CBAC / IP Inspect Confusion
DComTalk.com Forum Index DComTalk.com
Discussion of VoIP, VPN, Video Conferencen, DSL and other data commucations.
 
 FAQFAQ   MemberlistMemberlist     RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 
 
Google
 
Web dcomtalk.com
CBAC / IP Inspect Confusion

 
Post new topic   Reply to topic    DComTalk.com Forum Index -> Cisco
Author Message
Guest
Posted: Tue Dec 06, 2005 5:20 pm    Post subject: CBAC / IP Inspect Confusion Reply with quote
We have recently installed a new Cisco 837 router running IOS version
12.3(2)XC2 and an issue relating to CBAC / 'ip inspect' command has
come to light.

When the 'ip inspect' command is applied outbound only on the Dialer0
interface, we are able to access/browse the Internet from the internal
network successfully but cannot receive incoming mail. Outgoing e-mail
is fine.

However, when the 'ip inspect' command (outbound) is removed from the
Dialer0 interface altogether, we are able to receive incoming mail but
cannot get to the Internet at all.

We've worked around this by applying the 'ip inspect' commands to the
Dialer0 interface both in AND outbound so as not to disrupt service but
think that surely this must only be a temporary measure due to the
increased security risk.

This router is configured in practically exactly the same way as
another 837 also running IOS version 12.3(2)XC2. With the 'ip inspect'
command applied outbound only on the Dialer0 interface of this second
router, we see none of the same issues and everything works fine.

I think that this may be a symptom of a misconfiguration rather than a
problem in itself but I don't know what. Could it be NAT or route maps?

I will post config if anyone wants to have a look.

Thank you in advance for you help & suggestions.
Back to top
Guest
Posted: Tue Dec 06, 2005 5:20 pm    Post subject: Re: CBAC / IP Inspect Confusion Reply with quote
You put an Access-list on the Dialer0 that
permits incoming mail and keep the Inspect.

access-l 100 permit tcp any host my.mail.server eq 25

int d0
access-g 100 in

substitute the EXTERNAL address of the mail server
for "my.mail.server".
Back to top
slim
Guest
Posted: Wed Dec 07, 2005 6:40 am    Post subject: Re: CBAC / IP Inspect Confusion Reply with quote
anybody43@hotmail.com wrote:
Quote:
You put an Access-list on the Dialer0 that
permits incoming mail and keep the Inspect.

access-l 100 permit tcp any host my.mail.server eq 25

int d0
access-g 100 in

substitute the EXTERNAL address of the mail server
for "my.mail.server".

Correct me if I'm wrong, but isn't the point of "ip inspect" to get

around manually defining ACL's? In fact, I believe in 12.3T, a feature
called "firewall ACL bypass" was introduced. If I understand it
correctly, that feature is to eliminate redundant ACL processing - an
inbound pass, inspect, and outbound pass, with the idea being that if
inspect "sees" the traffic, the other two ACL processes are assumed to
be performed.

I ask this because I'm starting to work with the firewall feature set
myself, and too have noticed odd behavior. In my case, with inspect on,
RTP flows between IP phones work. Shut it down, and I get one-way audio.
All of this with no ACL's. However, I have to explicitly define ACL's
for skinny even though it's configured to be inspected. Very odd, and I
don't understand the inconsistency.

Any insights would be appreciated!
Back to top
 
Post new topic   Reply to topic    DComTalk.com Forum Index -> Cisco All times are GMT
Page 1 of 1

 
 You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum




VoIP Solutions: Telephone Systems Electronics Satellite TV Tech & Gadgets
Powered by phpBB