ip inspect and blocking

mlopacinski
Level 1

Hello

My config:

ip inspect name CBAC tcp timeout 10
ip inspect max-incomplete high 100
!
interface fa0/1
 ip access-group permit_all in
!
interface fa0/2
 ip access-group permit_all in
 ip inspect CBAC in

The access list on both interfaces accepts all IP traffic.

What happens when:

1. An incoming TCP SYN packet arrives on fa0/1 and a TCP session is built. I assume that this session will not be inspected?

2. A TCP session is initiated from the fa0/2 interface. Such a session will be inspected, and after 10 seconds of idle:

a) when a packet within this session is received on fa0/1, will it be accepted?

b) when a packet within this session is received on fa0/2, will it be dropped?

3. When a TCP ACK packet is received on fa0/2 but there is no session which matches this packet, will it be dropped?

4. Only 100 half-open sessions are accepted, but only when initiated from fa0/2; when initiated from fa0/1 there is no limit?

Thanx

3 Replies

puseth
Level 1

Here are the answers to your questions.

1. An incoming TCP SYN packet arrives on fa0/1 and a TCP session is built. I assume that this session will not be inspected?

2. A TCP session is initiated from the fa0/2 interface. Such a session will be inspected, and after 10 seconds of idle:

a) when a packet within this session is received on fa0/1, will it be accepted?

b) when a packet within this session is received on fa0/2, will it be dropped?

3. When a TCP ACK packet is received on fa0/2 but there is no session which matches this packet, will it be dropped?

4. Only 100 half-open sessions are accepted, but only when initiated from fa0/2; when initiated from fa0/1 there is no limit?

1. Yes, this session will not be inspected.

2. a) No. After the session has gone idle it will be removed, and the next packet should have the SYN flag, not ACK.

   b) Yes, they will not be dropped.

3. Yes.

4. This value is defined globally, not per interface.

Puneet
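A toy model, added here and not written by either poster, of the behaviour the answers above describe for the config in the question: permit_all ACLs on both interfaces, inspection inbound only on fa0/2, a 10 s TCP idle timeout, and a global half-open threshold of 100. Session keys and timestamps are constructed; the model assumes (as IOS documents for max-incomplete high) that once the threshold is reached an existing half-open session is deleted to make room for the new SYN, and it treats a non-SYN segment with no matching session on the inspected interface as dropped.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 10          # ip inspect name CBAC tcp timeout 10
MAX_INCOMPLETE_HIGH = 100  # ip inspect max-incomplete high 100 (global, not per interface)


@dataclass
class Cbac:
    """Toy model: ACL permit_all on every interface, 'ip inspect CBAC in'
    only on the interfaces listed in `inspected`."""
    inspected: set
    # session key -> [last_seen, established]; a session stays half-open
    # until a pure ACK completes the handshake
    sessions: dict = field(default_factory=dict)

    def _expire(self, now):
        self.sessions = {k: v for k, v in self.sessions.items()
                         if now - v[0] <= IDLE_TIMEOUT}

    def half_open(self):
        return sum(1 for _, est in self.sessions.values() if not est)

    def packet(self, iface, key, flags, now):
        """Return 'permit' or 'drop' for a TCP segment arriving inbound on iface."""
        self._expire(now)
        if key in self.sessions:
            # Q2: traffic of a known session refreshes its idle timer from either side
            est = self.sessions[key][1] or flags == {"ACK"}
            self.sessions[key] = [now, est]
            return "permit"
        if iface not in self.inspected:
            # Q1 / Q2a: fa0/1 is not inspected, so only the ACL decides (permit_all)
            # and no session state is ever built from this side
            return "permit"
        if flags == {"SYN"}:
            # Q4: the threshold is global, but only inspected interfaces add to it;
            # at the threshold an existing half-open session is removed (assumption)
            if self.half_open() >= MAX_INCOMPLETE_HIGH:
                oldest = min((k for k, v in self.sessions.items() if not v[1]),
                             key=lambda k: self.sessions[k][0])
                del self.sessions[oldest]
            self.sessions[key] = [now, False]
            return "permit"
        # Q3 / Q2b: non-SYN segment with no matching session on the inspected interface
        return "drop"
```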

Thanx for the answers.

2. a) The next packet should have SYN only for a new session. There might be network stalls or application problems, and the application resends an ACK segment which will arrive after the router has cleared the connection (both endpoints of this connection believe it's still alive). But it will arrive on an interface which is not inspected. Should "yes" (packet permitted) not be the answer to my question?

4. The value is defined globally, but the inspection is enabled only on fa0/2, so am I correct in point 4 or not?
