IP Inspect usage

Paul Harris
Level 1

I am looking at tightening up security on our network by implementing the IP inspect feature on our internet-connected routers. I've not used this feature before, so I've had to do a bit of reading on its usage. I'm reasonably confident in what I need to do, but I was hoping someone could sanity check my plan and make sure what I'm doing is correct.

At present, we don't have 'proper' firewalls controlling inbound/outbound access. We have two inbound net connections and an extended ACL applied to the internal interface to control access. Roughly speaking, here is the current setup:

Gi0/2 - link to ISP

No access list

Gi0/3 - Internal

Access group 101 out

Access list 101 extended

(about 100 lines specifying miscellaneous ports open for public servers)

permit tcp any my subnet established

Deny ip any any log

So what I think I need to do is:

  1. Create ip inspect ruleset and apply to interface Gi0/2 outbound
  2. Remove the 'established' line from the access list 101

But what I'm wondering is would it work if the ip inspect ruleset and access list are applied to different interfaces?

Also is it likely to have a performance impact?

Not quite sure why the access list is applied to the internal interface - I would have thought it would make more sense to apply it inbound on the external interface but this is the system I've inherited.

Thanks in advance.

- P

3 Replies

Hi,

The inspection can be applied to a different interface than the ACL and it works.

The important thing is that you inspect traffic in the outbound direction and the ACL protects traffic in the inbound direction.

For example (working configs):

interface inside
  ip inspect FW in

interface outside
  ip access-group 101 in

Or:

interface inside

interface outside
  ip inspect FW out
  ip access-group 101 in

There are some differences.

In the second example, the inspection is going to take place when traffic exits the router at the outside interface.

A more recommended approach than CBAC (ip inspect) is ZFW (Zone-Based Firewall) configurations, which provide more flexibility.

Hope it helps.

Federico.

So, if I understand you correctly, my plan wouldn't work because access-group 101 would need to be applied inbound to the external interface?

I'm just reading up on ZFW now. I think I could be a while...

Paul,

The issue with your plan:

Gi0/3 - Internal

Access group 101 out

Is that the ACL is checking outbound traffic.

But the purpose of inspection is to allow outbound traffic (meaning all outbound traffic should be permitted by any ACL allowing outbound traffic), and there should be an ACL denying inbound traffic.

The inspection will open "holes" to allow the replies from traffic originating inside-out.

Hope it makes sense.

Federico.
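The layout Federico describes in his second variant (inspection outbound on the ISP-facing interface, ACL inbound on that same interface, no outbound ACL on the inside), written out as a complete CBAC configuration. This is an added example, not a config from anyone in the thread: the interface names are Paul's (Gi0/2 = ISP, Gi0/3 = internal), while the server and subnet addresses are constructed placeholders.

```cisco
! Added example, not from the original thread. Interface names follow the
! poster's layout; 203.0.113.x addresses are constructed placeholders.

! 1. Define the inspection rule set. Each session that leaves through the
!    inspected interface gets a temporary return-path entry in the inbound
!    ACL of that interface; unsolicited inbound traffic gets nothing.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
ip inspect audit-trail
ip inspect tcp idle-time 3600

! 2. Inbound ACL on the ISP side. Only the published server ports are
!    permitted statically. The old "permit tcp any <subnet> established"
!    line is dropped: CBAC now supplies the return path dynamically,
!    and a bare ACK-flag check no longer opens anything.
ip access-list extended 101
 remark -- public servers (constructed addresses) --
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.25 eq 25
 remark -- everything else, including unsolicited "replies", is dropped --
 deny   ip any any log

! 3. ISP-facing interface: inspect what leaves, filter what enters.
interface GigabitEthernet0/2
 description link to ISP
 ip inspect FW out
 ip access-group 101 in

! 4. Internal interface: remove the outbound ACL so that outbound sessions
!    reach the inspection point unfiltered, as Federico's reply requires.
interface GigabitEthernet0/3
 description internal
 no ip access-group 101 out

! Verification after applying:
!   show ip inspect sessions      - lists the flows CBAC is tracking
!   show ip access-lists 101      - hit counts, including the final deny
!   show logging                  - the "deny ip any any log" entries
```

The `deny ip any any log` entry doubles as a detection point: anything hitting it is inbound traffic that neither matches a published service nor corresponds to a session CBAC opened.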
