
New Member

IOS Firewall and IP Inspect

Can someone please tell me what the IP Inspect commands accomplish that can't be done with access lists?

thanks

3 REPLIES
Cisco Employee

Re: IOS Firewall and IP Inspect

IP Inspection, i.e. CBAC, works at application layer. CBAC filters TCP and UDP packets based on application-layer protocol session information.

The process generates ACLs dynamically to allow traffic in which is part of the same stream that was initiated from the inside.

More info on this at the URL below:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm

Hope this helps,

Yatin

New Member

Re: IOS Firewall and IP Inspect

Thanks

So to allow any traffic from outside I need access-lists?? If I don't create any, will all traffic be allowed? And if I do create one, will all traffic not specifically permitted be denied??

Thanks

Cisco Employee

Re: IOS Firewall and IP Inspect

Any outside-initiated traffic that you need to allow, you have to permit by an ACL on the outside interface in the inbound direction. Only this permitted traffic will be allowed to be initiated from outside; other traffic not matching the ACL will be dropped unless it was initiated on the inside and was inspected going out.

If nothing is allowed in and the inspection is done outbound on the outside interface, then no traffic initiated on the outside will be allowed in.

Hope this clears things up a bit.

Thanks,

yatin
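An added configuration example (not from this thread or from Cisco's documentation) showing the arrangement described in the replies: a CBAC inspect rule applied outbound on the outside interface, and an inbound ACL on that same interface that permits only the outside-initiated services you need. The interface name, addresses, inspect name and service ports are assumed.

```cisco
! Inspect rule: CBAC tracks sessions initiated from the inside and
! dynamically opens the return traffic inbound, bypassing OUTSIDE-IN.
! (Names, addresses and ports below are assumed for this example.)
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT ftp
! Log session creation/teardown so inspected flows are visible in syslog
ip inspect audit-trail

! Inbound ACL on the outside interface: only outside-initiated traffic
! explicitly permitted here gets in; everything else is dropped
! (the implicit deny is made explicit and logged for visibility).
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 25
 permit tcp any host 203.0.113.10 eq 80
 deny ip any any log

interface FastEthernet0/0
 description Outside
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect FW-INSPECT out

! Checks after applying:
!   show ip inspect sessions   - active inside-initiated sessions
!   show ip inspect config     - confirms the rule and interface binding
!   show access-lists OUTSIDE-IN - hit counts, including logged denies
```

Without the inspect rule, OUTSIDE-IN would also block the return packets of connections opened from inside; with it, those return flows are admitted per session while unsolicited outside traffic still falls through to the deny.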
