Re: IP Inspect

From: Bob Sinclair (bsin@cox.net)
Date: Wed Jun 01 2005 - 18:07:37 GMT-3


Rik,

Lots of options, but the basic story is this:

1. Create and apply an extended access-list inbound the outside (public)
interface. CBAC will open up holes in this access-list for return, inspected
traffic.
        example:
            access-list 101 deny ip any any
            int s0/0
                ip access-group 101 in

2. Create a named inspection rule. This will define what traffic CBAC should
inspect.
        example:
            ip inspect name TEST tcp
            ip inspect name TEST udp
            ip inspect name TEST icmp

3. Apply the inspection rule outbound the outside (public) interface.
        example:
            int s0/0
                ip inspect TEST out

If you do not have Richard Deal's Cisco Router Firewall Security, then you
should sell something and get it. :}
ISBN: 1-58705-175-3

HTH,

Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net
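
The three steps above, modelled as an added example that is not part of Bob's post: a small Python simulation of the outside interface with access-list 101 applied inbound and the TEST inspection rule applied outbound, showing why the ACL can deny everything and still let replies to inspected sessions back in. Addresses, ports and the protocol names are constructed for the demo.

```python
from dataclasses import dataclass

# ip inspect name TEST tcp / udp / icmp  (protocols CBAC tracks)
INSPECTED = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int   # 0 for protocols without ports (icmp, gre)
    dst: str
    dport: int


class OutsideInterface:
    """Models s0/0 with 'ip access-group 101 in' and 'ip inspect TEST out'."""

    def __init__(self):
        self.sessions = set()  # dynamic entries CBAC opened for return traffic

    def outbound(self, pkt):
        # Outbound traffic is not filtered here. If its protocol is in the
        # inspection rule, CBAC records the session so the reply is allowed in.
        if pkt.proto in INSPECTED:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "forwarded"

    def inbound(self, pkt):
        # CBAC's temporary entries match only the exact reverse of an inspected
        # outbound flow; anything else falls through to the static ACL.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permitted (CBAC session)"
        return "denied (access-list 101)"  # access-list 101 deny ip any any


def demo():
    iface = OutsideInterface()
    inside, outside = "10.1.1.10", "198.51.100.7"  # constructed addresses
    results = {}
    # Inside host opens a TCP session; the reply is admitted by the dynamic entry.
    iface.outbound(Packet("tcp", inside, 40000, outside, 80))
    results["tcp_reply"] = iface.inbound(Packet("tcp", outside, 80, inside, 40000))
    # Unsolicited inbound connection: no matching session, static ACL denies it.
    results["unsolicited"] = iface.inbound(Packet("tcp", outside, 50000, inside, 22))
    # A protocol not listed in the inspection rule (gre here) gets no return hole.
    iface.outbound(Packet("gre", inside, 0, outside, 0))
    results["gre_reply"] = iface.inbound(Packet("gre", outside, 0, inside, 0))
    return results
```

The gre case answers the "should I also inspect inbound?" question: nothing needs to be inspected inbound, but any protocol you leave out of the outbound inspection rule has its replies dropped by the deny-all ACL.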

  ----- Original Message -----
  From: Guyler, Rik
  To: 'ccielab@groupstudy.com'
  Sent: Wednesday, June 01, 2005 2:56 PM
  Subject: IP Inspect

  I'm having a little trouble following the logic for "ip inspect" statements.
  As I understand it you apply these to a public interface and the inspection
  tracks sessions between hosts to allow for temporary access. That said, the
  part that is a bit gray for me is the ACL that the docs mention and what
  direction the inspect should go. Should I create an ACL that basically
  denies everything and then let the inspect handle what goes out? Should I
  also be inspecting traffic coming in? I think I'm too PIX-concentric to
  understand the logic here.

  If anybody can explain this to me or provide a link that explains it better
  than CCO that would be great.

  Thanks in advance,

  ---
  Rik

  _______________________________________________________________________
  Subscription information may be found at:
  http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:40 GMT-3