Now I know that traffic outbound from LAN users would be inspected through a state table. However, this network is also hosting a mail & web server and I've created a static NAT for them along with an access list rule applied inbound on s0/0.
With the above settings, will inbound traffic to the mail & web server be protected too? For example with the PIX, the fixup would only allow certain commands through to the SMTP server and this is the kind of protection I'm looking for. Should I apply the 'ip inspect' in another direction like this below or is my thinking incorrect?
ip inspect inspect1 in
1) Will this command achieve what I am looking for?
2) Will the LAN-initiated traffic undergo double inspection in any way because of this new command?
One of the important things to remember with CBAC is that it has to "see" (i.e. "inspect") the first packet of a session in order to track the state for that session. This means that yes, you do need to inspect in the "in" direction if you want to apply the SMTP inspection to connections to your mail server. The PIX automatically inspects all traffic so this isn't an issue there. You can either use the same inspection rule set as you use in the out direction, or you can create a new one - they don't have to be the same (though they often are). For email and web sessions to simply work you can usually get by without this inbound inspection as long as you're not blocking outbound traffic from your server, since email and HTTP use simple TCP connections. However, protocols like FTP that involve multiple connections will require inbound inspection to work, since CBAC needs to see the first packet in order to allow subsequent incoming connections that are a part of the same FTP session.
The processing of your outbound LAN-initiated traffic won't be affected by the inbound inspection, since state information for it will already exist because it was inspected when the sessions were started. CBAC has to track the state of all sessions to make sure they're valid, so it's already "watching" the return traffic for those LAN-initiated sessions.
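The configuration below is an added illustration of the answer above, not a config posted by either participant: one CBAC rule set applied in both directions on the outside serial interface, together with the static NAT and inbound ACL the original question describes. All addresses, the ACL name, the inside host addresses and the interface IP are constructed for the example; the inspection rule name inspect1 and the interface s0/0 are taken from the thread.

```cisco
! CBAC rule set: generic TCP/UDP state tracking plus application-aware
! inspection for the protocols that need it (FTP for its data channel,
! SMTP and HTTP for command/protocol checking on the published servers).
ip inspect name inspect1 tcp
ip inspect name inspect1 udp
ip inspect name inspect1 ftp
ip inspect name inspect1 smtp
ip inspect name inspect1 http
ip inspect audit-trail
!
! Static NAT for the published servers (constructed addresses).
ip nat inside source static 192.168.1.10 203.0.113.10
ip nat inside source static 192.168.1.11 203.0.113.11
!
! Inbound ACL on the outside interface: only the published services are
! reachable from the Internet. Return traffic for LAN-initiated sessions
! is admitted by the dynamic entries CBAC inserts ahead of this ACL, so
! it needs no explicit permit here.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp any host 203.0.113.11 eq www
 deny   ip any any log
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Internet
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ! "out": CBAC sees the first packet of every LAN-initiated session and
 ! opens the return path through OUTSIDE-IN.
 ip inspect inspect1 out
 ! "in": CBAC sees the first packet of Internet-initiated sessions to the
 ! published servers, so the SMTP/HTTP checks and FTP data-channel handling
 ! also apply to them. Sessions already tracked by the "out" inspection are
 ! matched against existing state, not inspected a second time.
 ip inspect inspect1 in
```

The two `ip inspect inspect1` lines on Serial0/0 are the direct answer to the two numbered questions: the `in` application is what lets CBAC track and inspect connections that start from the Internet, and the `out` application already holds the state for LAN-initiated sessions, so their return packets match that state rather than being inspected again. Verify with `show ip inspect sessions` (and `show ip inspect config` to confirm both directions are attached to the interface).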
I like your explanation a lot. One follow-up question. I know my inbound mail/web traffic would work and is currently working without inspection. However, does 'ip inspect' work similarly to fixup? Fixup on the PIX allows only certain commands through to the SMTP server, thus preventing anyone from attempting malicious hacking. Once I configure inspection for inbound traffic too, would it do something similar? PIX fixups also hide the SMTP banner, etc. when you telnet to port 25 from the Internet.