Questions about CBAC

Rens-Rens- Junior MemberMember Posts: 8 ■□□□□□□□□□
Hi *,

How to place correctly the command 'ip inspect NAME in|out' ?

Example :

fa0/0 CBAC fa0/1

From the Cisco website, I can find : 'ip inspect NAME in' on fa0/0
Context-Based Access Control (CBAC): Introduction and Configuration  [Cisco IOS Firewall] - Cisco Systems

From the Packetlife website, I can find: 'ip inspect NAME out' on fa0/1
IOS Context-Based Access Control (CBAC) - Packet Life

I'm confusing, what's the best choice ?

Thanks a lot,


  • Rens-Rens- Junior Member Member Posts: 8 ■□□□□□□□□□
    Nobody has an idea :p ?
  • Legacy UserLegacy User Unregistered / Not Logged In Posts: 0 ■□□□□□□□□□
    Think of it as if you were creating basic standard access-list do you want to apply the settings for the packets going inbound or outbound.
  • cisco_troopercisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    chetanm wrote: »
    you can try this command

    ip inspect name FWOUT tcp
    ip inspect name FWOUT udp
    ip inspect name FWOUT icmp
    ip inspect name FWOUT ftp

    //ftp is important to inspect because it can use a secondary port initiated from the outside

    ip access-list extended INBOUND
    deny ip any any

    int fa0/0
    description OUTSIDE
    ip access-group INBOUND in
    ip inpsect FWOUT out
    ip address
    ip nat outside

    int fa0/1
    description INSIDE
    ip address
    ip nat inside

    ^^ THIS is the generally accepted way of doing it. If you are inspecting on the inside you need a specific reason to do so.
Sign In or Register to comment.