ip inspect and access-list question

Discussion in 'Cisco' started by didier, Jan 17, 2004.

  1. didier

    didier Guest

    Hi,
    As I'm at a remote location, I do not want to lock myself out.
    My dmz can do anything, it browses and downloads from internet etc (even if
    it is not secure it is only for testing).

    Now I would like INTERNET being able to "PASSIVE" ftp (I don't want to allow
    ftp-data) to a host on the DMZ, I want that ip inspect adds temporary
    entries to access-list 102 to allow return traffic and protects servers from
    distributed denial of service attacks.

    See the config of fastethernet0 at the very end of this message, it's my
    proposal, would that work?

    Ethernet0 is INTERNET
    FastEthernet0 is DMZ

    INTERNET should be able to passive ftp to DMZ

    Here is my ip inspect config:
    ip inspect audit-trail
    ip inspect udp idle-time 1800
    ip inspect dns-timeout 7
    ip inspect tcp idle-time 14400
    ip inspect name standard cuseeme
    ip inspect name standard ftp
    ip inspect name standard h323
    ip inspect name standard http
    ip inspect name standard rcmd
    ip inspect name standard realaudio
    ip inspect name standard smtp
    ip inspect name standard sqlnet
    ip inspect name standard streamworks
    ip inspect name standard tcp
    ip inspect name standard tftp
    ip inspect name standard udp
    ip inspect name standard vdolive
    ip audit notify log
    ip audit po max-events 100

    Here are my access-lists (samples):
    access-list 101 permit tcp any host 10.0.0.10 eq 22
    access-list 101 deny icmp any any log-input
    access-list 101 deny ip any any log-input
    access-list 102 permit ip 10.0.0.0 0.0.0.255 any
    access-list 102 deny ip any any log-input

    Here are now the interfaces (simplified, only access-group and inspect):
    int eth0
    ip access-group 101 in

    int fast0
    ip access-group 102 in
    ip inspect name standard in
    -------------------------------
    Here comes what I thought it should be:
    New access-list 101
    ! I allow ftp traffic on eth0 (INTERNET) to come in
    access-list 101 permit tcp any host 10.0.0.10 eq ftp
    access-list 101 permit tcp any host 10.0.0.10 eq 22
    access-list 101 deny icmp any any log-input
    access-list 101 deny ip any any log-input

    int fast0
    ip access-group 102 in
    ip inspect name standard in
    ip inspect name standard out

    Would that work if I'm adding "ip inspect name standard out" to
    fastethernet0?
    Please, I'm at a remote location so be sure ;-)) ?
    didier, Jan 17, 2004
    #1
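    As an added example (not the poster's configuration or Cisco's code), the Python below models what CBAC's ftp inspection does on the control channel for the passive case described above: it parses the server's 227 PASV reply, derives the data port, and emits the single temporary permit entry for that client/server/port instead of a static ftp-data rule. The sanity checks (announced address must match the server, port above 1023), the client address and the ACL number are assumptions of this model.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the control-channel reply a DMZ FTP server (10.0.0.10)
# sends to an Internet client that issued PASV. Port = 195*256 + 88 = 50008.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,0,0,10,195,88)\r\n"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DynamicEntry:
    """One temporary entry, as inspection would insert it ahead of the static ACL."""
    protocol: str
    src: str
    dst: str
    dst_port: int

    def as_acl_line(self, acl: int) -> str:
        return (f"access-list {acl} permit {self.protocol} "
                f"host {self.src} host {self.dst} eq {self.dst_port}")


def parse_pasv(reply: str) -> tuple[str, int] | None:
    """Return (ip, port) announced in a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (a, b, c, d, p1, p2)):
        return None  # malformed: octet or port byte out of range
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def dynamic_entry_for_pasv(client_ip: str, server_ip: str,
                           reply: str) -> DynamicEntry | None:
    """Model of FTP inspection (assumed checks): open only the announced data
    port, only for the client of the existing control session, and refuse
    replies that point at a third-party address or a privileged port."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    announced_ip, port = parsed
    if announced_ip != server_ip or port < 1024:
        return None
    return DynamicEntry("tcp", client_ip, server_ip, port)
```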

  2. didier

    Didier Guest

    problem solved
    thx
    Didier, Jan 18, 2004
    #2
