ip inspect command on 2851

Answered Question
Oct 15th, 2007

Hi, I have CBAC configured on my 2851 router. The IP INSPECT command is placed OUT on the T1 going to the Internet. From what I have read, the IP INSPECT should be placed on the LAN interface going IN. I am asking this because I just connected another T1 to another ISP just for web browsing. I have also placed the IP INSPECT on the T1 going out. Right after I did that, the router suffered huge performance issues. The router utilization is very low, but it would take 10-20 sec. to load a web page. Can anyone tell me if I can use the same IP INSPECT command on two different interfaces, and if I need to move the IP INSPECT to LAN IN as opposed to the T1 going OUT?

Correct Answer by nathancielieska about 9 years 7 months ago

So definitely take it off of two interfaces.

I would do ip inspect in on your Ethernet interface and then an access-list in on your T1 interface.

This way you inspect your traffic going out, but people that need connectivity to a resource on your internal network will have to traverse the access-list.

I have done this in the past and it works fine.

Overall Rating: 5 (1 ratings)
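
The layout the answer describes, written out as IOS configuration. This is an added example, not configuration posted in the thread; the rule name FW, ACL number 101, the interface names, and applying the same inbound ACL to both T1s are assumptions.

```cisco
! Constructed example. Rule name, ACL number and interface names are assumed.
!
! Before (as described in the question): one rule applied outbound on both T1s.
!   interface Serial0/0/0
!    ip inspect FW out
!   interface Serial0/1/0
!    ip inspect FW out
!
! After (as suggested in the answer): inspect once, inbound on the LAN side.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound filter for the WAN side. Sessions started from outside must match an
! explicit permit here; CBAC adds temporary entries for return traffic of
! sessions it inspected on the LAN interface.
access-list 101 remark Permits for reachable internal resources go above the deny
access-list 101 deny ip any any log
!
interface Serial0/0/0
 description T1 to first ISP
 no ip inspect FW out
 ip access-group 101 in
!
interface Serial0/1/0
 description T1 to second ISP (web browsing)
 no ip inspect FW out
 ip access-group 101 in
!
interface GigabitEthernet0/0
 description LAN
 ip inspect FW in
```

`show ip inspect sessions` lists the sessions CBAC is tracking, and `show ip access-lists 101` shows hit counts on the inbound filter, including the logged deny.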
nathancielieska Tue, 10/16/2007 - 09:43