12/22/2011 - 23:10

Thanx for the answers.

2. a) The next packet should have SYN only for a new session. There might be network stalls or application problems, and the application resends an ACK segment which arrives after the router has cleared the connection (both endpoints of this connection believe it's still alive). But it will arrive on an interface which is not inspected. Shouldn't "yes" (packet permitted) be the answer to my question?

4. The value is defined globally, but inspection is enabled only on fa0/2, so am I correct in point 4 or not?
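An added example, not part of this thread: a small Python model of the questioner's configuration (inspection inbound on fa0/2 only, permit-all ACLs on both interfaces, 10 s TCP idle timeout, global half-open limit of 100) that replays the four questions. The rules it applies are modelling assumptions taken from the thread's description, not verified IOS behaviour: a non-SYN packet with no session on the inspected interface is dropped, the uninspected interface is governed only by its ACL, and the oldest half-open session is removed when the limit is exceeded; addresses and timestamps are constructed.

```python
# Added example (not from this thread): a minimal model of the questioner's setup,
# inspection inbound on fa0/2 only, permit-all ACLs on both interfaces.
from collections import OrderedDict

IDLE_TIMEOUT = 10        # ip inspect name CBAC tcp timeout 10
MAX_HALF_OPEN = 100      # ip inspect max-incomplete high 100 (global counter)
INSPECT_IN = {"fa0/2"}   # ip inspect CBAC in (fa0/1 has no inspection)

class Inspector:
    def __init__(self):
        self.sessions = OrderedDict()   # flow key -> {"seen": t, "half_open": bool}

    def packet(self, iface, src, dst, flags, now):
        """Return 'accept' or 'drop' for one TCP segment; flags is a set of 'SYN'/'ACK'."""
        for k in [k for k, s in self.sessions.items() if now - s["seen"] >= IDLE_TIMEOUT]:
            del self.sessions[k]        # idle sessions are cleared before the lookup
        key = frozenset({src, dst})     # both directions map to the same session
        if iface not in INSPECT_IN:     # only the inbound ACL applies here: permit all
            if key in self.sessions:
                self.sessions[key]["seen"] = now
            return "accept"
        if key in self.sessions:
            s = self.sessions[key]
            s["seen"] = now
            if "SYN" not in flags:
                s["half_open"] = False  # handshake completed from the inspected side
            return "accept"
        if flags == {"SYN"}:
            self.sessions[key] = {"seen": now, "half_open": True}
            half = [k for k, s in self.sessions.items() if s["half_open"]]
            if len(half) > MAX_HALF_OPEN:
                del self.sessions[half[0]]  # assumption: oldest half-open session is dropped
            return "accept"
        return "drop"                   # no session and not a SYN (question 3)

def run_thread_scenarios():
    fw, c, srv = Inspector(), ("10.0.0.1", 40000), ("10.0.1.1", 80)   # constructed
    r = {"q1": fw.packet("fa0/1", c, srv, {"SYN"}, 0)}        # fa0/1 is not inspected
    r["q1_sessions"] = len(fw.sessions)                         # so no state is created
    r["q2_syn"] = fw.packet("fa0/2", srv, c, {"SYN"}, 1)        # inspected session created
    r["q2a"] = fw.packet("fa0/1", c, srv, {"ACK"}, 12)          # 11 s idle, uninspected side
    r["q2b"] = fw.packet("fa0/2", srv, c, {"ACK"}, 12)          # 11 s idle, inspected side
    r["q3"] = fw.packet("fa0/2", ("10.0.1.9", 5555), ("10.0.0.5", 25), {"ACK"}, 13)
    for i in range(101):                                        # question 4: 101 half-open
        fw.packet("fa0/2", ("10.0.1.1", 1000 + i), ("10.0.0.2", 443), {"SYN"}, 20)
    r["q4_half_open"] = sum(1 for s in fw.sessions.values() if s["half_open"])
    return r
```

Under these assumptions the late ACK of question 2 passes on fa0/1 but is dropped on fa0/2, and the half-open counter only ever sees sessions that were initiated through the inspected interface.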
