https://community.cisco.com/t5/network-security/ip-inspect-and-blocking/m-p/1859739#M490338 <HTML><HEAD></HEAD><BODY><P>Here are the answers to your questions.</P><P></P><P>1. Incoming TCP SYN packet arrives on fa0/1 and TCP session is built. I assume that this session will not be inspected ?</P><P>2. TCP session is initiated from fa0/2 interface. Such session will be inspected - and after 10 seconds of idle:</P><P>a) when packet within this session will be received on fa0/1 it will be accepted ?</P><P>b) when packet within this session will be received on fa0/2 it will be dropped ?</P><P>3. When TCP ACK packet is received on fa0/2 - but there is no session which matches this packet - will it be dropped ?</P><P>4. Only 100 half-opened session are accepted but only when initiated from fa0/2, when initiated from fa0/1 - there is no limit ?</P><P></P><P>1. Yes this session will not be inspected.</P><P>2. a) No, after the session has gone idle. it will be removed and the next packet should have the Syn Flag not ACK.</P><P>&nbsp;&nbsp;&nbsp; b) Yes, they will not be dropped. </P><P>3. Yes.</P><P>4. This value is defined globally , not interface wise.</P><P></P><P></P><P>Puneet</P></BODY></HTML> Thu, 22 Dec 2011 22:05:15 GMT puseth 2011-12-22T22:05:15Z https://community.cisco.com/t5/network-security/ip-inspect-and-blocking/m-p/1859738#M490337 <P>Hello</P><P></P><P>My config:</P><P>ip inspect name CBAC tcp timeout 10</P><P>ip inspect max-incomplete high 100</P><P>int fa0/1</P><P>ip access_group permit_all in</P><P>int fa 0/2</P><P>ip access_group permit_all in</P><P>ip inspect CBAC in</P><P></P><P>Access-list on both interfaces accept all ip traffic.</P><P>What happens when:</P><P>1. Incoming TCP SYN packet arrives on fa0/1 and TCP session is built. I assume that this session will not be inspected ?</P><P>2. TCP session is initiated from fa0/2 interface. Such session will be inspected - and after 10 seconds of idle:</P><P>a) when&nbsp; packet within this session will be received on fa0/1 it will be accepted ?</P><P>b) when&nbsp; packet within this session will be received on fa0/2 it will be dropped ?</P><P>3.&nbsp; When TCP ACK packet is received on fa0/2 - but there is no session which matches this packet - will it be dropped ?</P><P>4. Only 100 half-opened session are accepted but only when initiated from fa0/2, when initiated from fa0/1 - there is no limit ?</P><P></P><P>Thanx</P> Mon, 11 Mar 2019 22:05:37 GMT https://community.cisco.com/t5/network-security/ip-inspect-and-blocking/m-p/1859738#M490337 mlopacinski 2019-03-11T22:05:37Z https://community.cisco.com/t5/network-security/ip-inspect-and-blocking/m-p/1859739#M490338 <HTML><HEAD></HEAD><BODY><P>Here are the answers to your questions.</P><P></P><P>1. Incoming TCP SYN packet arrives on fa0/1 and TCP session is built. I assume that this session will not be inspected ?</P><P>2. TCP session is initiated from fa0/2 interface. Such session will be inspected - and after 10 seconds of idle:</P><P>a) when packet within this session will be received on fa0/1 it will be accepted ?</P><P>b) when packet within this session will be received on fa0/2 it will be dropped ?</P><P>3. When TCP ACK packet is received on fa0/2 - but there is no session which matches this packet - will it be dropped ?</P><P>4. Only 100 half-opened session are accepted but only when initiated from fa0/2, when initiated from fa0/1 - there is no limit ?</P><P></P><P>1. Yes this session will not be inspected.</P><P>2. a) No, after the session has gone idle. it will be removed and the next packet should have the Syn Flag not ACK.</P><P>&nbsp;&nbsp;&nbsp; b) Yes, they will not be dropped. </P><P>3. Yes.</P><P>4. This value is defined globally , not interface wise.</P><P></P><P></P><P>Puneet</P></BODY></HTML> Thu, 22 Dec 2011 22:05:15 GMT https://community.cisco.com/t5/network-security/ip-inspect-and-blocking/m-p/1859739#M490338 puseth 2011-12-22T22:05:15Z https://community.cisco.com/t5/network-security/ip-inspect-and-blocking/m-p/1859740#M490339 <HTML><HEAD></HEAD><BODY><P>Thanx for the answers. </P></BODY></HTML> Fri, 23 Dec 2011 07:01:30 GMT https://community.cisco.com/t5/network-security/ip-inspect-and-blocking/m-p/1859740#M490339 mlopacinski 2011-12-23T07:01:30Z https://community.cisco.com/t5/network-security/ip-inspect-and-blocking/m-p/1859741#M490340 <HTML><HEAD></HEAD><BODY><P>Thanx for the answers.</P><P>2. a) Next packet should have SYN only for new session. There might be network stale or application problems and, application resend ACK segment which will arrive after the router has cleared connection (both endpoints of this connection belives it's still alive). But it will arrive on interface which is not inspected. Should not "yes" (packet permitted) be answer to my question ?</P><P>4. Value is defined globally but the inspection is enabled only on fa0/2, so i am correct in point4 or not ?</P></BODY></HTML> Fri, 23 Dec 2011 07:10:54 GMT https://community.cisco.com/t5/network-security/ip-inspect-and-blocking/m-p/1859741#M490340 mlopacinski 2011-12-23T07:10:54Z