That command should block non-initial TCP packets that do not have a session built. The first packet must be permitted by the ACL or lack thereof. It must be a SYN, though. Basically a TCP communication should start with a 3-way handshake, or there should already be a session established. How it works really depends on the ACL and the inspection placement and direction.
On Feb 2, 2010, at 12:00 PM, [email protected] wrote:

> Message: 1
> Date: Tue, 2 Feb 2010 18:48:49 +0530
> From: Kingsley Charles <[email protected]>
> Subject: [OSL | CCIE_Security] TCP session that doesn't belong to existing session - inspect based firewall
> To: [email protected]
>
> Hi all
>
> The following command is used to block TCP sessions that don't belong to the existing sessions that the firewall is aware of.
>
> "ip inspect tcp block-non-session"
>
> The default action is to allow non-existing TCP sessions.
>
> If we allow non-existing TCP sessions, is that not breaking the firewall?
>
> By default it should block, right?
>
> Please share your thoughts.
>
> With regards
> Kings
>
> ------------------------------
>
> Message: 2
> Date: Tue, 2 Feb 2010 10:32:37 -0500
> From: Tyson Scott <[email protected]>
> Subject: Re: [OSL | CCIE_Security] TCP session that doesn't belong to existing session - inspect based firewall
> To: Kingsley Charles <[email protected]>
> Cc: [email protected]
>
> Kingsley,
>
> In IOS you rely on a strict ACL on the outside to prevent unwanted traffic coming inbound. The inspection engine then creates dynamic entries for traffic that should be dynamically allowed back in thru the blocking ACL. By default the inspection engine is not used for filtering sessions. It is the dynamic source for allowing traffic that isn't allowed by default thru your protection ACL.
>
> The command below enables the inspection engine to be used for blocking TCP traffic inbound on the inspection interface. This blocks ALL traffic sourced from the outside inbound. No TCP traffic that is not initiated from the inside is allowed in. Only dynamic entries created by the inspection rules are allowed back in for TCP sessions.
>
> It can be used but most likely is going to cause unwanted results.
>
> On Tue, Feb 2, 2010 at 8:18 AM, Kingsley Charles <[email protected]> wrote:
>
>> Hi all
>>
>> The following command is used to block TCP sessions that don't belong to the existing sessions that the firewall is aware of.
>>
>> "ip inspect tcp block-non-session"
>>
>> The default action is to allow non-existing TCP sessions.
>>
>> If we allow non-existing TCP sessions, is that not breaking the firewall?
>>
>> By default it should block, right?
>>
>> Please share your thoughts.
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> --
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
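As an added illustration, not taken from any poster in this thread, here is the CBAC placement Tyson describes: a deny-everything ACL inbound on the outside interface, an inspect rule applied inbound on the inside interface so that return traffic for inside-initiated sessions is opened dynamically, and the optional global command from Kingsley's question. The interface names, addresses, ACL name and inspect rule name are assumptions made up for this example.

```cisco
! Assumed for this example: FastEthernet0/0 is the outside interface,
! FastEthernet0/1 is the inside interface, 192.168.1.0/24 is the
! inside network (all constructed, not from the thread).
!
! 1. Protection ACL on the outside interface. Nothing enters from the
!    outside unless CBAC adds a dynamic entry above this deny.
ip access-list extended OUTSIDE_IN
 deny ip any any
!
! 2. Inspect rule: track TCP and UDP sessions started from the inside
!    and open the return path through OUTSIDE_IN for each of them.
ip inspect name FW tcp
ip inspect name FW udp
!
! 3. Optional: the command from the question. With it, a TCP packet
!    arriving on the inspection interface is dropped unless it is the
!    SYN of a new inspected session or belongs to an existing one.
!    Without it, such a packet is judged by the ACL alone, so a
!    permit in the ACL would let it through.
ip inspect tcp block-non-session
!
interface FastEthernet0/0
 description OUTSIDE
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE_IN in
!
interface FastEthernet0/1
 description INSIDE
 ip address 192.168.1.1 255.255.255.0
 ip inspect FW in
!
! Check which inside-initiated sessions CBAC is currently tracking:
! show ip inspect sessions
```

If the outside ACL later gains a permit (for example, for a published server), block-non-session will still drop non-SYN TCP packets to that server that have no tracked session, which is the "unwanted results" Tyson warns about.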
