IOS firewall inspect rule direction

Unanswered Question
Jul 22nd, 2009

Hi,

While implementing an IOS based firewall, normally we apply a permit ACL to the inside interface of the router, followed by an ip inspect rule in the "in" direction. Then we apply a deny-all ACL on the outside interface so that connections initiated from the Internet are not allowed.

This allows only return traffic for connections that originated from the inside.

int fa0/1
 description "inside interface"
 ip address 10.1.1.1 255.255.255.0
 ip access-group test in
 ip inspect from_inside in
!
int fa0/0
 description "outside"
 ip address 10.10.2.1 255.255.255.252
 ip access-group block_all in

Now, can we apply the same inspection rule on the outside interface in the "out" direction and get the same result?

For example, for the above case:

int fa0/1
 description "interface"
 ip address 10.1.1.1 255.255.255.0
 ip access-group test in
(no inspection rule applied on fa0/1)
!
int fa0/0
 description "outside"
 ip address 10.10.2.1 255.255.255.252
 ip access-group block_all in
 ip inspect from_inside out
(inspection rule applied on the outside interface in the out direction)

Will this configuration have the same result as the original configuration?

Please share your experience.

Thanks in advance.

Subodh

Collin Clark Wed, 07/22/2009 - 13:28

Yes it will. Be aware though that other interfaces will also use this inspection to the outside.

Hope that helps.
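As an added illustration (not part of the original thread, and not the poster's configuration), here is a complete CBAC configuration around the two interfaces from the question, showing both placements of the inspect rule and the side effect Collin mentions. The contents of the "test" and "block_all" ACLs, the protocols inspected by "from_inside", and the third interface FastEthernet1/0 are assumptions made for this example.

```cisco
! Added example, not the original poster's config. ACL contents, the
! inspect rule definition and interface fa1/0 are assumptions.
!
! Inspection rule: track TCP, UDP and ICMP sessions so that only their
! return traffic is let back through the outside ACL.
ip inspect name from_inside tcp
ip inspect name from_inside udp
ip inspect name from_inside icmp
!
! "test": what inside hosts are allowed to initiate (assumed: anything).
ip access-list extended test
 permit ip 10.1.1.0 0.0.0.255 any
!
! "block_all": nothing initiated from the Internet; log hits for detection.
ip access-list extended block_all
 deny ip any any log
!
! --- Variant A (original post): inspect inbound on the inside interface ---
interface FastEthernet0/1
 description inside interface
 ip address 10.1.1.1 255.255.255.0
 ip access-group test in
 ip inspect from_inside in
!
interface FastEthernet0/0
 description outside
 ip address 10.10.2.1 255.255.255.252
 ip access-group block_all in
!
! --- Variant B (the question): inspect outbound on the outside interface ---
! Use these two stanzas instead of the ones above. Everything leaving
! fa0/0 is inspected, whichever interface it came in on, so any other
! interface's sessions also get temporary openings in block_all.
interface FastEthernet0/1
 description inside interface
 ip address 10.1.1.1 255.255.255.0
 ip access-group test in
!
interface FastEthernet0/0
 description outside
 ip address 10.10.2.1 255.255.255.252
 ip access-group block_all in
 ip inspect from_inside out
!
! Assumed third interface. With Variant B its outbound sessions are
! inspected and their replies pass block_all; with Variant A they are not
! inspected, so replies are dropped unless "ip inspect ... in" is added here.
interface FastEthernet1/0
 description dmz (assumed)
 ip address 192.0.2.1 255.255.255.0
!
! Verification from exec mode:
!   show ip inspect interfaces   - which interface/direction carries the rule
!   show ip inspect sessions     - the dynamic openings CBAC has created
```

With Variant A the set of hosts that can open return holes in block_all is exactly the set behind fa0/1; with Variant B it is every interface whose traffic exits fa0/0, which is why the outbound placement should only be chosen if that wider scope is intended.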
