From: Thor Kopp (thorkopp@googlemail.com)
Date: Thu May 29 2008 - 08:20:19 ART
What traffic are you inspecting? You don't have anything on the 'ip inspect
name TELNET' line; you need to specify tcp or telnet for it to match that
traffic. Regardless, the traffic is dropped by your outbound ACL. Traffic
that you want to inspect a) needs to be matched in the ip inspect name
TELNET global config command and b) needs to pass your outbound ACL.
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1000959
An outbound IP access list (standard or extended) is applied to the
external interface. This access list permits all packets that you want to
allow to exit the network, including packets you want to be inspected by
CBAC. In this case, Telnet packets are permitted.
An inbound extended IP access list is applied to the external interface.
This access list denies any traffic to be inspected by CBAC, including Telnet
packets. When CBAC is triggered with an outbound packet, CBAC creates a
temporary opening in the inbound access list to permit only traffic that is
part of a valid, existing session.
- Thor
On Thu, May 29, 2008 at 10:11 AM, raul raul <juvenn@hotmail.com> wrote:
> Hi,
>
> I need help on ip inspect.
>
> Question: When I telnet from R1 to R3, will it generate any
> Sess_audit_trail deny message or something like that?
> Because now the telnet traffic is dropped by R2 and I am not sure whether it
> will inspect the traffic.
> Can anybody explain?
>
> R1----->R2--------R3
>
>
> R2 <-configure ip inspect
>
> Let's say:
>
> ip inspect audit trail
> ip inspect name TELNET
>
> int s1/0
> ip inspect TELNET out
> ip access-group 101 in
> ip access-group 101 out
>
> access-list 101 deny tcp any host R3 eq telnet
> access-list 101 permit ip any any
>
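The configuration Thor describes, written out as an added example (not from the thread and not Cisco's own sample). It assumes s1/0 is R2's interface facing R3 and uses <R3-ADDRESS> as a placeholder for R3's IP address.

```cisco
! Added example, not from the thread. Assumes Serial1/0 on R2 faces R3 and
! <R3-ADDRESS> is a placeholder for R3's address.
!
! The command is hyphenated: audit-trail.
ip inspect audit-trail
!
! The poster's "ip inspect name TELNET" named no protocol, so it matched nothing.
ip inspect name TELNET telnet
!
! Outbound ACL (toward R3): must PERMIT the traffic you want inspected,
! otherwise it is dropped before CBAC ever sees it. The poster's ACL 101
! denied telnet here, which is why the session was dropped.
access-list 110 permit tcp any host <R3-ADDRESS> eq telnet
access-list 110 permit ip any any
!
! Inbound ACL (from R3): statically deny everything. CBAC inserts temporary
! entries ahead of this list only for the return half of sessions it saw
! leave through s1/0; "log" makes the denied, non-session traffic visible.
access-list 120 deny ip any any log
!
interface Serial1/0
 ip inspect TELNET out
 ip access-group 110 out
 ip access-group 120 in
```

With this in place a telnet from R1 to R3 passes ACL 110, is inspected, and generates a SESS_AUDIT_TRAIL start/stop message rather than being silently dropped.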
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2008 - 06:59:18 ART