[c-nsp] dual cbac
John Kougoulos
koug at intracom.gr
Thu Oct 11 17:25:12 EDT 2007
Hello,
Based on what I remember from some tests a few years ago, IOS will use the
CBAC configuration that it matches first, but the first packet
must be permitted through all the ACLs.
So in case on Vlan1 you have "ip inspect fw in" and on Dialer1 you have
"ip inspect fw2 out", if the first packet starts from company1 and
is destined to the Internet, IOS will use the "fw" inspect configuration.
I prefer the following:
int vlan1
ip inspect vlan1in in
ip inspect vlan1out out
ip access-group vlan1aclin in
ip access-group vlan1aclout out
int vlan2
ip inspect vlan2in in
ip inspect vlan2out out
ip access-group vlan2aclin in
ip access-group vlan2aclout out
int dialer1
ip access-group internetout out
ip access-group internetin in
It doubles the ACLs you have to add, but it's safer I think.
--koug
On Wed, 10 Oct 2007, Daniel Staněk wrote:
> Hi friends,
>
> is it ok to have a construction like:
>
>
> ip inspect name fw tcp
> ... etc
>
> int dialer1
> desc internet
> ip inspect fw out
> ip access-group from-internet in
>
>
> int vlan1
> desc company1
> ip inspect fw in
> ip access-group to-company1 out
>
>
> int vlan2
> desc company2
> ip inspect fw in
> ip access-group to-company2 out
>
>
>
>
> The idea is to have one router and internet connection for two companies
> and to have full control over the communication between the two
> companies (acl to-company1 and to-company2). But if the packet is
> originated in a company's vlan and goes to the internet interface, it
> passes both inspection rules (for example vlan1 in and dialer1 out).
> What happens if the inspection rules differ (if I have for example
> another inspect fw2 out on dialer1)?
>
> Thanks for comments
> Dan
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
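The per-interface layout in the reply above doubles the number of ACL and inspect statements, which is exactly where a name typo slips in. As an added example (not code from either poster), this small checker parses an IOS-style config and reports access-groups that name an ACL that is never defined, plus any interface where an inspect direction has no ACL bound on the reverse direction, which is the pairing the reply's layout relies on. The sample config and its named ACL headers are constructed for the demo; only the interface statements follow the reply.

```python
import re

# Constructed sample in the per-interface layout of the reply; ACL headers are hypothetical.
SAMPLE_CONFIG = """\
ip access-list extended vlan1aclin
ip access-list extended vlan1aclout
ip access-list extended vlan2aclin
ip access-list extended vlan2aclout
ip access-list extended internetin
ip access-list extended internetout
interface Vlan1
 ip inspect vlan1in in
 ip inspect vlan1out out
 ip access-group vlan1aclin in
 ip access-group vlan1aclout out
interface Vlan2
 ip inspect vlan2in in
 ip inspect vlan2out out
 ip access-group vlan2aclin in
 ip access-group valn2aclout out
interface Dialer1
 ip access-group internetout out
 ip access-group internetin in
"""

def parse(config):
    # Returns defined ACL names and, per interface, direction -> inspect/ACL name.
    acls, ifaces, cur = set(), {}, None
    for line in config.splitlines():
        if m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"inspect": {}, "acl": {}})
        elif cur is not None and (m := re.match(r"\s+ip (inspect|access-group) (\S+) (in|out)", line)):
            cur["inspect" if m.group(1) == "inspect" else "acl"][m.group(3)] = m.group(2)
    return acls, ifaces

def lint(config):
    acls, ifaces = parse(config)
    findings = []
    for name, cfg in ifaces.items():
        for direction, acl in cfg["acl"].items():
            if acl not in acls:  # a dangling reference leaves that direction unfiltered
                findings.append(f"{name}: access-group {acl} {direction} references an undefined ACL")
        for direction in cfg["inspect"]:
            # the reply pairs each inspect direction with an ACL on the reverse direction
            rev = "out" if direction == "in" else "in"
            if rev not in cfg["acl"]:
                findings.append(f"{name}: inspect {direction} without access-group {rev}")
    return findings
```

Running `lint(SAMPLE_CONFIG)` flags the misspelled `valn2aclout` on Vlan2 and nothing else; Dialer1, which carries ACLs but no inspection, produces no finding.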