Kingsley,

In IOS you rely on a strict ACL on the outside to prevent unwanted traffic coming inbound. The inspection engine then creates dynamic entries for traffic that should be dynamically allowed back in through the blocking ACL. By default the inspection engine is not used for filtering sessions. It is the dynamic source for allowing traffic that isn't allowed by default through your protection ACL.

The command below enables the inspection engine to be used for blocking TCP traffic inbound on the inspection interface. This blocks ALL traffic sourced from the outside inbound. No TCP traffic that is not initiated from the inside is allowed in. Only dynamic entries created by the inspection rules are allowed back in for TCP sessions. It can be used but most likely is going to cause unwanted results.

On Tue, Feb 2, 2010 at 8:18 AM, Kingsley Charles <[email protected]> wrote:
> Hi all
>
> The following command is used to block TCP sessions that don't belong to
> the existing sessions that the firewall is aware of.
>
> "ip inspect tcp block-non-session"
>
> The default action is to allow non-existing TCP sessions.
>
> If we allow non-existing TCP sessions, is that not breaking the firewall?
> By default it should block, right?
>
> Please share your thoughts.
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

--
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities: http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.
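The setup Tyson describes, written out as an added IOS CBAC configuration (not a config from either poster): a deny-everything ACL inbound on the outside interface, an inspection rule applied outbound on the same interface so the engine punches dynamic return holes through that ACL, and the global `ip inspect tcp block-non-session` command at the end. Interface names, addresses, the ACL name `OUTSIDE-IN`, the inspection rule name `FW-INSPECT` and the sample web server address are all constructed for illustration.

```ios
! Added example, not from the thread. Interface names, addresses, the ACL name
! and the inspection rule name are constructed.
!
! Inspection rule: track TCP and UDP sessions that leave via the outside interface.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
!
! Static protection ACL on the outside interface. The only inbound traffic it
! permits on its own is HTTPS to one server; everything else must come in via a
! dynamic entry the inspection engine creates for an inside-initiated session.
ip access-list extended OUTSIDE-IN
 permit tcp any host 198.51.100.10 eq 443
 deny   ip any any log
!
interface GigabitEthernet0/0
 description INSIDE
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 description OUTSIDE
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect FW-INSPECT out
!
! Optional and off by default. Per the reply above, this makes the inspection
! engine itself drop any inbound TCP that does not match a session it created,
! so the statically permitted HTTPS traffic to 198.51.100.10 (which never
! starts from the inside) would also be dropped: the "unwanted results" case.
ip inspect tcp block-non-session
```

Leaving the last line out keeps the default behaviour from the thread: the ACL does the blocking, the inspection engine only adds dynamic permits, and `show ip inspect sessions` shows which inside-initiated sessions currently have a return hole open.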
