tiptechs
asked on
cisco router - ip inspect interface
I am trying to determine if it matters which interface I apply the "ip inspect" to on a Cisco IOS router/firewall.
From reading up on "ip inspect", it says that if you have "ip inspect" configured, the return traffic will bypass any ACLs. In the example below, will the return traffic still bypass ACL 100 on Fa0/1 even if the inspect is applied to Fa0/0?
internal network: 192.168.1.0/24
interface FastEthernet0/0
 description Internal Network
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 ip inspect FWINSPECT in
 ip nat inside
!
interface FastEthernet0/1
 description Connection to the Internet
 ip address 1.1.1.2 255.255.255.252
 ip access-group 100 in
 ip nat outside
Thanks
I believe it will work regardless of interface, but if you only have one inspection policy, I would put it on the outside interface so that any other inside interfaces, whether existing today or configured in the future, all end up getting covered by that policy.
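To make the behaviour asked about in the question and claimed in the answer concrete, here is an added toy model (not Cisco code, not from the original post) of how a CBAC "ip inspect" rule interacts with inbound interface ACLs on a two-interface router. It is deliberately simplified: no NAT, no outbound ACLs, no timeouts and no protocol-specific inspection, just the session table that inspection builds and the order in which a return packet is checked against that table and the ingress ACL. The ACL contents (ACL 101 permitting the internal network outbound, ACL 100 denying everything inbound), the hostnames and addresses, and the three sample packets are all constructed for the example; the interface names and ACL numbers are the ones in the question. The model also covers the answer's alternative placement, "ip inspect FWINSPECT out" on the outside interface, to show that both placements give the same result for the sample flows.

```python
"""Toy model of CBAC inspection vs. inbound ACLs on a two-interface IOS router.

Constructed for illustration; it is not IOS code and omits NAT, outbound ACLs,
session timeouts and per-protocol inspection logic.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Acl:
    number: int
    rules: list  # (action, proto, src_prefix, dst_prefix); "any" matches all

    @staticmethod
    def _in(addr: str, prefix: str) -> bool:
        if prefix == "any":
            return True
        return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

    def permits(self, pkt: Packet) -> bool:
        for action, proto, src, dst in self.rules:
            if proto in ("ip", pkt.proto) and self._in(pkt.src, src) and self._in(pkt.dst, dst):
                return action == "permit"
        return False  # implicit deny at the end of every IOS ACL


@dataclass
class Interface:
    name: str
    acl_in: Optional[Acl] = None
    inspect_in: bool = False   # "ip inspect NAME in" on this interface
    inspect_out: bool = False  # "ip inspect NAME out" on this interface


@dataclass
class Router:
    interfaces: dict
    sessions: set = field(default_factory=set)  # 5-tuples of inspected flows

    def forward(self, pkt: Packet, ingress: str, egress: str):
        i, e = self.interfaces[ingress], self.interfaces[egress]
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Return traffic of an inspected session is admitted by the dynamic
        #    session entry before the ingress ACL is consulted, whichever
        #    interface it arrives on.
        if reverse in self.sessions:
            return "permit", f"inspect session, bypasses ACL on {ingress}"
        # 2. New traffic must pass the inbound ACL of the interface it arrives on.
        if i.acl_in is not None and not i.acl_in.permits(pkt):
            return "deny", f"access-list {i.acl_in.number} in on {ingress}"
        # 3. Inspection (inbound on ingress or outbound on egress) records the
        #    flow so that its return traffic is opened up in step 1.
        if i.inspect_in or e.inspect_out:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit", f"access-list on {ingress}, session inspected"
        return "permit", f"access-list on {ingress}, not inspected"


def build_router(inspect_where: str) -> Router:
    """'inside' = inspect in on Fa0/0 (as in the question); 'outside' = inspect out on Fa0/1."""
    acl101 = Acl(101, [("permit", "ip", "192.168.1.0/24", "any")])   # constructed
    acl100 = Acl(100, [("deny", "ip", "any", "any")])                # constructed
    return Router({
        "Fa0/0": Interface("Fa0/0", acl_in=acl101, inspect_in=(inspect_where == "inside")),
        "Fa0/1": Interface("Fa0/1", acl_in=acl100, inspect_out=(inspect_where == "outside")),
    })


def run_scenario(inspect_where: str):
    """Push three constructed packets through the router and return the verdicts."""
    r = build_router(inspect_where)
    outbound = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 443)   # inside host starts HTTPS
    reply = Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 40000)      # server's return traffic
    unsolicited = Packet("tcp", "198.51.100.7", 5555, "192.168.1.10", 22)  # nobody asked for this
    return [
        r.forward(outbound, "Fa0/0", "Fa0/1"),
        r.forward(reply, "Fa0/1", "Fa0/0"),
        r.forward(unsolicited, "Fa0/1", "Fa0/0"),
    ]


if __name__ == "__main__":
    for where in ("inside", "outside"):
        print(f"-- ip inspect placed on {where} interface --")
        for verdict, why in run_scenario(where):
            print(f"{verdict:6} {why}")
```

Running it prints permit / permit / deny for both placements: the reply to the inside-initiated session is admitted through the otherwise deny-all ACL 100 on Fa0/1 by the session entry, while the unsolicited inbound packet has no session and is dropped by ACL 100. That is the point of the answer: what matters is that the initiating direction of the flow is inspected somewhere on its path, not which interface carries the ACL that the return traffic would otherwise hit.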