IP Inspect
Hi,
I'm studying for ISCW at the moment and have a question related to the ip inspect rule.
If I enter ip inspect NAME tcp, this should allow all TCP traffic via the interface it is applied to. That being the case, why would I then need to add in any other protocols? For example, ip inspect NAME esmtp?
Surely once the generic TCP rule is entered, all protocols above the transport layer are being allowed, making the second rule redundant?
If somebody could point out what I'm getting wrong here, that would be grand!
Cheers
Waru
Comments
cisco_trooper:
Is inspecting TCP even an option? TCP is already connection-oriented. In a stateful firewall I wouldn't think you would have a reason to inspect TCP... I'll have to go back over packet inspection, but that is my initial thought.
waru:
cisco_trooper wrote: "Is inspecting TCP even an option? TCP is already connection-oriented. In a stateful firewall I wouldn't think you would have a reason to inspect TCP... I'll have to go back over packet inspection, but that is my initial thought."
Yes, TCP is an option. Someone just cleared this up for me. The inspect command simply inspects; it doesn't allow or deny. This is handled by the ACL that is paired with the inspect command.
So the IOS firewall will only inspect up to the TCP layer if that's all you specify. If you specify esmtp or whatever, it will also inspect that when it sees it.
SysAdmin4066:
TCP inspection can help to mitigate SYN flooding attacks.
In Progress: CCIE R&S Written, scheduled July 17th (tentative)
Next Up: CCIE R&S Lab
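Putting waru's answer (the ACL permits or denies, the inspect rule only decides what CBAC tracks) and SysAdmin4066's point (TCP inspection helps against SYN floods) together in one IOS configuration, as an added example that is not from any poster in this thread. Interface names, addresses and the ACL number are assumptions.

```cisco
! Added example (not from the thread): CBAC on an IOS router with an
! assumed inside interface FastEthernet0/0 and outside interface FastEthernet0/1.
!
! 1. The ACL is what permits or denies. Inbound on the outside interface it
!    blocks everything that CBAC has not dynamically opened for a session.
access-list 101 deny ip any any log
!
! 2. The inspect rule only decides what CBAC tracks. Generic tcp inspection
!    follows the TCP session (handshake, sequence numbers, teardown) so the
!    return traffic of sessions started from inside gets through ACL 101.
ip inspect name FWRULE tcp
! Adding esmtp does not "allow" more traffic; it makes CBAC also parse the
! SMTP dialogue inside those sessions and drop illegal commands.
ip inspect name FWRULE esmtp
! Log session creation and teardown to syslog.
ip inspect audit-trail
!
! 3. Half-open (embryonic) TCP session limits: this is where TCP inspection
!    helps against SYN floods. Above the high mark CBAC starts deleting the
!    oldest half-open sessions until the count falls below the low mark.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-destination-host limit; block-time 0 deletes the oldest half-open
! session for that host instead of blocking new connections to it.
ip inspect tcp max-incomplete host 50 block-time 0
!
interface FastEthernet0/0
 description inside
 ip address 10.0.0.1 255.255.255.0
 ! Inspect sessions started from the inside network.
 ip inspect FWRULE in
!
interface FastEthernet0/1
 description outside
 ip address 192.0.2.1 255.255.255.0
 ! Without the dynamic openings created by FWRULE, nothing gets in.
 ip access-group 101 in
!
! Verify with: show ip inspect sessions
```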