Questions about CBAC
Rens-
Member Posts: 8
Hi *,
How do I correctly place the command 'ip inspect NAME in|out'?
Example :
Inside_Network
fa0/0 CBAC fa0/1
Outside_Network
From the Cisco website, I can find: 'ip inspect NAME in' on fa0/0
Context-Based Access Control (CBAC): Introduction and Configuration [Cisco IOS Firewall] - Cisco Systems
From the Packetlife website, I can find: 'ip inspect NAME out' on fa0/1
IOS Context-Based Access Control (CBAC) - Packet Life
I'm confused; what's the best choice?
Thanks a lot,
Comments
-
Legacy User Unregistered / Not Logged In Posts: 0
Think of it as if you were creating a basic standard access-list: do you want to apply the settings for the packets going inbound or outbound?
-
cisco_trooper Member Posts: 1,441
You can try this command:
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp
! ftp is important to inspect because it can use a secondary port initiated from the outside
ip access-list extended INBOUND
 deny ip any any
int fa0/0
 description OUTSIDE
 ip access-group INBOUND in
 ip inspect FWOUT out
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
int fa0/1
 description INSIDE
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
^^ THIS is the generally accepted way of doing it. If you are inspecting on the inside you need a specific reason to do so.
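The pairing the answer relies on (an 'ip inspect' statement on one direction of an interface only does useful work when an ACL is applied in the opposite direction on the same interface) can be checked mechanically. The following config lint is an added example, not code from the thread or from Cisco; the sample configuration it parses is constructed for the example, and it only understands the 'interface' / indented sub-command layout of an IOS running-config.

```python
import re

# Constructed sample IOS config (not from any real device): fa0/0 uses the
# placement from the post; fa0/1 inspects inbound with no ACL for CBAC to open.
SAMPLE_CONFIG = """\
ip inspect name FWOUT tcp
ip inspect name FWOUT ftp
ip access-list extended INBOUND
 deny ip any any
interface FastEthernet0/0
 ip access-group INBOUND in
 ip inspect FWOUT out
interface FastEthernet0/1
 ip inspect FWOUT in
"""

def parse_interfaces(config):
    """Map each interface name to its list of indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # back at global configuration level
    return interfaces

def check_cbac_placement(config):
    """One finding per interface carrying 'ip inspect NAME in|out'. CBAC inserts
    temporary permits into the ACL applied in the OPPOSITE direction on the same
    interface, so an inspect without such an ACL (or an undefined rule) is flagged."""
    defined = set(re.findall(r"^ip inspect name (\S+) ", config, re.M))
    findings = {}
    for iface, cmds in parse_interfaces(config).items():
        acls, inspects = {}, []  # acls: direction -> ACL name
        for c in cmds:
            if m := re.match(r"ip access-group (\S+) (in|out)$", c):
                acls[m.group(2)] = m.group(1)
            elif m := re.match(r"ip inspect (\S+) (in|out)$", c):
                inspects.append(m.groups())
        for rule, direction in inspects:
            opposite = "in" if direction == "out" else "out"
            if rule not in defined:
                findings[iface] = f"rule {rule} is not defined"
            elif opposite not in acls:
                findings[iface] = f"inspect {direction} but no ACL applied {opposite}"
            else:
                findings[iface] = f"ok: inspect {direction} opens ACL {acls[opposite]} {opposite}"
    return findings
```

Run it over a saved 'show running-config' to list every interface whose inspection has no ACL to punch holes in, which is the usual symptom of the in/out confusion asked about above.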