Thx Tyson/Paul. Seems it provides functionality similar to the "established" keyword of the ACL.
With regards
Kings

On Tue, Feb 2, 2010 at 11:55 PM, Tyson Scott <[email protected]> wrote:
> Well said Paul.
>
> On Tue, Feb 2, 2010 at 12:37 PM, Paul Stewart <[email protected]> wrote:
>> That command should block non-initial TCP packets that do not have a
>> session built. The first packet must be permitted by the ACL, or lack
>> thereof. It must be a SYN though. Basically a TCP communication
>> should start with a 3-way handshake, or there should already be a
>> session established. How it works really depends on the ACL and the
>> inspection placement and direction.
>>
>> On Feb 2, 2010, at 12:00 PM, [email protected] wrote:
>>
>> > ----------------------------------------------------------------------
>> >
>> > Message: 1
>> > Date: Tue, 2 Feb 2010 18:48:49 +0530
>> > From: Kingsley Charles <[email protected]>
>> > Subject: [OSL | CCIE_Security] TCP session that doesn't belong to
>> > existing session - inspect based firewall
>> >
>> > Hi all
>> >
>> > The following command is used to block TCP sessions that don't
>> > belong to the existing sessions that the firewall is aware of.
>> >
>> > "ip inspect tcp block-non-session"
>> >
>> > The default action is to allow non-existing TCP sessions.
>> >
>> > If we allow non-existing TCP sessions, is that not breaking the
>> > firewall?
>> >
>> > By default it should block, right?
>> >
>> > Please share your thoughts.
>> >
>> > With regards
>> > Kings
>> >
>> > ------------------------------
>> >
>> > Message: 2
>> > Date: Tue, 2 Feb 2010 10:32:37 -0500
>> > From: Tyson Scott <[email protected]>
>> > Subject: Re: [OSL | CCIE_Security] TCP session that doesn't belong to
>> > existing session - inspect based firewall
>> >
>> > Kingsley,
>> >
>> > In IOS you rely on a strict ACL on the outside to prevent unwanted
>> > traffic coming inbound. The inspection engine then creates dynamic
>> > entries for traffic that should be dynamically allowed back in through
>> > the blocking ACL.
>> >
>> > By default the inspection engine is not used for filtering
>> > sessions. It is the dynamic source for allowing traffic that isn't
>> > allowed by default through your protection ACL.
>> >
>> > The command below enables the inspection engine to be used for
>> > blocking TCP traffic inbound on the inspection interface. This blocks
>> > ALL traffic sourced from the outside inbound. No TCP traffic that is
>> > not initiated from the inside is allowed in. Only dynamic entries
>> > created by the inspection rules are allowed back in for TCP sessions.
>> >
>> > It can be used but most likely is going to cause unwanted results.
>> >
>> > --
>> > Tyson Scott - CCIE #13513 R&S and Security
>> > Technical Instructor - IPexpert, Inc.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
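As an added illustration (not written by anyone in the thread, and not IOS code), a small Python model contrasting the ACL "established" keyword Kings mentions with the session-based decision Paul describes, with and without block-non-session. Addresses, ports and the assumption that the static ACL permits the stray segment's destination port are constructed.

```python
from dataclasses import dataclass
# Constructed model, not IOS code: contrasts the ACL "established" keyword
# with session-based inspection plus "ip inspect tcp block-non-session".

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

def acl_established_permits(seg: Segment) -> bool:
    """ACL 'established': permits any segment with ACK or RST set, with no
    knowledge of whether a session was ever opened from the inside."""
    return bool(seg.flags & {"ACK", "RST"})

class Inspector:
    """Tiny CBAC-style session table for the outside interface."""
    def __init__(self, block_non_session: bool):
        self.block_non_session = block_non_session
        self.sessions: set = set()

    def outbound(self, seg: Segment) -> None:
        # An inside-initiated SYN creates the dynamic entry for return traffic.
        if seg.flags == {"SYN"}:
            self.sessions.add((seg.src, seg.sport, seg.dst, seg.dport))

    def inbound(self, seg: Segment, static_acl_permits: bool) -> bool:
        """Outside->inside decision: dynamic entry first, then the static ACL,
        then the block-non-session check for anything that is not a SYN."""
        if (seg.dst, seg.dport, seg.src, seg.sport) in self.sessions:
            return True   # return traffic of a session opened from inside
        if not static_acl_permits:
            return False  # stopped by the protection ACL
        if self.block_non_session and seg.flags != {"SYN"}:
            return False  # non-initial segment with no session: dropped
        return True       # new session whose SYN the ACL permits

def demo() -> dict:
    """Constructed traffic: one inside-initiated session, one stray inbound ACK
    to a port the static ACL is assumed to permit (e.g. SSH to a server)."""
    syn = Segment("10.0.0.5", 40000, "198.51.100.10", 80, frozenset({"SYN"}))
    synack = Segment("198.51.100.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
    stray = Segment("203.0.113.7", 1234, "10.0.0.5", 22, frozenset({"ACK"}))
    out = {"established_acl_stray": acl_established_permits(stray)}
    for mode in (False, True):
        fw = Inspector(block_non_session=mode)
        fw.outbound(syn)
        out[mode] = (fw.inbound(synack, False), fw.inbound(stray, True))
    return out
```

With the default (no block-non-session) the stray ACK is admitted because the ACL permits it, exactly the behaviour Kings asked about; with block-non-session it is dropped, while the return SYN/ACK of the inside-initiated session passes in both modes.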
