[c-nsp] dual cbac
Daniel Staněk
dan at orb.cz
Wed Oct 10 16:30:55 EDT 2007
Hi friends,
is it OK to have a construction like:

ip inspect name fw tcp
... etc
int dialer1
 desc internet
 ip inspect fw out
 ip access-group from-internet in
int vlan1
 desc company1
 ip inspect fw in
 ip access-group to-company1 out
int vlan2
 desc company2
 ip inspect fw in
 ip access-group to-company2 out

The idea is to have one router and internet connection for two companies
and to have full control over the communication between the two
companies (acl to-company1 and to-company2). But if a packet
originates in a company's vlan and goes to the internet interface, it is
passed through both inspection rules (for example vlan1 in and dialer1 out).
What happens if the inspection rules differ (if I have, for example,
another inspect fw2 out on dialer1)?
Thanks for comments
Dan