From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Fri Dec 07 2007 - 19:59:24 ART
Maybe after the 'Firewall ACL Bypass' feature which was introduced in 12.3(X)T,
the need for an inbound ACL was done away with.
Previously it was required AFAIR.
Regards
Farrukh
On Dec 8, 2007 12:03 AM, Mike Stout <michaelgstout@gmail.com> wrote:
> Thank You Eric.
> Your answer was very helpful.
> I modified my configuration slightly and added an inspection rule for
> http.
>
> ip inspect name WWW http
> ip inspect name WWW http java-list 1
> access-list 1 deny any
>
> I applied the inspection rule outbound on serial0/1/0
> ip inspect WWW out
>
> I then opened an http session from another device to a host on serial
> 0/1/0 and I got a session.
> R4#show ip inspect sess
> Established Sessions
> Session 4777938C (120.5.72.145:26281)=>(120.5.72.2:80) http SIS_OPEN
> R4#
> I guess there is an implied access-list inbound on gig 0/0
>
> Thank you again for your response.
>
>
>
> On 12/7/07, Eric Phillips <ephillips@squick.cc> wrote:
> >
> > Hi Gary,
> >
> > CBAC is applied in the same direction as the traffic you want to track.
> > So it could be applied on the inbound direction of the inside interface,
> > or on the outbound direction of the outside interface.
> >
> > Putting CBAC on the inbound direction of the outside interface would
> > only help incoming traffic. Which is important if you are using a router
> > as a firewall and NAT device, and have an FTP server on the inside that
> > you want the outside folks to access. But that is a different case from
> > what Mike mentioned.
> >
> > I do have a question though about there not being an access-list applied
> > to the interface. With CBAC traffic inspection, the traffic must be
> > denied for CBAC to pick it up. I am not familiar with the java filtering
> > though, but I don't think CBAC will even inspect the traffic in any way
> > without an ACL inbound on your outside interface.
> >
> >
>
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm
> >
> >
> > Quote:
> > External Interface
> >
> > Here are some guidelines for your access lists when you will be
> > configuring Cisco IOS Firewall on an external interface:
> >
> > If you have an outbound IP access list at the external interface, the
> > access list can be a standard or extended access list. This outbound
> > access list should permit traffic that you want to be inspected by Cisco
> > IOS Firewall. If traffic is not permitted, it will not be inspected by
> > Cisco IOS Firewall, but will be simply dropped.
> >
> > The inbound IP access list at the external interface must be an extended
> > access list. This inbound access list should deny traffic that you want
> > to be inspected by Cisco IOS Firewall. (Cisco IOS Firewall will create
> > temporary openings in this inbound access list as appropriate to permit
> > only return traffic that is part of a valid, existing session.)
> > ---
> >
> > Hope that helps,
> >
> > Eric M. Phillips
> >
> >
> > On 12/7/07, Gary Duncanson < gary.duncanson@googlemail.com> wrote:
> >
> > > Should that not be
> > >
> > > int Serial 0/0
> > > > descr Link to Internet
> > > > ip inspect NO-JAVA in
> > > ----- Original Message -----
> > > From: < v.shekhar@yahoo.com>
> > > To: "Mike Stout" <michaelgstout@gmail.com>; < ccielab@groupstudy.com>
> > > Sent: Friday, December 07, 2007 8:57 AM
> > > Subject: Re: IP Inspect name NO-JAVA http java-list 1
> > >
> > >
> > > > Looks fine to me.
> > > >
> > > > Thanks,
> > > > -sHekHar.
> > > > CCIE#17589/CISSP/RHCE.
> > > >
> > > > ----- Original Message ----
> > > > From: Mike Stout <michaelgstout@gmail.com>
> > > > To: ccielab@groupstudy.com
> > > > Sent: Friday, December 7, 2007 5:00:16 AM
> > > > Subject: IP Inspect name NO-JAVA http java-list 1
> > > >
> > > >
> > > > Hello:
> > > > Can anybody tell me if this is a correct config to protect the
> > > > Ethernet LAN from receiving JAVA APPLETS from the internet, which is
> > > > connected to my serial interface??
> > > >
> > > > Router
> > > > ip inspect name NO-JAVA http java-list 1
> > > > access-list 1 deny any
> > > > !
> > > > interface Ethernet0/0
> > > > descr Corp LAN
> > > > !
> > > > int Serial 0/0
> > > > descr Link to Internet
> > > > ip inspect NO-JAVA out
> > > >
> > > > Please notice, there is no ip access-group configured on the Ethernet
> > > > or Serial.
> > > >
> > > > Thank You
> > > >
> > > >
> > >
> _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > --
> > Eric Phillips
> >
> > Senior Network Consultant
> > LTI Information Technology http://www.ltiit.com
> >
> > 501 Avis Drive
> > Ann Arbor, MI 48108
> > Phone: (734) 929-1400 Fax: (734) 929-1401
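Putting the pieces of this thread together, here is an added example (it is not a configuration anyone posted above): the NO-JAVA/WWW inspection rule combined with the inbound extended ACL on the external interface that the quoted 12.4 configuration guide calls for, so the setup does not rely on the ACL-bypass behaviour Farrukh mentions. The ACL name OUTSIDE-IN, the interface names and the addresses are assumptions.

```ios
! Added example, not from the thread. Names, interfaces and addresses are assumptions.
!
! Inspection rule: track TCP and UDP sessions leaving toward the Internet and
! inspect HTTP for Java applets. "java-list 1" points at a STANDARD ACL that
! lists "friendly" sites whose applets are allowed; with "access-list 1 deny any"
! no site is friendly, so applets from everywhere are blocked, which is what the
! original question asked for.
ip inspect name WWW tcp
ip inspect name WWW udp
ip inspect name WWW http java-list 1
access-list 1 deny any
!
! Inbound ACL on the external interface. Per the configuration guide it must be
! an EXTENDED ACL and it should DENY the traffic CBAC is inspecting; CBAC then
! adds temporary entries at the top of this list for return traffic of sessions
! it has seen leave. Anything that must arrive from the outside unsolicited
! (an inside FTP server, routing adjacencies, and ICMP if your release does not
! inspect it) needs an explicit permit here.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
interface Ethernet0/0
 description Corp LAN
 ip address 192.0.2.1 255.255.255.0
!
interface Serial0/0
 description Link to Internet
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect WWW out
```

To check it behaves as described, browse from the LAN and then run `show ip inspect sessions` (the command Mike used above) and `show ip access-lists OUTSIDE-IN`: while the session is open the dynamic permit entry CBAC created is listed ahead of the static `deny ip any any log` line, and it disappears when the session closes. Two caveats worth remembering: the `deny ... log` line will also log every legitimate return packet that arrives after its session has timed out, so watch the logging rate on a busy link, and the Java blocking only applies to applets CBAC can recognise in the HTTP stream it inspects; Cisco's documentation notes that applets delivered inside archives such as .zip or .jar files are not detected, so this is a nuisance filter rather than a control to rely on.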
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:29 ARST