Hi, I have CBAC configured on my 2851 router. The IP INSPECT command is placed OUT on the T1 going to the Internet. From what I have read, the IP INSPECT should be placed on the LAN interface going IN. I am asking this because I just connected another T1 to another ISP just for web browsing. I have also placed the IP INSPECT on the T1 going out. Right after I did that the router suffered huge performance issues. The router utilization is very low but it would take 10-20 sec. to load a web page. Can anyone tell me if I can use the same IP INSPECT command on two different interfaces, and if I need to move the IP INSPECT to LAN IN as opposed to the T1 going OUT?
So definitely take it off of two interfaces.
I would do ip inspect in on your Ethernet interface and then an access-list in on your T1 interface.
This way you inspect your traffic going out, but people that need connectivity to a resource on your internal network will have to traverse the access-list.
I have done this in the past and it works fine.
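
The placement suggested in the reply above, written out as an added example that is not part of the original thread. The interface names, the rule name `FW`, ACL number 101 and the published server address are assumptions; substitute your own.

```cisco
! Added example: constructed values, not taken from the poster's router.
!
! One CBAC inspection rule. It is applied once, inbound on the LAN,
! so every outbound session is inspected regardless of which T1 it leaves on.
ip inspect name FW tcp
ip inspect name FW udp
!
! Inbound ACL for the Internet-facing links. Unsolicited traffic must match
! an explicit permit; return traffic for inspected sessions is allowed by the
! temporary openings CBAC creates in this ACL.
! 192.0.2.10 is a documentation address standing in for an internal resource.
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny ip any any log
!
interface GigabitEthernet0/0
 description LAN (assumed interface name)
 ip inspect FW in
!
interface Serial0/0/0
 description T1 to first ISP (assumed interface name)
 no ip inspect FW out
 ip access-group 101 in
!
interface Serial0/1/0
 description T1 to second ISP (assumed interface name)
 no ip inspect FW out
 ip access-group 101 in
```

After applying it, `show ip inspect sessions` lists the sessions CBAC is tracking and `show access-lists 101` shows hit counts on the explicit permit and deny entries.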