11-11-2007 04:08 AM - edited 03-09-2019 07:20 PM
I have a Cisco 837 router for home use on my ADSL line; there are no firewall rules in place as far as my knowledge goes. What does the "ip inspect" rule do, and do I need to add it to the Ethernet interface inbound?
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ADSL
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password 7 ****
!
no aaa new-model
!
resource policy
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool client
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.100
 dns-server 190.217.138.197 187.186.189.16
 lease 0 2
!
!
no ip cef
!
!
!
username *** password ***
!
!
!
!
!
interface Ethernet0
 ip address 192.168.2.100 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip unreachables
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 cdp enable
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ***
 ppp chap password ***
 ppp pap sent-username *** password ***
 ppp ipcp dns request
 ppp ipcp wins request
!
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
!
logging trap debugging
logging facility local4
logging source-interface Ethernet0
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
end
11-11-2007 11:07 AM
Hi,
The "ip inspect" command does stateful packet inspection. You might want to apply it to the ADSL interface outbound. That way it will inspect traffic leaving your network and open the necessary ports for the return traffic. Have a look at the following:
11-11-2007 11:13 AM
Thanks John,
1.) I've seen examples applying it to Ethernet 0 inbound; any ideas why?
2.) So does it just inspect? What exactly is that?
3.) Also, from the config above, I don't seem to have any firewall rules (unless I'm missing something). I want to be able to go outbound to the internet with no blocking (HTTP, HTTPS, FTP, Telnet, work VPN, etc.), but block the usual inbound traffic. Should I have an access list?
Thanks
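The setup John describes (inspection outbound on the ADSL side) together with the inbound access list Andy asks about in point 3, as an added example that is not part of the thread and not written by any of the posters. Interface names and the LAN subnet are taken from the posted config; the rule name HOMEFW and access-list number 110 are assumptions chosen here.

```cisco
! Added example, not from the thread. Interface names and 192.168.2.0/24 come
! from the posted config; HOMEFW and ACL 110 are chosen here (102 is in use by NAT).
!
! 1. Inspection rule: each session that leaves the LAN gets a temporary
!    return-path opening, so the inbound ACL below only needs to deny.
ip inspect name HOMEFW tcp
ip inspect name HOMEFW udp
ip inspect name HOMEFW icmp
ip inspect name HOMEFW ftp
!
! 2. Inbound ACL on the WAN side: anti-spoofing first, then drop and log
!    everything that is not a reply to an inspected session.
access-list 110 remark Drop packets claiming to come from our own LAN
access-list 110 deny   ip 192.168.2.0 0.0.0.255 any
access-list 110 remark ESP is not inspected; if the work VPN uses plain ESP rather
access-list 110 remark than NAT-T (UDP 4500), add a static line: permit esp any any
access-list 110 deny   ip any any log
!
! 3. Bind both to the ADSL side (Dialer1, the ip nat outside interface):
!    inspect what goes out, filter what comes in. Applying the same rule
!    inbound on Ethernet0 (the variant in point 1) inspects the same
!    LAN-originated sessions; only the ACL must sit on the WAN side.
interface Dialer1
 ip access-group 110 in
 ip inspect HOMEFW out
```

Check it with `show ip inspect sessions` while browsing from the LAN; the `log` keyword on the final deny makes dropped unsolicited inbound packets appear in the syslog the config already sends with `logging trap debugging`.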
11-12-2007 02:49 PM
Andy
Has our discussion about ip inspect in the WAN forum clarified your understanding of this or do you still have questions?
HTH
Rick