IP Inspect

waru Member Posts: 41 ■■□□□□□□□□
Hi,

I'm studying for ISCW at the moment and have a question related to the ip inspect rule.

If I enter "ip inspect NAME tcp", this should allow all TCP traffic via the interface it is applied to. That being the case, why would I then need to add in any other protocols? For example, "ip inspect NAME esmtp"?

Surely once the generic TCP rule is entered, all protocols above the transport layer are being allowed, making the second rule redundant?

If somebody could point out what I'm getting wrong here, that would be grand!

Cheers
Waru

Comments

  • cisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    Is inspecting TCP even an option? TCP is already connection-oriented. In a stateful firewall I wouldn't think you would have a reason to inspect TCP... I'll have to go back over packet inspection, but that is my initial thought.
  • waru Member Posts: 41 ■■□□□□□□□□
    cisco_trooper wrote: Is inspecting TCP even an option? TCP is already connection-oriented. In a stateful firewall I wouldn't think you would have a reason to inspect TCP... I'll have to go back over packet inspection, but that is my initial thought.


    Yes, TCP is an option. Someone just cleared this up for me. The inspect command simply inspects; it doesn't allow or deny. This is handled by the ACL that is paired with the inspect command.

    So the IOS firewall will only inspect up to the TCP layer if that's all you specify. If you specify esmtp or whatever, it will also inspect that when it sees it.
  • SysAdmin4066 Member Posts: 443
    TCP inspection can help to mitigate SYN flooding attacks.
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
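As an added example (not posted by anyone in this thread, and not taken from Cisco documentation), the following IOS CBAC configuration ties together the two points made above: the inspect rule only tracks sessions, while the paired ACL does the allowing and denying, and the "tcp" keyword covers only the transport layer, so an application-specific keyword such as "esmtp" is still needed when the firewall should parse the application protocol (for SMTP, checking the commands used on the session; for a multi-channel protocol such as FTP, learning the data connection that a generic TCP entry cannot predict). It also shows the global TCP inspection thresholds that SysAdmin4066's reply refers to, which limit half-open (SYN-only) sessions. Hostnames, addresses, rule names and threshold values are constructed for the example; the command keywords themselves are standard IOS CBAC commands.

```cisco
! Constructed example: inside network 192.168.1.0/24, outside 203.0.113.0/24,
! mail server 203.0.113.10 sits on a DMZ reached through the inside side.
!
! --- Inspection rules (state tracking only; they permit nothing by themselves) ---
! Sessions started from the inside: generic transport-layer tracking.
ip inspect name IN_OUT tcp
ip inspect name IN_OUT udp
! Sessions started from the outside toward the mail server: application-aware
! SMTP inspection. "tcp" alone would track the session but not parse SMTP.
ip inspect name OUT_IN esmtp
!
! --- Global thresholds that make TCP inspection useful against SYN floods ---
! Seconds to wait for a TCP session to reach established before dropping it.
ip inspect tcp synwait-time 15
! Total half-open sessions: start deleting oldest half-open entries at "high",
! stop at "low" (illustrative values).
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! New-connection rate per minute, same high/low behaviour.
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-destination-host limit of half-open TCP sessions.
ip inspect tcp max-incomplete host 50 block-time 0
!
! --- The ACL that actually permits or denies ---
! Statically, only SMTP to the mail server may enter from outside.
! Return traffic for sessions inspected by IN_OUT is added to this ACL
! dynamically by CBAC and removed when the session ends.
ip access-list extended OUTSIDE_IN
 remark static hole for inbound mail; everything else denied
 permit tcp any host 203.0.113.10 eq smtp
 deny ip any any log
!
interface FastEthernet0/0
 description Outside
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE_IN in
 ! Inspect outbound sessions so their replies get through OUTSIDE_IN.
 ip inspect IN_OUT out
 ! Inspect the inbound SMTP sessions the ACL already allows, so that the
 ! SMTP commands are checked and the session state is tracked.
 ip inspect OUT_IN in
!
interface FastEthernet0/1
 description Inside
 ip address 192.168.1.1 255.255.255.0
```

To see the effect of the pairing, "show ip inspect sessions" lists the tracked sessions and "show ip access-lists OUTSIDE_IN" shows the temporary entries CBAC has opened for them; removing the "ip inspect IN_OUT out" line leaves the ACL unchanged but return traffic for inside-initiated sessions is then dropped by the final deny, which is the practical demonstration that the inspect command does not itself allow anything.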