From: Kal Han (calikali2006@gmail.com)
Date: Thu Sep 07 2006 - 20:31:38 ART
Hi
I am not clear about what exactly happens after one applies
inspection on an interface.
------------------------[ROUTER]---------------------
Inside                              Outside
ACL --> permit http                 ACL --> deny any any
inspect http
INSIDE USER WANTS TO CONNECT TO AN OUTSIDE WEBSITE.
On the router inside interface, I applied an inbound acl to permit http.
I have http inspection applied for the inbound traffic on inside.
I have a "deny any any" inbound ACL on the outside interface.
Given that the inspection is applied for inbound traffic on the inside
interface, will I be able to successfully establish an http connection?
My question is: if I apply this config ( inspection on inside interface ),
will the ACL ( or a pinhole ) be created on the outside interface to allow
return traffic?
If I apply inspection on the outside interface ( instead of inside ), the
answer is simple: the reverse traffic will be permitted.
What about here, where applying inspection on one interface should open a
pinhole on the other side?
Or is CBAC also like PIX, which checks for an existing flow first, before the
access list? In that case the access-list is not even checked for the return
traffic, as there is an existing flow ( or state table entry ).
Please let me know
Thanks
Kal
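An added IOS configuration example, not from Kal's post, that expresses the setup the question describes: an inbound ACL on the inside interface permitting HTTP, `ip inspect` applied inbound on that same interface, and an inbound ACL on the outside interface that denies everything. Interface names, ACL names, the inspection rule name and the addresses are assumptions chosen for illustration. The two `show` commands at the end are the checks that reveal whether inspection has tracked the session and opened return traffic on the outside interface.

```cisco
! Added example (not from the post): CBAC setup as described in the question.
! Interface names, ACL names, the inspect rule name and addresses are assumptions.
ip inspect name FW-INSPECT http

ip access-list extended INSIDE-IN
 remark Inside users may start HTTP sessions outbound
 permit tcp any any eq www

ip access-list extended OUTSIDE-IN
 remark Nothing is statically permitted; only inspection can admit return traffic
 deny ip any any

interface FastEthernet0/0
 description INSIDE
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip inspect FW-INSPECT in

interface FastEthernet0/1
 description OUTSIDE
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in

! Verification from enable mode, after an inside host opens an HTTP session:
! show ip inspect sessions         -> lists the session CBAC is tracking
! show ip access-lists OUTSIDE-IN  -> where temporary entries for return
!                                    traffic appear, on IOS versions that display them
```

The deny on OUTSIDE-IN is deliberate: Cisco's CBAC documentation describes inspection as inserting temporary permit entries into the ACL on the return-path interface for each tracked session, so that interface's static ACL should permit nothing that inspection is expected to open. Running the two `show` commands before and after a test connection from the inside host answers the question for the specific IOS version in use.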
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART