Velocity Reviews - Computer Hardware Reviews

ip inspect and access-list question

didier
 
      01-17-2004
Hi,
As I'm at a remote location, I do not want to lock myself out.
My DMZ can do anything; it browses and downloads from the Internet, etc. (even
if it is not secure, it is only for testing).

Now I would like the INTERNET to be able to do "PASSIVE" FTP (I don't want to
allow ftp-data) to a host on the DMZ. I want ip inspect to add temporary
entries to access-list 102 to allow return traffic and to protect the servers
from distributed denial of service attacks.

See the config of FastEthernet0 at the very end of this message; it's my
proposal. Would that work?

Ethernet0 is INTERNET
FastEthernet0 is DMZ

The INTERNET should be able to do passive FTP to the DMZ.

Here is my ip inspect config:
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name standard cuseeme
ip inspect name standard ftp
ip inspect name standard h323
ip inspect name standard http
ip inspect name standard rcmd
ip inspect name standard realaudio
ip inspect name standard smtp
ip inspect name standard sqlnet
ip inspect name standard streamworks
ip inspect name standard tcp
ip inspect name standard tftp
ip inspect name standard udp
ip inspect name standard vdolive
ip audit notify log
ip audit po max-events 100

Here are my access-lists (samples)
access-list 101 permit tcp any host 10.0.0.10 eq 22
access-list 101 deny icmp any any log-input
access-list 101 deny ip any any log-input
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 deny ip any any log-input

Here are now the interfaces (simplified, only access-group and inspect):
! In interface configuration mode the command takes the rule name directly
! ("ip inspect <name> in"), not "ip inspect name <name> in".
int eth0
ip access-group 101 in

int fast0
ip access-group 102 in
ip inspect standard in
-------------------------------
Here comes what I thought it should be:
New access-list 101
! I allow ftp traffic on eth0 (INTERNET) to come in
access-list 101 permit tcp any host 10.0.0.10 eq ftp
access-list 101 permit tcp any host 10.0.0.10 eq 22
access-list 101 deny icmp any any log-input
access-list 101 deny ip any any log-input

int fast0
ip access-group 102 in
ip inspect standard in
ip inspect standard out

Would that work if I add "ip inspect name standard out" to
FastEthernet0?
Please, I'm at a remote location, so be sure :)
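
The direction question in the post maps onto Cisco's documented CBAC pattern for sessions that begin on the outside: inspect on the Internet-facing interface in the inbound direction, so the FTP control connection is seen as it enters and the PASV data connection gets its temporary entry in the ACL that would otherwise drop it. The following is an added example written for this page; it is not the poster's final config and not text from Cisco. It assumes the thread's addressing (Ethernet0 = Internet, FastEthernet0 = DMZ, FTP server 10.0.0.10); the rule name from-internet, the ACL number 103 and the threshold values are choices made here.

```cisco
! Added example, not the poster's configuration.
! Assumes: Ethernet0 = INTERNET, FastEthernet0 = DMZ, FTP server 10.0.0.10.
!
! A separate inspect rule for sessions the Internet is allowed to start.
! Only ftp is listed: the generic tcp/udp entries of the "standard" rule
! are meant for DMZ-initiated sessions and are not needed here.
ip inspect name from-internet ftp
!
! Half-open (SYN) session thresholds CBAC uses to detect and throttle TCP
! floods against the servers (values are assumptions; tune to real traffic).
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 1
ip inspect tcp synwait-time 15
!
! New Internet-side ACL built under a fresh number (103) so the running
! ACL 101 with the SSH line stays in place until the swap below.
! Only the FTP control channel is opened; CBAC learns the port announced
! in the server's PASV reply and adds a temporary entry for that
! client-to-server data connection. ftp-data (port 20) stays closed.
access-list 103 permit tcp any host 10.0.0.10 eq ftp
access-list 103 permit tcp any host 10.0.0.10 eq 22
access-list 103 deny icmp any any log-input
access-list 103 deny ip any any log-input
!
interface Ethernet0
 description INTERNET
 ! inspect sessions as they arrive from the Internet; the dynamic
 ! entries land in the ACLs that would otherwise block the rest of
 ! the session (here the PASV data connection in ACL 103)
 ip inspect from-internet in
 ip access-group 103 in
!
interface FastEthernet0
 description DMZ
 ip access-group 102 in
 ! keep inspecting DMZ-initiated sessions so their return traffic is
 ! let through the Internet-side ACL
 ip inspect standard in
```

Swapping the access-group to a new ACL number, rather than deleting and re-creating 101, matters when working remotely: on IOS an `ip access-group` that references an access list with no entries permits everything for as long as the list is empty, and a paste that is cut off half-way through leaves the router in that state. Applying the new list with a single `ip access-group 103 in` keeps the SSH line in force at every step, and `show ip inspect sessions` afterwards shows the FTP control session and the data channel CBAC opened for it.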


Didier
      01-18-2004
Problem solved,
thanks.

