From: Bill Wharton (bill_wharton@mailhost.cjb.net)
Date: Sun Jan 15 2006 - 21:29:46 GMT-3
Cisco 3750
f0/0 - LAN interface
s0/0 - WAN interface to Internet

interface s0/0
 ip inspect inspect1 out

Now I know that traffic outbound from LAN users would be inspected through a
state table. However, this network is also hosting a mail & web server and
I've created a static NAT for them along with an access list rule applied
inbound on s0/0.
With the above settings, will inbound traffic to the mail & web server be
protected too? For example with the PIX, the fixup would only allow certain
commands through to the SMTP server and this is the kind of protection I'm
looking for. Should I apply the 'ip inspect' in another direction like this
below or is my thinking incorrect?

int s0/0
 ip inspect inspect1 in

1) Will this command achieve what I am looking for?
2) Will the LAN-initiated traffic undergo double inspection in any way
because of this new command?