Cisco Support Community
Community Member

ip inspect and blocking

Hello

My config:

  ip inspect name CBAC tcp timeout 10
  ip inspect max-incomplete high 100
  !
  int fa0/1
   ip access-group permit_all in
  !
  int fa0/2
   ip access-group permit_all in
   ip inspect CBAC in

The access-list on both interfaces accepts all IP traffic.

What happens when:

1. An incoming TCP SYN packet arrives on fa0/1 and a TCP session is built. I assume that this session will not be inspected?

2. A TCP session is initiated from the fa0/2 interface. Such a session will be inspected, and after 10 seconds of idle:

a) when a packet within this session is received on fa0/1, will it be accepted?

b) when a packet within this session is received on fa0/2, will it be dropped?

3. When a TCP ACK packet is received on fa0/2 but there is no session which matches this packet, will it be dropped?

4. Only 100 half-open sessions are accepted, but only when initiated from fa0/2; when initiated from fa0/1 there is no limit?

Thanks

3 REPLIES
Community Member

ip inspect and blocking

Here are the answers to your questions.

1. An incoming TCP SYN packet arrives on fa0/1 and a TCP session is built. I assume that this session will not be inspected?

2. A TCP session is initiated from the fa0/2 interface. Such a session will be inspected, and after 10 seconds of idle:

a) when a packet within this session is received on fa0/1, will it be accepted?

b) when a packet within this session is received on fa0/2, will it be dropped?

3. When a TCP ACK packet is received on fa0/2 but there is no session which matches this packet, will it be dropped?

4. Only 100 half-open sessions are accepted, but only when initiated from fa0/2; when initiated from fa0/1 there is no limit?

1. Yes, this session will not be inspected.

2. a) No. After the session has gone idle, it will be removed and the next packet should have the SYN flag, not ACK.

   b) Yes, they will not be dropped.

3. Yes.

4. This value is defined globally, not per interface.

Puneet

Community Member

Re: ip inspect and blocking

Thanks for the answers.

Community Member

Re: ip inspect and blocking

Thanks for the answers.

2. a) The next packet should have SYN only for a new session. There might be network stalls or application problems, and the application resends an ACK segment which arrives after the router has cleared the connection (both endpoints of this connection believe it is still alive). But it will arrive on the interface which is not inspected. Should "yes" (packet permitted) not be the answer to my question?

4. The value is defined globally, but inspection is enabled only on fa0/2, so am I correct in point 4 or not?
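A small model of the inspection rules discussed in this thread, added here as an illustration. It is not Cisco code and not a statement of how IOS implements CBAC internally; it encodes the posts' reading of the config (only fa0/2 inspected, permit-all ACLs, 10 s idle timeout, global half-open limit) and, for question 2a, the assumption that a packet on the uninspected interface is governed only by its ACL. The `max-incomplete high` handling is simplified to deleting the oldest half-open session (no low watermark).

```python
# Model of the CBAC behaviour described in the thread (constructed example, not IOS).
from dataclasses import dataclass, field


@dataclass
class CbacModel:
    inspected: set                 # interfaces carrying "ip inspect CBAC in"
    tcp_timeout: int               # "ip inspect name CBAC tcp timeout N" (seconds)
    max_incomplete_high: int       # global "ip inspect max-incomplete high N"
    sessions: dict = field(default_factory=dict)  # (src, dst) -> [state, last_seen]

    def _expire(self, now):
        # Question 2: a session idle longer than the TCP timeout is removed.
        self.sessions = {k: v for k, v in self.sessions.items()
                         if now - v[1] <= self.tcp_timeout}

    def half_open(self):
        return sum(1 for st, _ in self.sessions.values() if st == "half-open")

    def packet(self, iface, src, dst, flags, now):
        """Return 'permit' or 'drop' for a TCP packet; ACLs permit everything."""
        self._expire(now)
        key, rkey = (src, dst), (dst, src)
        for k in (key, rkey):
            if k in self.sessions:
                # ACK from the initiator completes the handshake (no longer half-open).
                if "ACK" in flags and k == key:
                    self.sessions[k][0] = "established"
                self.sessions[k][1] = now
                return "permit"
        if iface not in self.inspected:
            # Questions 1 and 2a: uninspected interface, only the ACL decides (permit all).
            return "permit"
        if flags == {"SYN"}:
            # Question 4: the half-open limit is global across inspected sessions
            # (simplified: at the high watermark the oldest half-open entry is deleted).
            if self.half_open() >= self.max_incomplete_high:
                oldest = min((k for k, v in self.sessions.items() if v[0] == "half-open"),
                             key=lambda k: self.sessions[k][1])
                del self.sessions[oldest]
            self.sessions[key] = ["half-open", now]
            return "permit"
        # Questions 2b and 3: non-SYN packet on the inspected interface with no session.
        return "drop"
```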
