Hi all,
I am running IOS FW 12.4 on an ISR 2821:
13 DMZ on gig0/1 sub intfs
1 inside intf on gig0/0
1 outside intf on vlan1 (hwic 4 FE port)
I need ip inspection to allow return traffic to come back.
I can apply ip inspection on an interface using 2 methods:
1) on ingress traffic (ip inspect <name> in)
2) on egress traffic (ip inspect <name> out)
On each interface I apply an ACL on ingress traffic (ip access-group <ACL> in)
What is the best practice for a couple of interfaces:
1) Ingress intf: ip access-group <acl> in
   Egress intf: ip inspect <cbac> out
2) Ingress intf: ip access-group <acl> in
   Ingress intf: ip inspect <cbac> in
   Egress intf: nothing
Most Cisco samples talk only about the 2nd case.
Regards,
Alain