How to remove ip inspect config from Router

mahesh18
Level 6

 

Hi Everyone,

 

Our Internet router is configured with ip inspect on interface gi0/1 for internal traffic.

Here is the config:

interface GigabitEthernet0/0
 description ISP Network
 ip address x.x.x.x
 ip access-group 125 in
 ip access-group 129 out
 duplex full
 speed 100
 media-type rj45
 

interface GigabitEthernet0/1
 description Internal  Network
 ip address x.x.x.x
 ip access-group 106 in
 ip inspect corp in
 

The ip inspect config is:

ip inspect name corp appfw corp1httpmisuse
ip inspect name corp ssh timeout 300
ip inspect name corp ftp timeout 300
ip inspect name corp dns timeout 300

ip inspect name corp udp timeout 600
ip inspect name corp https timeout 300
ip inspect name corp pop3 timeout 300

ip inspect name corp user-vpn timeout 300
ip inspect name corp tcp timeout 600
ip inspect name corp ntp timeout 300

 

appfw policy-name corp1httpmisuse
  application http
    strict-http action allow alarm
    port-misuse default action allow alarm

 

For some reason we need to remove ip inspect from the inside interface.

When I did that, users were unable to access the internet and NTP was not working either.

The logs were showing this:

 %SEC-6-IPACCESSLOGP: list 125 denied udp x.x.x.x(53) -> x.x.x.x(19935), 1 packet

It seems DNS from the ISP is denied by ACL 125 on the outside interface.

So we put the ip inspect back on the interface.

To make NTP and the internet work, should I allow NTP and DNS traffic on the outside interface gi0/0 under ACL 125?

Also, for all the ip inspect config that inspects specific traffic as it goes out to the internet on specific ports, should I allow that traffic on the outside interface gi0/0 under the ACL in the inbound direction?

Regards

Mahesh

 


7 Replies

John Blakley
VIP Alumni

Mahesh,

Inspects allow return traffic in if there's a related session associated in the session table. When you remove the inspect, if you don't allow the traffic out, or don't specifically allow that traffic back in, the traffic will get dropped like you noticed. You can remove the inspects, but you would also need to allow all of your related traffic through both of your acls. For example, if you wanted to allow 80 out, you'd create a rule for that in your out, and then you'd need to create another rule for your in acl.

Yes, anything that you're specifying to inspect in the inspect, you'd want to take into account in the acl.

HTH,

John
 

HTH, John *** Please rate all useful posts ***

Mahesh

 

John is correct. There is a dynamic relationship between inspect on Gig0/1 and ACL 125 and 129 on Gig0/0. When inspect sees traffic on Gig0/1 it dynamically creates entries in ACL 125 and 129 to allow that traffic. When you remove inspect from Gig0/0 then the dynamic entries do not get created in 125 and 129 and the traffic gets denied by ACL. So if you remove inspect on Gig0/0 then you need to rewrite 125 and 129 to manually specify what traffic is to be permitted and what is to be denied.

 

HTH

Rick

 

Many thanks for the great reply.

Best regards

Mahesh

 

Hi John,

It seems that to fix this I need to permit traffic on the outside interface gi0/0 under ACL 125 in the inbound direction, as per the logs.

Do I also need to modify ACL 129 on the outside interface in the outbound direction?

Regards

Mahesh

Mahesh,

As Rick stated, those entries are no longer dynamically created, so if you have any traffic that was inspected by the inspect rule, but explicitly denied by the acl, you'll need to modify the acl to now allow that traffic. You will need to take both acls into account when modifying them as to what type of traffic was allowed out/in by the inspect.

For example, say you have an inspect that inspects http traffic. Your acl may deny all http traffic inbound:

access-list 100 deny tcp any any eq 80

access-list 100 permit ip any any

Your inspect may allow it:

ip inspect name FW http

 

On your interface, you have both:

int g0/1 (wan interface)

ip inspect FW out

ip access-group 100 in

 

When someone on the inside needs to get to a web page, a session gets created and it allows the return traffic in even though the acl explicitly denies the http traffic. If you remove the inspects, as Rick noted, those rules don't get created any longer. Now the users would not be able to get to the internet because the acl is explicitly denying traffic coming from port 80 which includes return traffic. You would need to change acl 100 in the example to now allow 80 inbound. This is also why I said you'd need to take a look to see what the inspects were inspecting. If you have any non-standard ports configured, you'd need to take those into account in your acl.

HTH,

John

HTH, John *** Please rate all useful posts ***

 

Many thanks John.

Regards

Mahesh

You're welcome! I need to correct the acl though. I did it in a rush to leave the house :) The return traffic will come from port 80, so the acl should look like:

access-list 100 permit tcp any eq 80 any

access-list 100 deny ip any any

This should allow the return traffic back in. The deny any line is just the catch-all.

HTH,

John

 

HTH, John *** Please rate all useful posts ***
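The dynamic relationship Rick describes (inspect on the inside interface opening temporary holes in the outside ACL), and the static ACL rewrite John sketches and then corrects, modelled as an added Python toy filter. This is an illustration written for this thread, not Cisco IOS code and not anything the posters provided. It assumes a made-up inside host 10.0.0.10 and ISP resolver 203.0.113.53 (constructed addresses), a constructed stand-in for ACL 125 consisting of a bare deny (the thread never shows the real ACL 125, only that it denied the DNS reply), and only the inbound ACL on g0/0; ACL 129 in the outbound direction is not modelled. It goes one step beyond the thread by also showing what the rewrite costs: a static permit keyed on source port admits any packet that claims that source port, which the inspect session table would have dropped.

```python
"""Toy model of CBAC 'ip inspect' vs a static inbound ACL (added illustration)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry. A port of None means 'any' for that side."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    sport: Optional[int] = None  # 'eq N' on the source side
    dport: Optional[int] = None  # 'eq N' on the destination side

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def acl_lookup(acl, pkt: Packet) -> str:
    """First matching entry wins; IOS appends an implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


class Router:
    """g0/1 inside with 'ip inspect ... in'; g0/0 outside with ACL 125 'in'."""

    def __init__(self, acl_125, inspect_enabled: bool):
        self.acl_125 = list(acl_125)
        self.inspect_enabled = inspect_enabled
        self.sessions = set()   # session table built by inspect
        self.log = []           # what the ACL's 'log' keyword would emit

    def inside_to_outside(self, pkt: Packet) -> str:
        # Inspect records the outbound flow so the matching reply is recognised.
        if self.inspect_enabled:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def outside_to_inside(self, pkt: Packet) -> str:
        # The dynamic (session) entries are checked before the static ACL 125.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.inspect_enabled and key in self.sessions:
            return "permit"
        verdict = acl_lookup(self.acl_125, pkt)
        if verdict == "deny":
            self.log.append("%SEC-6-IPACCESSLOGP: list 125 denied "
                            f"{pkt.proto} {pkt.src}({pkt.sport}) -> "
                            f"{pkt.dst}({pkt.dport}), 1 packet")
        return verdict


# Constructed ACLs: the thread never shows the real ACL 125, so these stand in.
ACL_125_ORIGINAL = [Ace("deny", "ip")]
ACL_125_REWRITTEN = [
    Ace("permit", "udp", sport=53),    # DNS answers from the ISP resolver
    Ace("permit", "udp", sport=123),   # NTP replies
    Ace("permit", "tcp", sport=80),    # HTTP return traffic (John's corrected entry)
    Ace("deny", "ip"),                 # catch-all, as in John's example
]

INSIDE, RESOLVER = "10.0.0.10", "203.0.113.53"          # constructed addresses
DNS_QUERY = Packet("udp", INSIDE, 19935, RESOLVER, 53)
DNS_REPLY = Packet("udp", RESOLVER, 53, INSIDE, 19935)
UNSOLICITED = Packet("udp", RESOLVER, 53, INSIDE, 22)  # no inside host asked for this


def run(acl_125, inspect_enabled: bool, outbound, inbound):
    """Send one optional outbound packet, then one inbound; return (verdict, log)."""
    r = Router(acl_125, inspect_enabled)
    if outbound is not None:
        r.inside_to_outside(outbound)
    return r.outside_to_inside(inbound), r.log


if __name__ == "__main__":
    print(run(ACL_125_ORIGINAL, True, DNS_QUERY, DNS_REPLY))     # inspect on: permit
    print(run(ACL_125_ORIGINAL, False, DNS_QUERY, DNS_REPLY))    # inspect off: deny + log
    print(run(ACL_125_REWRITTEN, False, DNS_QUERY, DNS_REPLY))   # rewritten ACL: permit
    print(run(ACL_125_REWRITTEN, False, None, UNSOLICITED))      # cost of the rewrite
```

The second call reproduces the `%SEC-6-IPACCESSLOGP ... denied udp ...(53)` line from the original post: once inspect is gone, the DNS reply is judged by the static ACL alone. The fourth call is the caveat a practitioner should weigh before rewriting ACL 125 and 129: `permit udp any eq 53 any` has no notion of "was this requested", so anything sourced from port 53 is admitted, whereas with inspect on and the original ACL that same packet is dropped.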