IP Inspect

May 12, 2010 9:39 PM

jusan101781 5 posts since
Jul 16, 2008

What exactly does IP Inspect do?  Can you provide an example on how it can be used?  Thanks!

  • Paul Stewart  -  CCIE Security, CCSI 6,962 posts since
    Jul 18, 2008
    1. May 12, 2010 9:53 PM (in response to jusan101781)
    Re: IP Inspect

    IP inspect helps a router act more like an ASA.  So the goal is to only allow certain traffic inbound.  For example, let's consider an inbound access-list that is very restrictive or "deny ip any any".  Using this logic, the inside hosts can make requests to outside servers, but they don't receive the responses.  A TCP 3-way handshake can't even happen.  So what we can do is inspect traffic outbound.  What that does is build a state table in the router that allows the return traffic to bypass the inbound ACL.  The inspect actually does some protocol validation on the initial outbound traffic in this case.  So a very simple configuration might look like the following.

    ip inspect name FWOUT tcp
    ip inspect name FWOUT udp
    ip inspect name FWOUT icmp
    ip inspect name FWOUT ftp
    ! ftp is important to inspect because it can use a secondary port initiated from the outside

    ip access-list extended INBOUND
     deny ip any any

    int fa0/0
     description OUTSIDE
     ip access-group INBOUND in
     ip inspect FWOUT out
     ip address 1.1.1.1 255.255.255.0
     ip nat outside

    int fa0/1
     description INSIDE
     ip address 192.168.0.1 255.255.255.0
     ip nat inside

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    2. May 12, 2010 10:06 PM (in response to jusan101781)
    Re: IP Inspect

    Paul is right on the money.

    Here is a brief video demonstration of Context Based Access Control (CBAC) that I made last week.

    You may double click to make the video larger.

    Best wishes,

    Keith

  • tylerlucas 1 posts since
    Jul 12, 2009
    Re: IP Inspect

    Wow - awesome video Keith.  Thanks.

    On which routers is IP Inspect typically applied? Internet facing only I assume?

  • Osvaldo 2 posts since
    Aug 25, 2008
    Re: IP Inspect

    Thanks. Pretty Clear

  • ananth 10 posts since
    Mar 2, 2009
    6. Jun 24, 2011 10:30 PM (in response to jusan101781)
    Re: IP Inspect

    Also, to make things clear:

    CBAC, where ip inspect is used, brings statefulness to the protocol it is inspecting.

    The reason I make this point is that the evaluate statement in reflexive access lists does not have statefulness built in, so it cannot inspect or evaluate protocols like FTP or TFTP accurately.

  • Florian Cokl 4 posts since
    Jul 24, 2008
    Re: IP Inspect

    Wow!

    AbsoCBAClutely great video - I haven't seen anything like it yet. Concise yet complete. Of course there is more - but there's always more to say, and this video builds the foundation.

    THANK YOU

  • Sixmill 22 posts since
    Dec 16, 2011
    Re: IP Inspect

    Keith, between you and Paul, this is the most informative thread I've ever read. Thank you so much, guys!

  • Nersas Marin 61 posts since
    Oct 24, 2009
    9. Feb 29, 2012 5:01 AM (in response to Sixmill)
    Re: IP Inspect

    Totally, Sixmill, this thread has been really useful to my understanding of IP inspect.

  • Walter Steadman 3 posts since
    Sep 9, 2008
    10. Apr 7, 2012 12:08 PM (in response to jusan101781)
    Re: IP Inspect

    Greetings all,

    I know this is an older post, but I figured it might be the best place to get this resolved.

    I have a router set up with the configuration below, and ICMP is not working, even though when I logic through it I think it should work.  I can't figure out what is going on.

    R1#ping 10.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    And my syslog message is that it is being denied by policy:

    000076: *Apr  7 14:05:30.000 UTC: %SEC-6-IPACCESSLOGDP: list autosec_firewall_acl denied icmp 10.1.1.2 -> 10.1.1.1 (0/0), 5 packets     192.168.2.1    07/04 14:05:30.597

    CONFIGURATION INFORMATION BELOW:
    ======================================================
    R1#sh ip inspect all
    Session audit trail is enabled
    Session alert is enabled
    one-minute (sampling period) thresholds are [unlimited : unlimited] connections
    max-incomplete sessions thresholds are [unlimited : unlimited]
    max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
    tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
    tcp idle-time is 14400 sec -- udp idle-time is 1800 sec
    tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
    dns-timeout is 7 sec
    Inspection Rule Configuration
    Inspection name autosec_inspect
        icmp alert is on audit-trail is on timeout 5
        cuseeme alert is on audit-trail is on timeout 3600
        ftp alert is on audit-trail is on timeout 3600
        http alert is on audit-trail is on timeout 3600
        rcmd alert is on audit-trail is on timeout 3600
        realaudio alert is on audit-trail is on timeout 3600
        smtp max-data 20000000 alert is on audit-trail is on timeout 3600
        tftp alert is on audit-trail is on timeout 30
        udp alert is on audit-trail is on timeout 15
        tcp alert is on audit-trail is on timeout 3600

    Interface Configuration
    Interface Serial0/0
      Inbound inspection rule is not set
      Outgoing inspection rule is autosec_inspect
        icmp alert is on audit-trail is on timeout 5
        cuseeme alert is on audit-trail is on timeout 3600
        ftp alert is on audit-trail is on timeout 3600
        http alert is on audit-trail is on timeout 3600
        rcmd alert is on audit-trail is on timeout 3600
        realaudio alert is on audit-trail is on timeout 3600
        smtp max-data 20000000 alert is on audit-trail is on timeout 3600
        tftp alert is on audit-trail is on timeout 30
        udp alert is on audit-trail is on timeout 15
        tcp alert is on audit-trail is on timeout 3600
      Inbound access list is autosec_firewall_acl
      Outgoing access list is not set
    ==================================================

    Access List:
    ========================
    Extended IP access list 100
        10 permit udp any any eq bootpc
    Extended IP access list autosec_firewall_acl
        10 permit udp any any eq bootpc
        15 permit eigrp any any (2154 matches)
        18 permit tcp any any eq telnet (36 matches)
        20 deny ip any any log (59 matches)
    Extended IP access list sl_def_acl
        10 deny tcp any any eq telnet log
        20 deny tcp any any eq www log
        30 deny tcp any any eq 22 log
        40 permit tcp any any eq 22 log
    ============================

    Interface configuration
    =============================
    interface Serial0/0
    ip address 10.1.1.1 255.255.255.252
    ip access-group autosec_firewall_acl in
    ip verify unicast source reachable-via rx allow-default 100
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect autosec_inspect out
    clock rate 2000000
    end
    ========================

    Thanks in advance

    Wally

  • Walter Steadman 3 posts since
    Sep 9, 2008
    11. Apr 7, 2012 1:44 PM (in response to Walter Steadman)
    Re: IP Inspect

    I got it figured out.  I was pinging from the router and not the PC.  Works like a champ.

  • Elvin Arias 1,837 posts since
    Mar 12, 2010
    12. Apr 7, 2012 1:52 PM (in response to Walter Steadman)
    Re: IP Inspect

    If you want to ping from the router to some destination you will have to apply an IP inspect policy in order to allow traffic locally generated from the router itself with the "ip inspect name <NAME> router-traffic <PROTOCOL>" command.

    Elvin
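Added illustration, not IOS code and not from any of the posters: a small Python model of the mechanism Paul describes, ananth's point about application-layer statefulness, and Elvin's router-traffic note. An outbound inspect rule fills a session table that inbound packets are matched against before the deny-all ACL; FTP inspection pre-opens the server-initiated data channel that a merely mirrored tuple (generic tcp inspection, or a reflexive-ACL evaluate) would block; and a router-sourced ping is only tracked when router-traffic is set. The hosts, ports and PORT command in demo() are constructed, and NAT is left out of the model.

```python
from collections import namedtuple

# proto is "tcp", "udp" or "icmp"; for icmp, sport and dport both carry the echo identifier
Pkt = namedtuple("Pkt", "proto src dst sport dport payload", defaults=[""])

class CbacRouter:
    """OUTSIDE interface with a deny-all inbound ACL and an outbound 'ip inspect' rule."""
    def __init__(self, own_ip, inspect_protos, router_traffic=False):
        self.own_ip = own_ip
        self.inspect = set(inspect_protos)
        self.router_traffic = router_traffic  # models the router-traffic keyword
        self.sessions = set()                 # state table keyed by inside->outside tuple
        self.log = []                         # stands in for the %SEC-6-IPACCESSLOGDP syslog

    def outbound(self, p):
        """Packet leaving OUTSIDE: record state only for inspected, eligible flows."""
        if p.proto not in self.inspect:
            return False
        if p.src == self.own_ip and not self.router_traffic:
            return False  # locally generated traffic is not inspected (Walter's ping)
        self.sessions.add((p.proto, p.src, p.dst, p.sport, p.dport))
        if "ftp" in self.inspect and p.dport == 21 and p.payload.startswith("PORT "):
            # Active FTP: the server connects from tcp/20 to the port in PORT; pre-open it
            h1, h2, h3, h4, hi, lo = (int(x) for x in p.payload[5:].split(","))
            self.sessions.add(("tcp", f"{h1}.{h2}.{h3}.{h4}", p.dst, hi * 256 + lo, 20))
        return True

    def inbound(self, p):
        """Packet arriving on OUTSIDE: session table first, then 'deny ip any any'."""
        if p.proto == "icmp":
            key = ("icmp", p.dst, p.src, p.sport, p.dport)   # echo id is the same both ways
        else:
            key = (p.proto, p.dst, p.src, p.dport, p.sport)  # mirror of the outbound tuple
        if key in self.sessions:
            return "permit"
        self.log.append(f"list INBOUND denied {p.proto} {p.src} -> {p.dst}")
        return "deny"

def demo(router_traffic=False, inspect_ftp=True):
    protos = ["tcp", "udp", "icmp"] + (["ftp"] if inspect_ftp else [])
    r = CbacRouter("1.1.1.1", protos, router_traffic)
    r.outbound(Pkt("tcp", "192.168.0.10", "203.0.113.5", 40000, 21, "PORT 192,168,0,10,156,65"))
    r.outbound(Pkt("icmp", "1.1.1.1", "10.1.1.2", 7, 7))  # ping sourced by the router itself
    return {
        "ftp_control_reply": r.inbound(Pkt("tcp", "203.0.113.5", "192.168.0.10", 21, 40000)),
        "ftp_data_channel": r.inbound(Pkt("tcp", "203.0.113.5", "192.168.0.10", 20, 40001)),
        "unsolicited_ssh": r.inbound(Pkt("tcp", "203.0.113.5", "192.168.0.10", 4444, 22)),
        "router_ping_reply": r.inbound(Pkt("icmp", "10.1.1.2", "1.1.1.1", 7, 7)),
        "log": r.log,
    }
```

Running demo() with the defaults reproduces Walter's symptom (the router's own echo reply is denied), while demo(router_traffic=True) lets it through, and demo(inspect_ftp=False) shows the FTP data channel failing once only generic tcp state is kept.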

  • Philozow 13 posts since
    Aug 11, 2010
    Re: IP Inspect

    Thanks Paul! Very nice explanation.

    Is this approach better than using the "established" option in an ACL?

    Do I understand correctly that there are several types of firewall configuration in IOS:

    1) Pure ACL
    2) ACL + inspect commands
    3) Zone based firewall

    Or maybe I missed something?

    Thank you in advance.

  • vitormarcelus 2 posts since
    Jul 2, 2010
    14. Apr 9, 2014 2:37 PM (in response to jusan101781)
    Re: IP Inspect

    Great explanation from Paul and Keith.
