ip inspect on ingress or egress interface

Feb 20th, 2008

When setting up a CBAC (ip inspect) firewall on an IOS router should the "ip inspect" command be placed on the internal interface and use "ip inspect in" or should I use "ip inspect out" on the public or egress interface? What are the pros and cons of each?



DIEGO ALONSO Thu, 02/21/2008 - 05:57

Sorry, but that link just reiterates my comment that the inspect command can be used as "in" on the ingress and "out" on the egress. What I want to know is if there is any advantage or disadvantage of using one form or the other? I typically have used it as "in" on the ingress, but I have seen some examples using it as "out". Why?



abinjola Thu, 02/21/2008 - 06:45

Okay, let me explain in detail.

Let's say you have 3 interfaces on the router: e0, e1, e2.

Now, in case you want to inspect traffic originating from both e1 and e2 going to the outside world, apply inspect on e0 in the "out" direction.

In case you only need to monitor the traffic from e1, then apply inspect on e1 in the "in" direction.

richardburford Tue, 06/03/2008 - 03:20

One difference I found from experience: when you want to inspect router-generated traffic to the internet (i.e. DNS, ICMP, etc.), you need to apply the inspect rule on the outside interface, out.

If you apply it on the inside interface in, it will not inspect router-generated traffic such as DNS and ICMP, even if you change the source interface to be inside.

P.S. Don't forget, though, that for router-generated traffic you also need to specify the router-traffic keyword on those inspects that support it, such as....

ip inspect name Internet h323 router-traffic
ip inspect name Internet sip router-traffic
ip inspect name Internet tcp router-traffic
ip inspect name Internet udp router-traffic
ip inspect name Internet icmp router-traffic
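Putting the two answers above together, here is an added configuration example (not posted by anyone in this thread) of the "inspect out on the egress interface" placement abinjola describes, with the router-traffic keyword richardburford mentions. Interface names, addresses, the ACL name and the inspect rule name are assumed for illustration.

```ios
! Added example, not from the original thread. CBAC inspection is applied on the
! outside interface e0 in the "out" direction, so sessions from every inside
! interface (e1, e2) and the router's own DNS/ICMP traffic are all inspected.
! Interface names, addresses and the names CBAC-OUT / OUTSIDE-IN are assumed.
ip inspect name CBAC-OUT tcp router-traffic
ip inspect name CBAC-OUT udp router-traffic
ip inspect name CBAC-OUT icmp router-traffic
!
! Unsolicited inbound traffic is dropped by this ACL on the outside interface.
! CBAC opens temporary openings in it only for the return traffic of sessions
! it has inspected going out, which is what makes the firewall stateful.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
interface Ethernet0
 description Outside / egress
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect CBAC-OUT out
!
interface Ethernet1
 description Inside LAN 1
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 description Inside LAN 2
 ip address 192.168.2.1 255.255.255.0
```

To inspect only traffic from e1 instead, the `ip inspect CBAC-OUT out` line moves to Ethernet1 as `ip inspect CBAC-OUT in` (the inbound ACL stays on Ethernet0); as richardburford notes, that placement will not inspect the router's own DNS and ICMP traffic, so return packets for it would be blocked by OUTSIDE-IN unless permitted explicitly.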

