Cisco Support Community
IOS Firewall / IP inspect

I have inherited a large MPLS enterprise network. Many of the 100+ sites have a VPN failover. The IOS version is 12.4 Adv Security on 1760/2801 routers. Here is one example:

interface Ethernet0/1
 description BrightHouse cable $FW_OUTSIDE$
 ip address x.x.x.254 255.255.255.252
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 ip nbar protocol-discovery
 ip inspect standard in
 ip route-cache flow
 full-duplex
 no cdp enable
 crypto map myset

After reading up on IOS firewall, it seems that it should be applied outbound instead of inbound, since the connection would be initiated from the inside going out? Any input would be greatly appreciated!

2 ACCEPTED SOLUTIONS

Re: IOS Firewall / IP inspect

I agree that it should be applied outbound. The firewall will track connection states and the majority of traffic is 'inside' to 'outside'. You can apply it inbound, but only if you'll be hosting services and generally the service would need to change ports (i.e. passive FTP); otherwise an ACL should suffice on the outside interface.

Hope that helps.

Re: IOS Firewall / IP inspect

Yes, it should be "ip inspect standard out".

"ip inspect standard in" will inspect traffic initiated from outside in, but you need to inspect traffic that is initiated from inside out.

Be careful what traffic you allow into the network on access-list 103. That traffic can be initiated from outside and not be inspected by the firewall.

Cheers,

Istvan
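A small config audit in the spirit of both accepted answers, added here as an example (it is not code from the thread or from Cisco): it parses an IOS-style config, flags an `ip inspect ... in` on any interface tagged `$FW_OUTSIDE$`, and lists the permits in that interface's inbound ACL, since those are exactly the flows that can be initiated from outside without being inspected. The sample config, its addresses and its ACL entries are constructed for the example; `$FW_OUTSIDE$` is the tag the thread's own config uses.

```python
import re

# Constructed sample config modelled on the thread's example; the
# addresses and ACL entries are placeholders, not from a real site.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 description LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 description BrightHouse cable $FW_OUTSIDE$
 ip address 192.0.2.254 255.255.255.252
 ip access-group 103 in
 ip inspect standard in
 crypto map myset
!
access-list 103 permit udp any host 192.0.2.254 eq isakmp
access-list 103 permit esp any host 192.0.2.254
access-list 103 permit tcp any any eq 3389
access-list 103 deny ip any any
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for each interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def audit(config):
    """Return (interface, kind, detail) findings for every outside interface:
    an inspect rule applied inbound, plus each permit in the inbound ACL,
    which outside-initiated traffic can use without being inspected."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not any("$FW_OUTSIDE$" in l for l in lines):
            continue
        for l in lines:
            m = re.fullmatch(r"ip inspect (\S+) (in|out)", l)
            if m and m.group(2) == "in":
                findings.append((name, "inspect-direction",
                                 f"'{l}' should be 'ip inspect {m.group(1)} out'"))
            m = re.fullmatch(r"ip access-group (\S+) in", l)
            if m:
                prefix = f"access-list {m.group(1)} permit"
                for p in config.splitlines():
                    if p.startswith(prefix):
                        findings.append((name, "uninspected-inbound-permit", p))
    return findings
```

Run it over each site's `show running-config` output to find the routers that still inspect in the wrong direction and to review what ACL 103 lets in uninspected.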

3 REPLIES


Re: IOS Firewall / IP inspect

Thanks for the input - just wanted a second pair of eyes to verify I was interpreting it correctly.
