Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
273
Views
0
Helpful
4
Replies

firewall on 857 not working?

d.hodgson
Level 1
Level 1

‎12-23-2008 05:17 PM - edited ‎03-04-2019 12:48 AM

Hi folks,

I'm trying to secure a router by using "ip inspect". The router takes all the commands but from a PC behind the router I cannot access the Internet. However if I remove the access list inbound on the external interface it works fine. I was under the impression that ip inspect should add a line to this access list allowing inbound access to an already established internal outbound session?

Can you please help?

I've attached...

sh run

sh ver

sh ip inspect all

sh access-lists

thanks

Dave

Labels:
Preview file
16 KB
0 Helpful
4 Replies 4

Pari Thiagasundaram
Level 3
Level 3

‎12-23-2008 05:25 PM

Shouldnt you be applying it inbound ?

See example below:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

0 Helpful

d.hodgson
Level 1
Level 1
In response to Pari Thiagasundaram

‎12-23-2008 05:48 PM

I've tried inbound on the VLAN Interface and external interface but it still doesn't work. The details of ip inspect can be found here where it states that ip inspect can be inbound on the internal interface but outbound on the external interface.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm

rgds

Dave

0 Helpful

d.hodgson
Level 1
Level 1

‎12-23-2008 07:46 PM

Looks like if I use the following statements it works ok...

ip inspect name firewall tcp router-traffic

ip inspect name firewall udp router-traffic

ip inspect name firewall icmp router-traffic

so I imagine it's looking at the NAT'd address instead of the source IP? can someone please confirm?

thanks

Dave

0 Helpful

Pari Thiagasundaram
Level 3
Level 3
In response to d.hodgson

‎12-23-2008 08:30 PM

ah.....NAT'ting.

While configuring CBAC and NAT on a router, the NAT order of operation plays an important role.

For inside-to-outside traffic, perform these steps:

1. Check input ACL.

2. Perform NAT inside to outside.

3. Check output ACL.

For outside-to-inside traffic, perform these steps:

1. Check input ACL.

2. Perform NAT outside to inside.

3. Check output ACL.

For filtering inside-to-outside traffic on the inside interface, the inside hosts should be specified by their actual IP addresses.

Similarly, for filtering outside-to-inside traffic on the outside interface, the inside hosts should be specified by their translated addresses (inside global).

http://www.cisco.com/en/US/customer/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml

Hope that helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card