New Member

ip inspect on ingress or egress interface

When setting up a CBAC (ip inspect) firewall on an IOS router should the "ip inspect" command be placed on the internal interface and use "ip inspect in" or should I use "ip inspect out" on the public or egress interface? What are the pros and cons of each?

Thanks,

Diego

5 REPLIES
Cisco Employee

Re: ip inspect on ingress or egress interface

IP inspect should be applied on an interface so that the packet can be processed before leaving that interface.

Example: IP inspect is always applied in the "in" direction on the internal (LAN) interface, and always in the "out" direction on the public (WAN) interface.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1011411

New Member

Re: ip inspect on ingress or egress interface

Sorry, but that link just reiterates my comment that the inspect command can be used as "in" on the ingress and "out" on the egress. What I want to know is if there is any advantage or disadvantage of using one form or the other? I have typically used it as "in" on the ingress, but I have seen some examples using it as "out". Why?

Thanks,

Diego

Cisco Employee

Re: ip inspect on ingress or egress interface

OK, let me explain in detail.

Let's say you have 3 interfaces on the router: e0, e1, e2

        e1
        |
Router--->e0-->(Internet)
        |
        e2

Now, in case you want to inspect traffic originating from both e1 and e2 going to the outside world, then apply inspect on e0 in the "out" direction.

In case you only need to monitor the traffic from e1, then apply inspect on e1 in the "in" direction.

New Member

Re: ip inspect on ingress or egress interface

OK, I guess it saves you one line of config.

Thanks,

Diego

New Member

Re: ip inspect on ingress or egress interface

One difference I found from experience: when you want to inspect router-generated traffic to the internet, i.e. DNS, ICMP, etc., you need to apply the inspect rule on the outside interface, out.

If you apply it on the inside interface, in, it will not inspect router-generated traffic such as DNS and ICMP, even if you change the source interface to be inside.

P.S. Don't forget, though, that for router-generated traffic you also need to specify the router-traffic keyword on those inspects that support it, such as:

ip inspect name Internet h.323 router-traffic
ip inspect name Internet sip router-traffic
ip inspect name Internet tcp router-traffic
ip inspect name Internet udp router-traffic
ip inspect name Internet icmp router-traffic
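Pulling the thread's advice together as an added example (not from any post above; interface names, addresses and the ACL name are assumptions): inspect applied "out" on the egress interface so it covers both LANs plus router-generated traffic, paired with the inbound ACL on the same interface that CBAC punches dynamic return-traffic entries into. Without that ACL the inspect rule has nothing to open holes in and adds little.

```ios
! Added example, not from the thread. Interface names, addresses and the
! ACL name are assumptions.
!
! Inspection rule; router-traffic lets CBAC track sessions the router itself opens.
ip inspect name Internet tcp router-traffic
ip inspect name Internet udp router-traffic
ip inspect name Internet icmp router-traffic
!
! Static inbound policy on the outside interface. CBAC inserts temporary
! entries ahead of this ACL for return traffic of inspected sessions, so
! the static part only needs to drop (and log) everything unsolicited.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
interface Ethernet0
 description Outside (Internet)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect Internet out
!
interface Ethernet1
 description Inside LAN 1 (no inspect needed here; e0 covers it)
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 description Inside LAN 2
 ip address 192.168.2.1 255.255.255.0
!
! Verification from enable mode:
!   show ip inspect sessions      - sessions CBAC is currently tracking
!   show ip inspect interfaces    - confirms rule and direction per interface
```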
