CBAC/ IP Inspect

ciscors
Level 1

Cisco 3750

f0/0 - LAN interface
s0/0 - WAN interface to Internet

interface s0/0
 ip inspect inspect1 out

Now I know that traffic outbound from LAN users would be inspected through a state table. However, this network is also hosting a mail & web server and I've created a static NAT for them along with an access list rule applied inbound on s0/0.

With the above settings, will inbound traffic to the mail & web server be protected too? For example with the PIX, the fixup would only allow certain commands through to the SMTP server and this is the kind of protection I'm looking for. Should I apply the 'ip inspect' in another direction like this below or is my thinking incorrect?

int s0/0
 ip inspect inspect1 in

1) Will this command achieve what I am looking for?

2) Will the LAN-initiated traffic undergo double inspection in any way because of this new command?

3 Replies

ddawson
Level 1

One of the important things to remember with CBAC is that it has to "see" (i.e. "inspect") the first packet of a session in order to track the state for that session. This means that yes, you do need to inspect in the "in" direction if you want to apply the SMTP inspection to connections to your mail server. The PIX automatically inspects all traffic so this isn't an issue there. You can either use the same inspection rule set as you use in the out direction, or you can create a new one - they don't have to be the same (though they often are). For email and web sessions to simply work you can usually get by without this inbound inspection as long as you're not blocking outbound traffic from your server, since email and HTTP use simple TCP connections. However, protocols like FTP that involve multiple connections will require inbound inspection to work, since CBAC needs to see the first packet in order to allow subsequent incoming connections that are a part of the same FTP session.

The processing of your outbound LAN-initiated traffic won't be affected by the inbound inspection, since state information for it will already exist because it was inspected when the sessions were started. CBAC has to track the state of all sessions to make sure they're valid, so it's already "watching" the return traffic for those LAN-initiated sessions.

HTH - Good luck!

I like your explanation a lot. One follow-up question. I know my inbound mail/web traffic would work and is currently working without inspection. However, does 'ip inspect' work similarly to fixup? Fixup on the PIX allows only certain commands through to the SMTP server, thus preventing anybody from trying malicious hacking. Once I configure inspection for inbound traffic too, would it do something similar? PIX fixups also hide the SMTP banner, etc. when you telnet to port 25 from the Internet.

Yes, "ip inspect" in IOS is essentially the same as "fixup protocol" in the PIX (which, incidentally, has been changed to "inspect" in the new 7.0 PIX/ASA software - go figure).

To enable the SMTP functionality you want you'll need to add the command "ip inspect name YADDA smtp" to your configuration. This Cisco page documents the precise SMTP commands that this will allow:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_r/srprt3/srdcbac.htm#wp1020247

Good luck!
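Putting both replies together, here is an added example configuration (not from the thread or from Cisco) that applies one CBAC rule outbound for LAN-initiated sessions and a second rule inbound for the published mail and web servers, with static NAT and the inbound access list the original poster described. Interface names, access-list number, inspection rule names and all addresses (192.168.1.x inside, 203.0.113.x public, from the documentation range) are assumed placeholders.

```cisco
! Added example, not the thread's own configuration. All names and
! addresses below are constructed placeholders.
! Inside servers: mail 192.168.1.10, web 192.168.1.20
! Public addresses: 203.0.113.10 (mail), 203.0.113.20 (web)

! Rule for LAN-initiated sessions, applied "out" on the WAN interface.
! Inspecting the first outbound packet lets CBAC open temporary entries in
! the inbound ACL (110) for the return traffic of each session.
ip inspect name INSPECT_OUT tcp
ip inspect name INSPECT_OUT udp
ip inspect name INSPECT_OUT ftp

! Separate rule for Internet-initiated sessions, applied "in" on the WAN
! interface. The smtp keyword gives application-layer inspection: only the
! SMTP commands listed in the Cisco CBAC documentation are passed to the
! mail server; the http keyword gives generic TCP tracking for the web server.
ip inspect name INSPECT_IN smtp
ip inspect name INSPECT_IN http
ip inspect audit-trail

! Static NAT for the two published servers
ip nat inside source static 192.168.1.10 203.0.113.10
ip nat inside source static 192.168.1.20 203.0.113.20

! Inbound ACL on the WAN side: only the published services may start a
! session from the Internet. Return traffic for LAN-initiated sessions is
! admitted by the dynamic entries CBAC adds, not by static permits.
access-list 110 permit tcp any host 203.0.113.10 eq smtp
access-list 110 permit tcp any host 203.0.113.20 eq www
access-list 110 deny ip any any log

interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

interface Serial0/0
 description WAN to Internet
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 ip access-group 110 in
 ip inspect INSPECT_OUT out
 ip inspect INSPECT_IN in
```

Applying the two rules on the same interface in opposite directions does not double-inspect anything: a LAN-initiated session is matched by INSPECT_OUT on its first packet and tracked from then on, while INSPECT_IN only ever sees sessions whose first packet arrived from the Internet. To confirm what is actually being tracked, use `show ip inspect config` to review the rules, `show ip inspect sessions` to list established and half-open sessions, and `show access-lists` to see the temporary entries CBAC has inserted into ACL 110. Whether IOS masks the SMTP banner the way the PIX fixup does is not settled by the thread; test it with a connection to port 25 from outside after the inbound rule is in place.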
