Best practice for CBAC

Unanswered Question
Feb 20th, 2007

Hi all,

I am running IOS FW 12.4 on an ISR 2821:

13 DMZ on gig0/1 sub intfs

1 inside intf on gig0/0

1 outside intf on vlan1 (hwic 4 FE port)

I need ip inspection to allow return traffic to come back.

I can apply ip inspection on an interface with 2 methods:

1) on ingress traffic (ip inspect <name> in)

2) on egress traffic (ip inspect <name> out)

On each interface I apply an Acl on ingress traffic (ip access-group <ACL> in)

What is the best practice for a couple of interfaces:

1) Ingress intf: ip access-group <acl> in

   Egress intf: ip inspect <cbac> out

2) Ingress intf: ip access-group <acl> in

   Ingress intf: ip inspect <cbac> in

   Egress intf: nothing

Most Cisco samples talk only about the 2nd case.
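The two placements described in the question, written out as IOS CBAC configuration so the difference is visible. This is an added illustration, not configuration from the original post or from Cisco documentation; the inspect rule name FW, the ACL names, the addressing, and VLAN 10 standing in for one of the thirteen DMZ subinterfaces are assumptions. The two options are alternatives and are not meant to be applied together on the same interface pair.

```cisco
! Added example, not from the original post. Names and addresses are assumed.
! One inspection rule shared by both layouts below.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Static ACLs. CBAC adds temporary entries to the inbound ACL of the
! interface on which return traffic for an inspected session arrives,
! so these only need to permit what is allowed to START a session.
ip access-list extended INSIDE_IN
 permit ip 10.0.0.0 0.255.255.255 any
 deny   ip any any log
!
ip access-list extended DMZ10_IN
 permit udp 172.16.10.0 0.0.0.255 any eq domain
 deny   ip any any log
!
! ---------------------------------------------------------------
! Option 2 (the layout most Cisco examples show):
! ACL and inspection both on the ingress interface, nothing on egress.
! Sessions are inspected as they enter gig0/0 from the inside hosts.
! ---------------------------------------------------------------
interface GigabitEthernet0/0
 description inside
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDE_IN in
 ip inspect FW in
!
interface GigabitEthernet0/1.10
 description DMZ-10 (one of the 13 DMZ subinterfaces)
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
 ip access-group DMZ10_IN in
!
! ---------------------------------------------------------------
! Option 1: ACL on the ingress interface, inspection outbound on the
! egress interface. The same inside->DMZ session is now inspected as
! it LEAVES towards the DMZ rather than as it enters from the inside.
! (Shown as the alternative to the two interface stanzas above.)
! ---------------------------------------------------------------
interface GigabitEthernet0/0
 description inside
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDE_IN in
!
interface GigabitEthernet0/1.10
 description DMZ-10 (one of the 13 DMZ subinterfaces)
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
 ip access-group DMZ10_IN in
 ip inspect FW out
```

Whichever layout is chosen, `show ip inspect interfaces` confirms on which interfaces and in which direction the rule is attached, and `show ip inspect sessions` shows the sessions currently being tracked, which is the quickest way to verify that return traffic is being opened by inspection rather than by an overly broad static ACL entry. With thirteen DMZ subinterfaces, option 1 means attaching `ip inspect FW out` on each of them, whereas option 2 keeps inspection on the single inside interface; the inbound ACL on each DMZ subinterface still needs the explicit `deny ip any any log` so that anything not covered by inspection is dropped and logged.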


