12-02-2009 08:09 AM - edited 03-04-2019 06:51 AM
Perhaps this is a discussion on ip inspect... I looked here but it didn't provide an answer on what exactly it does?
My 1811 is shipped with the following:
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
However, do these have to be applied to an interface in order to make it work?
I see it here
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
But what exactly is it doing? Is it just looking at packets for cuseeme, ftp, h323, etc.?
What action is it taking? What if I remove that statement? Is this causing a huge load on my router because of inspection?
12-02-2009 09:01 AM
It's turning on stateful inspection for the listed protocols that are leaving interface FastEthernet0. It's turning the router into a stateful router/firewall. If you remove it, the inspection will stop. The inspection makes sure that if the application wants to change ports, the router will allow it, and it can track the TCP state of the application traversing on the appropriate ports. The load really depends on how much traffic is flowing through the interface. Generally speaking it doesn't take up too many resources.
Hope it helps.
12-02-2009 09:04 AM
nygenxny123 wrote:
Perhaps this is a discussion on ip inspect... I looked here but it didn't provide an answer on what exactly it does?
My 1811 is shipped with the following:
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
However, do these have to be applied to an interface in order to make it work?
I see it here
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
But what exactly is it doing? Is it just looking at packets for cuseeme, ftp, h323, etc.?
What action is it taking? What if I remove that statement? Is this causing a huge load on my router because of inspection?
Inspect ... is the way you configure CBAC (Context Based Access Control), which is Cisco's firewall for the IOS router.
Yes they need to be applied to an interface.
Yes there is an overhead on the router because this is done in software, not hardware.
If you remove the "ip inspect ..." interface command then it won't do firewalling.
As well as generic stateful firewall capabilities such as TCP/UDP, inspect can also understand certain apps/protocols to a greater level, eg. h323, sqlnet, esmtp. Often this extra understanding is there because these protocols do funny things with ports, eg. ftp/sqlnet etc.
Have a read of this link for more details -
Jon
12-03-2009 11:05 AM
OK... so if these ip inspects are applied to an interface, the interface will FW on those listed protocols... allowing them.
But as with a FW... isn't there an implied deny at the end of all rules?
So wouldn't the interface not allow any protocols other than the ones listed in the IP inspect?
12-03-2009 11:13 AM
nygenxny123 wrote:
OK... so if these ip inspects are applied to an interface, the interface will FW on those listed protocols... allowing them.
But as with a FW... isn't there an implied deny at the end of all rules?
So wouldn't the interface not allow any protocols other than the ones listed in the IP inspect?
Well yes, but bear in mind that you have 3 generic inspect statements, i.e.
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
which cover pretty much all IP based applications.
If you needed to allow some other protocol through, such as GRE, then you would need to explicitly allow it in your ACL.
Jon
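As an added example (not from the thread or from the 1811's shipped configuration), here is how the inbound ACL 101 and the outbound inspect rule fit together on the outside interface; the GRE peer 203.0.113.10 and the LAN subnet 192.168.1.0/24 are constructed placeholders.

```cisco
! Added example, not from the thread. The GRE peer and LAN subnet below are
! constructed placeholders, not values from the original post.
!
! CBAC only inspects what is listed. The generic tcp/udp/icmp entries cover
! most application traffic; application-specific entries (ftp, h323,
! sqlnet, ...) add knowledge of the secondary channels those protocols open.
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
!
! Inbound ACL on the outside interface. Return traffic for sessions that CBAC
! inspected on the way out is let in by temporary entries CBAC adds, so it is
! not listed here. Anything CBAC does not inspect, such as GRE (IP protocol
! 47), hits the implicit deny unless it is explicitly permitted.
access-list 101 remark *** inbound from the Internet on FastEthernet0 ***
access-list 101 permit gre host 203.0.113.10 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip any any log
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0
 ip access-group 101 in
 ip inspect DEFAULT100 out
 ip virtual-reassembly
!
! Verification from enable mode: active inspected sessions, the inspection
! rules in effect, and ACL hit counters showing what is still being dropped.
! show ip inspect sessions
! show ip inspect config
! show access-lists 101
```

The bootps/bootpc line is there because the interface gets its address by DHCP and the server's replies are not part of any inspected session; the LAN-sourced deny drops spoofed packets arriving from the outside.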
12-10-2009 07:41 PM
great thx!