cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1038
Views
0
Helpful
3
Replies

What does the "ip inspect" command do?

whiteford
Level 1
Level 1

I have a Cisco 837 router for home use on my ADSL line, there are no firewall rules inplace as far as my knowledge goes. What does the "ip inspect" rule do and do I need to add it to the ethernet inteface inbound?

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ADSL

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable password 7 ****

!

no aaa new-model

!

resource policy

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.2.1 192.168.2.10

!

ip dhcp pool client

import all

network 192.168.2.0 255.255.255.0

default-router 192.168.2.100

dns-server 190.217.138.197 187.186.189.16

lease 0 2

!

!

no ip cef

!

!

!

username *** password ***

!

!

!

!

!

interface Ethernet0

ip address 192.168.2.100 255.255.255.0

no ip unreachables

ip nat inside

ip virtual-reassembly

hold-queue 100 out

!

interface Ethernet2

no ip address

shutdown

hold-queue 100 out

!

interface ATM0

no ip address

no ip unreachables

no ip mroute-cache

atm vc-per-vp 64

no atm ilmi-keepalive

dsl operating-mode auto

cdp enable

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

!

interface FastEthernet1

duplex auto

speed auto

!

interface FastEthernet2

duplex auto

speed auto

!

interface FastEthernet3

duplex auto

speed auto

!

interface FastEthernet4

duplex auto

speed auto

!

interface Dialer1

ip address negotiated

no ip unreachables

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname ***

ppp chap password ***

ppp pap sent-username *** password ***

ppp ipcp dns request

ppp ipcp wins request

!

ip route 0.0.0.0 0.0.0.0 Dialer1

no ip http server

no ip http secure-server

!

ip nat inside source list 102 interface Dialer1 overload

!

logging trap debugging

logging facility local4

logging source-interface Ethernet0

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

dialer-list 1 protocol ip permit

!

control-plane

!

!

line con 0

no modem enable

transport output telnet

line aux 0

transport output telnet

line vty 0 4

exec-timeout 5 0

login local

transport input telnet ssh

transport output all

!

scheduler max-task-time 5000

end

3 Replies 3

johnd2310
Level 8
Level 8

hi,

The "ip inspect" does stateful packet inspection. You might want to apply it to the adsl interface outbound. That way it will inspect traffic leaving your network and open the necessary ports for the return traffic. Have a look at the following:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html

**Please rate posts you find helpful**

Thanks John,

1.) I've seen example applying it to the ethernet 0 inbound, any ideas why?

2.) So does it just inspect, what exactly is that?

3.) Also from the config above, I don't seem to have any firewall rules (unless I'm missing something). I want to be able to go outbound to the internet with no blocking (http, https, ftp, telnet, work VPN etc), but block the usual inbound traffic, should I have an access list?

Thanks

Andy

Has our discussion about ip inspect in the WAN forum clarified your understanding of this or do you still have questions?

HTH

Rick

HTH

Rick