07-04-2020 11:37 PM
Hi,
I have a question: is it better to put ip inspect firewall in on the LAN interface, or to put it on the interface facing the internet with ip inspect firewall out?
Thank you
07-05-2020 02:10 AM - edited 07-05-2020 02:12 AM
I always put it on the internet-facing interface in the outgoing direction. That gives you the possibility to also inspect router-generated traffic like pinging to the internet for troubleshooting, sending NTP or DNS to the internet or registering the router with DynDNS (and so on):
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
Although much more complex, you should also familiarise yourself with the zone-based firewall, as CBAC (the "ip inspect" based firewall) is not supported any more in recent IOS versions and platforms.
07-05-2020 09:07 AM
Thank you for your reply, so I put the command on the interface facing the internet with:
IP inspect firewall out
and create a standard ACL to protect incoming traffic with deny any any.
Please confirm whether these are the correct settings.
Thank you
07-05-2020 11:42 AM
I would directly use an extended ACL instead of a standard ACL. That way you are prepared in case you want to allow incoming connections with more flexibility.
07-05-2020 11:18 PM
Thank you. If you don't mind, could you give me a really short and good example of an extended ACL that can protect the inside network, and tell me where to apply it please?
Thank you again
07-05-2020 11:41 PM - edited 07-05-2020 11:43 PM
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
!
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit udp any host 192.0.2.10 eq 443
 deny ip any any log
!
interface gig 0/1
 description Interface to the Internet
 ip address 192.0.2.10 255.255.255.248
 ip inspect FW out
 ip access-group OUTSIDE-IN in
In this example the outside interface allows TCP and UDP/443 for VPN, but the ACL denies the rest. Connections initiated in the outbound direction enter the firewall's state table and the reply packets are also allowed in.
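To make the order of operations in the two answers above concrete (outbound inspection on the internet-facing interface, including router-generated traffic, plus the OUTSIDE-IN ACL inbound), here is an added Python model of that behaviour. It is an illustration written for this thread, not Cisco code and not a reproduction of how IOS implements CBAC internally; the inside host and remote addresses are constructed, NAT is left out, and the "reply hole" is modelled simply as a lookup of the reversed 5-tuple in a session set before the static ACL rows are evaluated.

```python
from dataclasses import dataclass

OUTSIDE_IP = "192.0.2.10"            # the router's internet address from the thread
INSPECTED = {"tcp", "udp", "icmp"}   # protocols listed under 'ip inspect name FW ... router-traffic'

# Extended ACL OUTSIDE-IN from the thread, as (action, protocol, destination, port) rows.
# 'ip' matches any protocol, 'any' matches any destination, None matches any port.
OUTSIDE_IN_ACL = [
    ("permit", "tcp", OUTSIDE_IP, 443),
    ("permit", "udp", OUTSIDE_IP, 443),
    ("deny", "ip", "any", None),
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int   # 0 for protocols without ports (ICMP, GRE)
    dst: str
    dport: int


class CbacInterface:
    """Models the outside interface: 'ip inspect FW out' plus 'ip access-group OUTSIDE-IN in'."""

    def __init__(self):
        self.sessions = set()   # state table, keyed by the initiating direction's 5-tuple
        self.denied = []        # what 'deny ip any any log' would write to the log

    def outbound(self, pkt: Packet) -> str:
        # Applies to LAN-originated and router-originated packets alike ('router-traffic').
        if pkt.proto in INSPECTED:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward (session created)"
        return "forward (not inspected)"

    def inbound(self, pkt: Packet) -> str:
        # Reply traffic of a known session is accepted before the static ACL rows are consulted.
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_of in self.sessions:
            return "permit (state table)"
        for action, proto, dst, dport in OUTSIDE_IN_ACL:
            if (proto in ("ip", pkt.proto)
                    and dst in ("any", pkt.dst)
                    and dport in (None, pkt.dport)):
                if action == "deny":
                    self.denied.append(pkt)
                return f"{action} (acl)"
        self.denied.append(pkt)          # implicit deny at the end of every IOS ACL
        return "deny (implicit)"


def walkthrough() -> dict:
    """Replays the traffic patterns discussed in the thread; all addresses are constructed."""
    fw = CbacInterface()
    lan_host, remote, scanner = "10.0.0.5", "198.51.100.20", "203.0.113.7"
    r = {}
    # 1. LAN host opens HTTPS outbound; the server's reply is let back in by state, not by the ACL.
    fw.outbound(Packet("tcp", lan_host, 40000, remote, 443))
    r["lan_reply"] = fw.inbound(Packet("tcp", remote, 443, lan_host, 40000))
    # 2. The router itself pings the internet (router-traffic): the echo reply is also let in.
    fw.outbound(Packet("icmp", OUTSIDE_IP, 0, remote, 0))
    r["router_ping_reply"] = fw.inbound(Packet("icmp", remote, 0, OUTSIDE_IP, 0))
    # 3. Unsolicited VPN connection to the router on TCP/443: explicit ACL permit.
    r["vpn_in"] = fw.inbound(Packet("tcp", scanner, 51000, OUTSIDE_IP, 443))
    # 4. Unsolicited SSH attempt against the router: hits 'deny ip any any log'.
    r["ssh_in"] = fw.inbound(Packet("tcp", scanner, 51001, OUTSIDE_IP, 22))
    # 5. Unsolicited packet aimed straight at an inside host: same deny row.
    r["lan_direct_in"] = fw.inbound(Packet("udp", scanner, 53, lan_host, 53))
    # 6. A protocol missing from the inspect list (GRE here) leaves, but its reply is dropped:
    #    every protocol the router itself originates needs its own 'router-traffic' line.
    fw.outbound(Packet("gre", OUTSIDE_IP, 0, remote, 0))
    r["gre_reply"] = fw.inbound(Packet("gre", remote, 0, OUTSIDE_IP, 0))
    r["log_entries"] = len(fw.denied)
    return r


if __name__ == "__main__":
    for name, verdict in walkthrough().items():
        print(f"{name:18} {verdict}")
```

Running the script prints a verdict per scenario. Scenarios 1 and 2 show why the outbound direction on the outside interface is the right place for the inspect statement: both LAN-initiated and router-initiated sessions get their replies back without any inbound permit. Scenario 6 shows the failure mode of an incomplete inspect list, which on a real router shows up as a logged deny for the reply packet.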