07-27-2005 04:08 PM - edited 03-09-2019 11:58 AM
In the case below we want Java applets to be downloaded from 150.50.4.80. The INFILTER allows just about everything in. TCP, UDP, and HTTP-Java are allowed out.
Now access-list 1 permits a *source* of 150.50.4.80, yet the outbound inspection should be keying on a *destination* of 150.50.4.80. Am I missing something?
<snip>
!
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http java-list 1
!
<snip>
!
interface Serial0/1/0.2 point-to-point
ip address 150.50.25.5 255.255.255.0
ip access-group INFILTER in
ip inspect FW out
frame-relay interface-dlci 501
!
<snip>
!
ip access-list extended INFILTER
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip host 0.0.0.0 any log
deny ip host 255.255.255.255 any log
permit ip any any
!
access-list 1 permit 150.50.4.80
!
<snip>
07-27-2005 04:36 PM
To filter Java applets from this source, you need to apply this inspection inbound. But you also need to apply an inspection outbound for the return traffic for your inside network.
07-28-2005 06:37 AM
My understanding of CBAC is that a router "inspects" on the outbound traffic which modifies a restrictive ACL for the returning traffic.
My question is about the purpose of the http java-list ACL. Why is this needed at all, since the HTTP traffic is inspected on the way out? Why is an ACL needed to specify the source of the Java applet? I expect the source to already be known and cached, since that HTTP host is a destination that I am inspecting already. Is it just for finer granularity? If so, it seems odd to make it a required param.
Any further insight?
07-28-2005 10:20 AM
My understanding of CBAC is that a router "inspects" on the outbound traffic which modifies a restrictive ACL for the returning traffic.
>> true
My question is about the purpose of the http java-list ACL. Why is this needed at all, since the HTTP traffic is inspected on the way out?
>> HTTP inspection is not at all needed unless you want to filter Java. The HTTP traffic comes under TCP, so a TCP inspection takes care of it. Unless you want Java filtering, you don't need HTTP inspection.
Why is an ACL needed to specify the source of the Java applet? I expect the source to already be known and cached, since that HTTP host is a destination that I am inspecting already. Is it just for finer granularity? If so, it seems odd to make it a required param.
>> I think I answered it already, and now I think you don't need another inspection inbound; the outbound should take care of it. When you define the HTTP inspection, you should always define the source to be allowed; otherwise you don't even need HTTP inspection.
Any further insight?
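Added worked example, not part of the thread and not Cisco's code: a small Python model of the decision behind `ip inspect name FW http java-list 1`. It assumes what a standard ACL is by definition (it matches source addresses only) and that the java-list is checked against the web server's address, which is the source of the HTTP response coming back in through Serial0/1/0.2 and the destination of the request that `ip inspect FW out` saw leaving. The applet test used here is the Java class-file magic 0xCAFEBABE; that is an assumption, since the thread does not say how IOS recognises an applet. The ACL lines, server addresses and response bodies are constructed sample data.

```python
"""Model of the decision `ip inspect name FW http java-list 1` makes.

Added example, not Cisco code and not from the thread. Assumptions: the
java-list is a standard ACL, so it only ever matches a source address, and it
is evaluated against the web server's address, which is the source of the HTTP
response returning through the inspected interface (and the destination of the
request inspected on the way out). Applets are recognised by the Java
class-file magic 0xCAFEBABE; the exact signature test IOS performs is not
stated in the thread.
"""
import ipaddress
from dataclasses import dataclass

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    network: int    # IPv4 address as an integer
    wildcard: int   # IOS wildcard mask: 0 bits must match, 1 bits are don't-care


def parse_standard_acl(lines):
    """Parse `access-list N permit|deny {any | host A.B.C.D | A.B.C.D [wildcard]}` lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # not a standard ACL line, e.g. a '!' separator
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unrecognised ACL action in {line!r}")
        if parts[3] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            net, wild = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            net = int(ipaddress.IPv4Address(parts[3]))
            # A bare address with no wildcard is an exact host match.
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append(AclEntry(action, net, wild))
    return entries


def acl_permits(entries, addr):
    """First-match evaluation with the implicit `deny any` at the end of every IOS ACL."""
    a = int(ipaddress.IPv4Address(addr))
    for e in entries:
        if ((a ^ e.network) & ~e.wildcard & 0xFFFFFFFF) == 0:
            return e.action == "permit"
    return False


def is_java_applet(response_body):
    """A Java .class file starts with the magic number 0xCAFEBABE (assumed signature)."""
    return response_body[:4] == JAVA_CLASS_MAGIC


def http_java_decision(friendly_acl, server_addr, response_body):
    """Decision for one HTTP response on a session CBAC opened on the way out.

    `server_addr` is the address the inside client connected to: the
    *destination* of the outbound request and the *source* of this response.
    That is the address the standard java-list ACL is checked against.
    Returns "allow" or "block".
    """
    if not is_java_applet(response_body):
        return "allow"  # plain HTML, images, etc. are not filtered by the java-list
    return "allow" if acl_permits(friendly_acl, server_addr) else "block"


# Constructed sample data: the java-list from the thread and three responses.
FRIENDLY_ACL = parse_standard_acl(["access-list 1 permit 150.50.4.80"])

SAMPLE_RESPONSES = [
    # (server the inside host connected to, first bytes of the response body)
    ("150.50.4.80", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x31"),  # applet from the friendly host
    ("203.0.113.7", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x31"),  # applet from anywhere else
    ("203.0.113.7", b"<html><body>no applet</body></html>"),  # ordinary page
]


def run_examples():
    """Return {(server, is_applet): decision} for the constructed samples."""
    return {
        (server, is_java_applet(body)): http_java_decision(FRIENDLY_ACL, server, body)
        for server, body in SAMPLE_RESPONSES
    }


if __name__ == "__main__":
    for (server, applet), verdict in run_examples().items():
        print(f"server={server:<12} java_applet={applet!s:<5} -> {verdict}")
```

Running it shows the applet from 150.50.4.80 allowed, the same applet from any other server blocked, and non-applet content untouched; the ACL evaluator also honours IOS first-match order and the implicit deny, so a `deny host` line placed before a wider `permit` behaves as it would on the router.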