ACL INBOUND with Inspection

imranraheel
Level 1

I have to apply an ACL on an interface, so that inside users can access all the traffic but outside users can only ping inside users and can only return the traffic which is generated from inside.

How can I implement this? Should I use the CBAC feature, inspection, or a reflect access list? Also keep in mind there are some applications on the inside interface which are custom made and send traffic on a custom port and require replies on multiple ports.

LAN(Inside) --------10.10.10.0/24----------Router-------------------192.168.1.0/24---------LAN(Outside)

1 Reply

Julio Carvajal
VIP Alumni

Hello,

Let's use CBAC:

ip inspect name test icmp router-traffic

ip inspect name test tcp

ip inspect name test udp

! Inside interface of the router connecting to the LAN
interface fastethernet 0/1

ip inspect test in

This will allow all communications from inside users to outside users. If the outside users want to initiate a connection, there has got to be an ACL on the outside allowing the communication; if not, it would be impossible.

TCP, UDP and ICMP replies by outside users will be accepted by the IOS firewall.

Do rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC