From: Mike Stout (michaelgstout@gmail.com)
Date: Fri Dec 07 2007 - 18:03:25 ART
Thank You Eric.
Your answer was very helpful.
I modified my configuration slightly and added an inspection rule for http.
ip inspect name WWW http
ip inspect name WWW http java-list 1
access-list 1 deny any
I applied the inspection rule outbound on serial0/1/0
ip inspect WWW out
I then opened an http session from another device to a host on serial 0/1/0
and I got a session.
R4#show ip inspect sess
Established Sessions
Session 4777938C (120.5.72.145:26281)=>(120.5.72.2:80) http SIS_OPEN
R4#
I guess there is an implied access-list inbound on gig 0/0
Thank you again for your response.
On 12/7/07, Eric Phillips <ephillips@squick.cc> wrote:
>
> Hi Gary,
>
> CBAC is applied in the same direction as the traffic you want to track.
> So it could be applied on the inbound direction of the inside interface, or
> on the outbound direction of the outside interface.
>
> Putting CBAC on the inbound direction of the outside interface would only
> help incoming traffic, which is important if you are using a router as a
> firewall and NAT device, and have an FTP server on the inside that you want
> the outside folks to access. But that is a different case from what Mike
> mentioned.
>
> I do have a question though about there not being an access-list applied
> to the interface. With CBAC traffic inspection, the traffic must be
> denied for CBAC to pick it up. I am not familiar with the java filtering
> though, but I don't think CBAC will even inspect the traffic in any way
> without an ACL inbound on your outside ACL.
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm
>
>
> Quote:
> External Interface
>
> Here are some guidelines for your access lists when you will be
> configuring Cisco IOS Firewall on an external interface:
>
> If you have an outbound IP access list at the external interface, the
> access list can be a standard or extended access list. This outbound access
> list should permit traffic that you want to be inspected by Cisco IOS
> Firewall. If traffic is not permitted, it will not be inspected by Cisco IOS
> Firewall, but will be simply dropped.
>
> The inbound IP access list at the external interface must be an extended
> access list. This inbound access list should deny traffic that you want to
> be inspected by Cisco IOS Firewall. (Cisco IOS Firewall will create
> temporary openings in this inbound access list as appropriate to permit only
> return traffic that is part of a valid, existing session.)
> ---
>
> Hope that helps,
>
> Eric M. Phillips
>
>
> On 12/7/07, Gary Duncanson <gary.duncanson@googlemail.com> wrote:
>
> > Should that not be
> >
> > int Serial 0/0
> > > descr Link to Internet
> > > ip inspect NO-JAVA in
> > ----- Original Message -----
> > From: <v.shekhar@yahoo.com>
> > To: "Mike Stout" <michaelgstout@gmail.com>; <ccielab@groupstudy.com>
> > Sent: Friday, December 07, 2007 8:57 AM
> > Subject: Re: IP Inspect name NO-JAVA http java-list 1
> >
> >
> > > Looks fine to me.
> > >
> > > Thanks,
> > > -sHekHar.
> > > CCIE#17589/CISSP/RHCE.
> > >
> > > ----- Original Message ----
> > > From: Mike Stout <michaelgstout@gmail.com>
> > > To: ccielab@groupstudy.com
> > > Sent: Friday, December 7, 2007 5:00:16 AM
> > > Subject: IP Inspect name NO-JAVA http java-list 1
> > >
> > >
> > > Hello:
> > > Can anybody tell me if this is a correct config to protect the Ethernet LAN
> > > from receiving JAVA APPLETS from the internet which is connected to my
> > > serial interface??
> > >
> > > Router
> > > ip inspect name NO-JAVA http java-list 1
> > > access-list 1 deny any
> > > !
> > > interface Ethernet0/0
> > > descr Corp LAN
> > > !
> > > int Serial 0/0
> > > descr Link to Internet
> > > ip inspect NO-JAVA out
> > >
> > > Please notice, there is no ip access-group configured on the Ethernet or
> > > Serial.
> > >
> > > Thank You
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
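Pulling the thread together, here is an added example (my own, not the configuration of any poster here or of Cisco) that applies the quoted "External Interface" guidelines to Mike's original two-interface router: an inbound extended ACL on the outside interface denies the traffic to be inspected, the inspection rule is applied outbound on that same interface, and standard ACL 1 serves as the Java friendly list. IP addresses, the trusted web server 192.0.2.10 and the ACL name OUTSIDE-IN are assumed values.

```cisco
! Added example, not the configuration of anyone in this thread or Cisco's own.
! Interface names come from Mike's original post; IP addresses, the trusted
! web server 192.0.2.10 and the ACL name OUTSIDE-IN are assumed values.
!
! Standard ACL used as the Java "friendly" list (java-list only accepts a
! standard ACL): applets served by a host the list permits are allowed,
! applets from every other site are blocked. Mike's thread used
! "access-list 1 deny any", i.e. block applets from all sites.
access-list 1 permit host 192.0.2.10
access-list 1 deny any
!
! Inspection rule: HTTP with Java blocking, plus generic TCP/UDP so the
! return traffic of other outbound sessions is also let back in.
ip inspect name WWW http java-list 1
ip inspect name WWW tcp
ip inspect name WWW udp
! Log session creation/teardown to syslog so blocked and opened sessions are visible.
ip inspect audit-trail
!
! Inbound ACL on the Internet-facing interface. Per the quoted guideline it
! must be an extended ACL and must deny the inspected traffic; CBAC adds
! temporary openings only for replies that belong to a valid, existing session.
! ICMP error messages are permitted so path-MTU discovery and traceroute still
! work; everything else is dropped and logged.
ip access-list extended OUTSIDE-IN
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
interface Ethernet0/0
 description Corp LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0/0
 description Link to Internet
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect WWW out
!
! Verification after a client on the LAN browses to the Internet:
!   show ip inspect sessions   - the HTTP session should appear as SIS_OPEN,
!                                as in Mike's output above
```

Without the inbound ACL the router still builds the session entry Mike saw, but nothing is actually blocked at the interface; the ACL is what turns the inspection table into a stateful filter.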
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:29 ARST