15 Replies  Latest reply: May 15, 2014 1:46 PM by BarbarianFrog

    IP Inspect

    jusan101781

      What exactly does IP Inspect do?  Can you provide an example on how it can be used?  Thanks!

        • 1. Re: IP Inspect
          Paul Stewart  -  CCIE Security

          IP inspect helps a router act more like an ASA.  So the goal is to only allow certain traffic inbound.  For example, let's consider an inbound access-list that is very restrictive or "deny ip any any".  Using this logic, the inside hosts can make requests to outside servers, but they don't receive the responses.  A TCP 3-way handshake can't even happen.  So what we can do is inspect traffic outbound.  What that does is build a state table in the router that allows the return traffic to bypass the inbound ACL.  The inspect actually does some protocol validation on the initial outbound traffic in this case.  So a very simple configuration might look like the following.

          ip inspect name FWOUT tcp
          ip inspect name FWOUT udp
          ip inspect name FWOUT icmp
          ip inspect name FWOUT ftp
          ! ftp is important to inspect because it can use a secondary port initiated from the outside
          !
          ip access-list extended INBOUND
           deny ip any any
          !
          int fa0/0
           description OUTSIDE
           ip access-group INBOUND in
           ip inspect FWOUT out
           ip address 1.1.1.1 255.255.255.0
           ip nat outside
          !
          int fa0/1
           description INSIDE
           ip address 192.168.0.1 255.255.255.0
           ip nat inside

          • 2. Re: IP Inspect
            Keith Barker - CCIE RS/Security, CISSP

            Paul is right on the money.

            Here is a brief video demonstration of Context Based Access Control (CBAC) that I made last week.

            You may double click to make the video larger.

            Best wishes,

            Keith

            • 3. Re: IP Inspect
              jusan101781

              Thanks!  You guys are awesome!

              • 4. Re: IP Inspect
                tylerlucas

                Wow - awesome video Keith.  Thanks.

                On which routers is IP Inspect typically applied? Internet facing only I assume?

                • 5. Re: IP Inspect
                  Osvaldo

                  Thanks. Pretty clear.

                  • 6. Re: IP Inspect
                    ananth

                    Also, to make things clear:

                    CBAC, where ip inspect is used, brings statefulness to the protocol it is inspecting.

                    The reason I made this point is that the evaluate statement in reflexive access lists does not have statefulness built in. So it cannot inspect or evaluate protocols like FTP and TFTP accurately.

                    • 7. Re: IP Inspect
                      Florian Cokl

                      Wow!

                      AbsoCBAClutely great video - I haven't seen anything like it yet. Concise yet complete. Of course there is more - but there's always more to say, and this video builds the foundation.

                      THANK YOU

                      • 8. Re: IP Inspect
                        Sixmill

                        Keith, between you and Paul, this is the most informative thread I've ever read. Thank you so much, guys!

                        • 9. Re: IP Inspect
                          Nersas Marin

                          Totally, Sixmill, this thread has been really useful to my understanding of IP inspect.

                          • 10. Re: IP Inspect
                            Walter Steadman

                            Greetings all,

                            I know this is an older post, but figured it might be the best place to get this resolved.

                            I have a router set up with the configuration below, and ICMP is not working. While I logic through it and think it should work, I can't figure out what is going on.

                            R1#ping 10.1.1.2
                            Type escape sequence to abort.
                            Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
                            .....
                            Success rate is 0 percent (0/5)

                            And my syslog message is that it is being denied by policy:

                            000076: *Apr  7 14:05:30.000 UTC: %SEC-6-IPACCESSLOGDP: list autosec_firewall_acl denied icmp 10.1.1.2 -> 10.1.1.1 (0/0), 5 packets     192.168.2.1    07/04 14:05:30.597

                            CONFIGURATION INFORMATION BELOW:
                            ======================================================
                            R1#sh ip inspect all
                            Session audit trail is enabled
                            Session alert is enabled
                            one-minute (sampling period) thresholds are [unlimited : unlimited] connections
                            max-incomplete sessions thresholds are [unlimited : unlimited]
                            max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
                            tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
                            tcp idle-time is 14400 sec -- udp idle-time is 1800 sec
                            tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
                            dns-timeout is 7 sec
                            Inspection Rule Configuration
                            Inspection name autosec_inspect
                                icmp alert is on audit-trail is on timeout 5
                                cuseeme alert is on audit-trail is on timeout 3600
                                ftp alert is on audit-trail is on timeout 3600
                                http alert is on audit-trail is on timeout 3600
                                rcmd alert is on audit-trail is on timeout 3600
                                realaudio alert is on audit-trail is on timeout 3600
                                smtp max-data 20000000 alert is on audit-trail is on timeout 3600
                                tftp alert is on audit-trail is on timeout 30
                                udp alert is on audit-trail is on timeout 15
                                tcp alert is on audit-trail is on timeout 3600

                            Interface Configuration
                            Interface Serial0/0
                              Inbound inspection rule is not set
                              Outgoing inspection rule is autosec_inspect
                                icmp alert is on audit-trail is on timeout 5
                                cuseeme alert is on audit-trail is on timeout 3600
                                ftp alert is on audit-trail is on timeout 3600
                                http alert is on audit-trail is on timeout 3600
                                rcmd alert is on audit-trail is on timeout 3600
                                realaudio alert is on audit-trail is on timeout 3600
                                smtp max-data 20000000 alert is on audit-trail is on timeout 3600
                                tftp alert is on audit-trail is on timeout 30
                                udp alert is on audit-trail is on timeout 15
                                tcp alert is on audit-trail is on timeout 3600
                              Inbound access list is autosec_firewall_acl
                              Outgoing access list is not set
                            ==================================================

                            Access List:
                            ========================
                            Extended IP access list 100
                                10 permit udp any any eq bootpc
                            Extended IP access list autosec_firewall_acl
                                10 permit udp any any eq bootpc
                                15 permit eigrp any any (2154 matches)
                                18 permit tcp any any eq telnet (36 matches)
                                20 deny ip any any log (59 matches)
                            Extended IP access list sl_def_acl
                                10 deny tcp any any eq telnet log
                                20 deny tcp any any eq www log
                                30 deny tcp any any eq 22 log
                                40 permit tcp any any eq 22 log
                            ============================

                            Interface configuration
                            =============================
                            interface Serial0/0
                             ip address 10.1.1.1 255.255.255.252
                             ip access-group autosec_firewall_acl in
                             ip verify unicast source reachable-via rx allow-default 100
                             no ip redirects
                             no ip unreachables
                             no ip proxy-arp
                             ip inspect autosec_inspect out
                             clock rate 2000000
                            end
                            ========================

                            Thanks in advance
                            Wally

                            • 11. Re: IP Inspect
                              Walter Steadman

                              I got it figured out.  I was pinging from the router and not the PC.  Works like a champ.

                              • 12. Re: IP Inspect
                                Elvin Arias

                                If you want to ping from the router to some destination you will have to apply an IP inspect policy in order to allow traffic locally generated by the router itself, with the "ip inspect name <NAME> router-traffic <PROTOCOL>" command.

                                Elvin
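As an added illustration (example code written for this thread, not code from the original posts or from Cisco IOS), the Python model below reproduces the behaviour Paul described and the router-generated ping problem Walter hit: outbound inspection builds a state table that lets return traffic bypass a deny-all inbound ACL, FTP inspection opens a pinhole for the server-initiated data connection, and locally generated traffic is only inspected when the modelled router-traffic option is enabled. NAT, timeouts and the other protocols are left out, and the FTP PORT command value is constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    local: bool = False   # True when the router itself generated the packet
    payload: str = ""     # application data; only FTP "PORT" commands are parsed


@dataclass
class CbacRouter:
    """Models the OUTSIDE interface with 'ip access-group INBOUND in'
    (deny ip any any) and 'ip inspect FWOUT out': only the state table
    built by outbound inspection lets traffic back in."""
    inspect: set                                      # ip inspect name FWOUT <proto>
    router_traffic: set = field(default_factory=set)  # ... router-traffic <proto>
    sessions: set = field(default_factory=set)        # state table of 5-tuples
    pinholes: set = field(default_factory=set)        # FTP data channels (client, port)

    def outbound(self, pkt: Packet) -> bool:
        """Inspect a packet leaving OUTSIDE; True if a session entry was created."""
        if pkt.proto not in self.inspect:
            return False
        if pkt.local and pkt.proto not in self.router_traffic:
            return False  # locally generated traffic is not inspected by default
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        # FTP application inspection: an active-mode PORT command names the
        # client address/port the server will connect back to, so a pinhole
        # is opened for that server-initiated data connection.
        if ("ftp" in self.inspect and pkt.proto == "tcp" and pkt.dport == 21
                and pkt.payload.startswith("PORT ")):
            h1, h2, h3, h4, p_hi, p_lo = (int(x) for x in pkt.payload[5:].split(","))
            self.pinholes.add((f"{h1}.{h2}.{h3}.{h4}", p_hi * 256 + p_lo))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Decide whether a packet arriving on OUTSIDE is forwarded."""
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply in self.sessions:
            return True   # return traffic of an inspected session bypasses the ACL
        if pkt.proto == "tcp" and (pkt.dst, pkt.dport) in self.pinholes:
            return True   # FTP data channel opened by application inspection
        return False      # everything else hits 'deny ip any any'
```

Inspecting only "tcp" without "ftp" still creates the control-channel session but no pinhole, which is exactly why the FTP line matters in Paul's configuration.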

                                • 13. Re: IP Inspect
                                  Philozow

                                  Thanks Paul! Very nice explanation.

                                  Is this approach better than using the "established" option in an ACL?

                                  Do I understand correctly that there are several types of firewall configuration in IOS:

                                  1) Pure ACL
                                  2) ACL + inspect commands
                                  3) Zone based firewall

                                  Or maybe I missed something?

                                  Thank you in advance.

                                  • 14. Re: IP Inspect
                                    vitormarcelus

                                    Great explanation from Paul and Keith
