[c-nsp] dual cbac

John Kougoulos koug at intracom.gr
Thu Oct 11 17:25:12 EDT 2007


Hello,

Based on what I remember from some tests a few years ago, IOS will use the
CBAC configuration that it matches first, but the first packet must be
permitted through all the ACLs.

So if on Vlan1 you have "ip inspect fw in" and on Dialer1 you have
"ip inspect fw2 out", and the first packet starts from company1 and is
destined to the Internet, IOS will use the "fw" inspect configuration.

I prefer the following:
int vlan1
  ip inspect vlan1in in
  ip inspect vlan1out out
  ip access-group vlan1aclin in
  ip access-group vlan1aclout out

int vlan2
  ip inspect vlan2in in
  ip inspect vlan2out out
  ip access-group vlan2aclin in
  ip access-group vlan2aclout out

int dialer1
  ip access-group internetout out
  ip access-group internetin in

It doubles the ACLs you have to add, but it's safer I think.
--koug
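As an added illustration of the per-interface approach above (this is not koug's or Dan's configuration), here is a fuller version with the inspect rules and ACLs filled in. The subnets (10.1.0.0/24 for company1, 10.2.0.0/24 for company2), the interface addresses and the ACL contents are constructed assumptions; the point is that each interface and direction gets its own inspect rule and its own ACL, so the two companies are separated by explicit deny entries rather than by whichever inspect rule happens to match first.

```cisco
! Added example, not from the original thread. Subnets, addresses and ACL
! contents are constructed assumptions.
!
! One inspect rule per interface and direction, so each can differ.
ip inspect name vlan1in tcp
ip inspect name vlan1in udp
ip inspect name vlan1out tcp
ip inspect name vlan2in tcp
ip inspect name vlan2in udp
ip inspect name vlan2out tcp
!
! Traffic entering from company1: deny company2 explicitly, allow the rest.
ip access-list extended vlan1aclin
 deny   ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 any
 deny   ip any any
!
! Traffic leaving the router towards company1: nothing is statically open;
! CBAC adds temporary entries for return traffic of inspected sessions.
ip access-list extended vlan1aclout
 deny   ip any any
!
! Same pattern for company2.
ip access-list extended vlan2aclin
 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended vlan2aclout
 deny   ip any any
!
! Internet side: only replies opened by CBAC get in; whatever the VLAN
! ACLs already let through may leave.
ip access-list extended internetin
 deny   ip any any
!
ip access-list extended internetout
 permit ip any any
!
interface Vlan1
 description company1
 ip address 10.1.0.1 255.255.255.0
 ip inspect vlan1in in
 ip inspect vlan1out out
 ip access-group vlan1aclin in
 ip access-group vlan1aclout out
!
interface Vlan2
 description company2
 ip address 10.2.0.1 255.255.255.0
 ip inspect vlan2in in
 ip inspect vlan2out out
 ip access-group vlan2aclin in
 ip access-group vlan2aclout out
!
interface Dialer1
 description internet
 ip access-group internetin in
 ip access-group internetout out
```

With this layout a packet from company1 to company2 is dropped by vlan1aclin before any inspection happens, and a session from company1 to the Internet is only ever inspected by vlan1in, so changing the Dialer1 side later cannot silently alter which inspect rule applies to the companies' traffic.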

On Wed, 10 Oct 2007, Daniel Staněk wrote:

> Hi friends,
>
> is it ok to have construction like:
>
>
> ip inspect name fw tcp
> ... etc
>
> int dialer1
>   desc internet
>   ip inspect fw out
>   ip access-group from-internet in
>
>
> int vlan1
>   desc company1
>   ip inspect fw in
>   ip access-group to-company1 out
>
>
> int vlan2
>   desc company2
>   ip inspect fw in
>   ip access-group to-company2 out
>
>
>
>
> The idea is to have one router and internet connection for two companies
> and to have full control over the communication between the two
> companies (acl to-company1 and to-company2). But if the packet is
> originated in a company's vlan and goes to the internet interface, it is
> passed through both inspection rules (for example vlan1 in and dialer1 out).
> What happens if the inspection rules differ (if I have for example
> another inspect fw2 out on dialer1)?
>
> Thanks for comments
> Dan
>
