12-23-2008 05:17 PM - edited 03-04-2019 12:48 AM
Hi folks,
I'm trying to secure a router by using "ip inspect". The router takes all the commands, but from a PC behind the router I cannot access the Internet. However, if I remove the access list inbound on the external interface it works fine. I was under the impression that ip inspect should add a line to this access list allowing inbound access to an already established internal outbound session?
Can you please help?
I've attached...
sh run
sh ver
sh ip inspect all
sh access-lists
thanks
Dave
12-23-2008 05:25 PM
Shouldn't you be applying it inbound?
See example below:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
12-23-2008 05:48 PM
I've tried inbound on the VLAN interface and external interface, but it still doesn't work. The details of ip inspect can be found here, where it states that ip inspect can be inbound on the internal interface but outbound on the external interface.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm
rgds
Dave
12-23-2008 07:46 PM
Looks like if I use the following statements it works ok...
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall icmp router-traffic
So I imagine it's looking at the NAT'd address instead of the source IP? Can someone please confirm?
thanks
Dave
12-23-2008 08:30 PM
Ah... NATting.
While configuring CBAC and NAT on a router, the NAT order of operation plays an important role.
For inside-to-outside traffic, perform these steps:
1. Check input ACL.
2. Perform NAT inside to outside.
3. Check output ACL.
For outside-to-inside traffic, perform these steps:
1. Check input ACL.
2. Perform NAT outside to inside.
3. Check output ACL.
For filtering inside-to-outside traffic on the inside interface, the inside hosts should be specified by their actual IP addresses.
Similarly, for filtering outside-to-inside traffic on the outside interface, the inside hosts should be specified by their translated addresses (inside global).
Hope that helps.
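A small model of the order of operations listed above, added here as an illustration and not part of any reply in the thread or of Cisco's code: each direction runs input ACL, then NAT, then output ACL, so an ACL applied inbound on the outside interface sees the reply before translation and must name the PC by its inside global address. The addresses, the static one-to-one translation and the tiny ACL format are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed addresses (documentation ranges), not taken from the thread.
INSIDE_LOCAL = "192.168.1.10"   # the PC behind the router, real address
INSIDE_GLOBAL = "203.0.113.5"   # what it is translated to on the outside
SERVER = "198.51.100.20"        # a host on the Internet
NAT_TABLE = {INSIDE_LOCAL: INSIDE_GLOBAL}   # static inside-to-outside translation

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def acl_permits(acl, pkt):
    """acl is a list of (action, src, dst); '*' matches anything; implicit deny at the end."""
    for action, src, dst in acl:
        if src in ("*", pkt.src) and dst in ("*", pkt.dst):
            return action == "permit"
    return False

def nat_inside_to_outside(pkt):
    return replace(pkt, src=NAT_TABLE.get(pkt.src, pkt.src))

def nat_outside_to_inside(pkt):
    reverse = {glob: loc for loc, glob in NAT_TABLE.items()}
    return replace(pkt, dst=reverse.get(pkt.dst, pkt.dst))

def forward(pkt, input_acl, translate, output_acl):
    """The order of operations from the post: 1. input ACL, 2. NAT, 3. output ACL."""
    if not acl_permits(input_acl, pkt):      # input ACL sees the packet before translation
        return None
    pkt = translate(pkt)
    return pkt if acl_permits(output_acl, pkt) else None   # output ACL sees it after translation

PERMIT_ANY = [("permit", "*", "*")]

def outbound(inside_input_acl=PERMIT_ANY):
    """PC -> Internet: the inside interface's input ACL matches the real inside address."""
    return forward(Packet(INSIDE_LOCAL, SERVER), inside_input_acl, nat_inside_to_outside, PERMIT_ANY)

def reply_reaches_pc(outside_input_acl):
    """Internet -> PC: the outside interface's input ACL runs before NAT, so it sees INSIDE_GLOBAL."""
    delivered = forward(Packet(SERVER, INSIDE_GLOBAL), outside_input_acl, nat_outside_to_inside, PERMIT_ANY)
    return delivered is not None and delivered.dst == INSIDE_LOCAL

# An entry naming the PC by its real address never matches on the outside interface ...
ACL_WITH_LOCAL_ADDR = [("permit", SERVER, INSIDE_LOCAL)]
# ... while one naming the translated (inside global) address does, as the post says.
ACL_WITH_GLOBAL_ADDR = [("permit", SERVER, INSIDE_GLOBAL)]
```

The same rule applies on the inside interface in reverse: its input ACL runs before NAT, so an entry there that names the PC by its inside global address never matches.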