Questions about CBAC

Hi *,

How to place correctly the command 'ip inspect NAME in|out' ?

Example :

Inside_Network

fa0/0 CBAC fa0/1

Outside_Network

From the Cisco website, I can find : 'ip inspect NAME in' on fa0/0
Context-Based Access Control (CBAC): Introduction and Configuration [Cisco IOS Firewall] - Cisco Systems

From the Packetlife website, I can find: 'ip inspect NAME out' on fa0/1
IOS Context-Based Access Control (CBAC) - Packet Life

I'm confusing, what's the best choice ?

Thanks a lot,

Find more posts tagged with

Comments

Rens-

Nobody has an idea

Legacy User

Think of it as if you were creating basic standard access-list do you want to apply the settings for the packets going inbound or outbound.

cisco_trooper

chetanm wrote: »

you can try this command

ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp

//ftp is important to inspect because it can use a secondary port initiated from the outside

ip access-list extended INBOUND
deny ip any any

int fa0/0
description OUTSIDE
ip access-group INBOUND in
ip inpsect FWOUT out
ip address 1.1.1.1 255.255.255.0
ip nat outside

int fa0/1
description INSIDE
ip address 192.168.0.1 255.255.255.0
ip nat inside

^^ THIS is the generally accepted way of doing it. If you are inspecting on the inside you need a specific reason to do so.