03-10-2011 07:04 AM - edited 03-11-2019 01:04 PM
I am looking at tightening up security on our network by implementing the IP inspect feature on our internet-connected routers. I've not used this feature before so I've had to do a bit of reading on its usage and I'm reasonably confident in what I need to do, but I was hoping someone could sanity check my plan and make sure what I'm doing is correct.
At present, we don't have 'proper' firewalls controlling inbound/outbound access. We have two inbound net connections and an extended ACL applied to the internal interface to control access. Roughly speaking, here is the current setup:
Gi0/2 - link to ISP
No access list
Gi0/3 - Internal
Access group 101 out
Access list 101 extended
(about 100 lines specifying miscellaneous ports open for public servers)
permit tcp any my subnet established
Deny ip any any log
So what I think I need to do is:
But what I'm wondering is: would it work if the ip inspect ruleset and access list are applied to different interfaces?
Also is it likely to have a performance impact?
Not quite sure why the access list is applied to the internal interface - I would have thought it would make more sense to apply it inbound on the external interface but this is the system I've inherited.
Thanks in advance.
- P
03-10-2011 07:13 AM
Hi,
The inspection can be applied to a different interface than the ACL and it works.
The important thing is that you inspect traffic in the outbound direction and the ACL protects traffic in the inbound direction.
For example (working configs):
interface inside
ip inspect FW in
interface outside
ip access-group 101 in
Or:
interface inside
interface outside
ip inspect FW out
ip access-group 101 in
There are some differences.
In the second example, the inspection is going to take place when traffic exits the router at the outside interface.
A more recommended approach to CBAC (ip inspect) is ZFW (Zone-Based Firewall) configurations that provide more flexibility.
Hope it helps.
Federico.
03-10-2011 07:36 AM
So, if I understand you correctly, my plan wouldn't work because access-group 101 would need to be applied inbound to the external interface?
I'm just reading up on ZFW now. I think I could be a while...
03-10-2011 08:34 AM
Paul,
The issue with your plan:
Gi0/3 - Internal
Access group 101 out
Is that the ACL is checking outbound traffic.
But the purpose of inspection is to allow outbound traffic (meaning all outbound traffic should be permitted by any ACL allowing outbound traffic), and there should be an ACL denying inbound traffic.
The inspection will open "holes" to allow the replies from traffic originating inside-out.
Hope it makes sense.
Federico.
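To put Federico's two replies side by side in router syntax, here is an added example (not a config posted in this thread) showing the inherited layout Paul describes and the corrected CBAC layout: inspect traffic as it leaves the LAN, filter traffic as it arrives from the ISP. The interface names Gi0/2 (ISP) and Gi0/3 (internal), the inspect rule name FW and the ACL number 101 are taken from the thread; the 192.0.2.0/24 subnet, the server address 192.0.2.10 and the single HTTPS entry are constructed placeholders standing in for the roughly 100 lines Paul mentions.

```cisco
! Added example, not from the original thread. Addresses are constructed placeholders.
!
! --- Inherited layout (Paul's current setup): the ACL is evaluated OUTBOUND on the
! --- inside interface and relies on the stateless 'established' keyword (it only
! --- checks the ACK/RST bits) to let replies back in.
interface GigabitEthernet0/3
 description Internal
 ip access-group 101 out
!
! --- Corrected layout (Federico's advice): CBAC inspects sessions leaving the LAN
! --- and opens temporary return openings that are evaluated before ACL 101 on the
! --- outside interface, so 101 only needs to describe the published servers.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
access-list 101 remark Public servers only: one line per published service
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 remark No 'permit tcp any 192.0.2.0 0.0.0.255 established' needed
access-list 101 deny ip any any log
!
interface GigabitEthernet0/2
 description Link to ISP
 ip access-group 101 in
!
interface GigabitEthernet0/3
 description Internal
 no ip access-group 101 out
 ip inspect FW in
```

After applying it, `show ip inspect sessions` lists the outbound sessions the router is tracking, and a connection attempted from the outside to a port not listed in ACL 101 appears as a logged deny rather than being silently matched by the old `established` line. Leaving the outbound ACL in place on Gi0/3 as well would work (Federico's first example), but it then has to permit everything you want inspected, otherwise the ACL drops the traffic before inspection ever sees it.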