User-defined port for CBAC

aweise
Level 1

We're using a 3925 router with ACLs on the local LAN interface and also a set of CBAC rules as follows:

ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp timeout 43200
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW smtp

We apply the SDM_LOW rule on the outbound WAN interface.

This location is also using a special application that does not use a standard port (it uses TCP 7111). I would have thought that the line with "tcp timeout 43200" would cover all TCP ports, but this apparently is being blocked.

How can I create a user-defined service and apply it to these rules?

3 Replies

Is the application using only a single channel, or does it negotiate secondary channels?

If it is single channel then the inspect-config should be fine. But the initial traffic still has to be allowed if there is an ACL on the path to the server.

Also enable logging and check whether there is something useful there.

Thank you Karsten.

To my knowledge, it's a single-channel application (not anything like ftp).

What's the syntax for inspect-config? I don't see that as an option in my IOS version (15.2(4)M5). I have a TAC case open, but they're not doing a good job of responding.

The inspect-config is your set of commands above starting with "ip inspect name ...". There you inspect the relevant traffic and probably much more than needed.
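To show how the pieces the replies refer to fit together (the generic tcp inspect entry, the ACL that must permit the first packet on the LAN side, and inspection logging), here is an added IOS configuration fragment that is not from the thread; the interface names, the LAN subnet 192.168.10.0/24 and the ACL name LAN_IN are assumed placeholders.

```cisco
! Added example, not from the thread. Interface names, the LAN subnet
! 192.168.10.0/24 and the ACL name LAN_IN are assumed placeholders.
!
! Inspection rule from the original post: the generic tcp entry already
! covers TCP 7111, so a single-channel application needs no extra entry.
ip inspect name SDM_LOW tcp timeout 43200
!
! Log session creation and teardown so a blocked connection can be traced.
ip inspect audit-trail
!
! The inbound ACL on the LAN interface is evaluated before inspection:
! the first SYN to TCP 7111 must be permitted here, or CBAC never sees
! the session and cannot open the return path on the WAN side.
ip access-list extended LAN_IN
 permit tcp 192.168.10.0 0.0.0.255 any eq 7111
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 permit udp 192.168.10.0 0.0.0.255 any eq 53
 deny   ip any any log
!
interface GigabitEthernet0/0
 description LAN (assumed name)
 ip access-group LAN_IN in
!
interface GigabitEthernet0/1
 description WAN (assumed name)
 ip inspect SDM_LOW out
!
! Verification: a TCP 7111 session should appear in the first command
! once a client connects; a hit on the deny line of the second means the
! initial packet is being dropped by the ACL, not by inspection.
! show ip inspect sessions
! show ip access-lists LAN_IN
```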