Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Should I inspect incoming requests from public side using IOS FW

say a small company with a 2 interface 2600 router is hosting a www server and also requires access to a ssh server. Please set aside the ideal 3 interface DMZ setup for a moment and just go with me on this. truncated config follows:

ip inspect name MYeth0 tcp

... and all the rest of the inspect services

ip inspect name MYser0 tcp

ip inspect name MYser0 www

int eth 0

ip access-group 100 in

ip inspect MYeth0 in

int ser 0

ip access-group 101 in

ip inspect MYser0 in ### here is my question

access-list 100 permit ip any any

access-list 101 permit tcp any host x.x.x.x www

access-list 101 permit tcp any host x.x.x.x 22

access-list 101 deny ip any any

The "ip inspect MYser0 in" is NOT required to allow access to the two services - the acls are sufficient enough to give access to them. What benefits are there to adding this inspect rule on the outside interface for this circumstance? OR is it actually better not to have it performance wise.

Then more specifically, if it is still a good idea to inspect, would it really need to do a "ip inspect name MYser0 www" or can it simply do a "ip inspect name MYser0 tcp" since it might not need to do a www inspection on www packets that are coming from their own server?

2 REPLIES
Cisco Employee

Re: Should I inspect incoming requests from public side using IO

Hi,

See my answers inline

The "ip inspect MYser0 in" is NOT required to allow access to the two services - the acls are sufficient enough to give access to them.

>> Correct it is not required

What benefits are there to adding this inspect rule on the outside interface for this circumstance? OR is it actually better not to have it performance wise.

>> Better not to have it, no additional benefits unless you are also having another "outbound" access-list on the ser0 or "inbound" access-list on eth0

Then more specifically, if it is still a good idea to inspect, would it really need to do a "ip inspect name MYser0 www" or can it simply do a "ip inspect name MYser0 tcp" since it might not need to do a www inspection on www packets that are coming from their own server?

>> not a good idea at all to do inspection on HTTP since it will slow down WWW traffic. Unless you want to block JAVA. TCP inspection is sufficient enough to do the job.

Thanks

Nadeem

Re: Should I inspect incoming requests from public side using IO

One disagreement here:

Q - What benefits are there to adding this inspect rule on the outside interface for this circumstance? OR is it actually better not to have it performance wise.

A - IP inspect does provide some level of DOS (Denial of Service) protection by monitoring the number of half-open connections as well as total connections through the router and to each individual host. Adding the inspect tcp to the serial interface will help to provide some level of protection to your internal servers.

I agree with the rest though.

Scott

88
Views
0
Helpful
2
Replies