Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

CBAC/ IP Inspect

Cisco 3750

f0/0 - LAN interface

s0/0 - WAN interface to Internet

interface s0/0

ip inspect inspect1 out

Now I know that traffic outbound from LAN users would be inspected through a state table. However, this network is also hosting a mail & web server and I've created a static NAT for them along with an access list rule applied inbound on s0/0.

With the above settings, will inbound traffic to the mail & web server be protected too? For example with the PIX, the fixup would only allow certain commands through to the SMTP server and this is the kind of protection I'm looking for. Should I apply the 'ip inspect' in another direction like this below or is my thinking incorrect?

int s0/0

ip inspect inspect1 in

1) Will this command achieve what I am looking for?

2) Will the LAN-initiated traffic undergo double inspection in any way because of this new command?


Re: CBAC/ IP Inspect

One of the important things to remember with CBAC is that it has to "see" (i.e. "inspect") the first packet of a session in order to track the state for that session. This means that yes, you do need to inspect in the "in" direction if you want to apply the SMTP inspection to connections to your mail server. The PIX automatically inspects all traffic so this isn't an issue there. You can either use the same inspection rule set as you use in the out direction, or you can create a new one - they don't have to be the same (though the often are). For email and web sessions to simply work you can usually get by without this inbound inspection as long as you're not blocking outbound traffic from your server, since email and http use simple TCP connections. However, protocols like FTP that involve multiple connections will require inbound inspection to work, since CBAC needs to see the first packet in order to allow subsequent incoming connections that are a part of the same FTP session.

The processing of your outbound LAN-initiated traffic won't be affected by the inbound inspection, since state information for it will already exist because it was inspected when the sessions were started. CBAC has to track the state of all sessions to make sure they're valid, so it's already "watching" the return traffic for those LAN-initiated sessions.

HTH - Good luck!

New Member

Re: CBAC/ IP Inspect

I like your explanation a lot. One follow-up question. I know my inbound mail/web traffic would work and is currently working without inspection. However, does 'ip inspection' work similar to fixup? Fixup on the PIX allows only certain commands through to the SMTP server, thus preventing anybody trying malicious hacking. Once I configure inspection for inbound traffic too, would it do something similar? PIX fixups also hide the SMTP banner, etc when you telnet to port 25 from the Internet.


Re: CBAC/ IP Inspect

Yes, "ip inspect" in IOS is essentially the same as "fixup protocol" in the PIX (which, incidentally, has been changed to "inspect" in the new 7.0 PIX/ASA software - go figure).

To enable the SMTP functionality you want you'll need to add the command "ip inspect name YADDA smtp" to your configuration. This Cisco page documents the precise SMTP command that this will allow:

Good luck!

CreatePlease to create content