Re: CBAC DIRECTION

From: secondie (secondie@gmail.com)
Date: Tue Jan 09 2007 - 14:46:35 ART


Closest to source is preferred but also depends on the number of
interfaces and how many of them need to be protected. If you have one
interface in and one out, I will probably put it on the protected side. If
there are multiple protected interfaces then I will put it on the outside.

Manjeet Chawla
CCIE #5591 (R&S/Security)

cadet wrote:
> Hi all!
> I have a question about CBAC direction.
>
> For example, I have:
>
> protected network --- e0 --- R1 --- e1 --- unprotected network
> I need to accept only connections from the protected network or answers from
> the unprotected network on these connections.
>
> As for me there are 2 variants:
>
> 1
> protected network CBAC IN --- e0 --- R1 --- e1 ACL IN (deny any any) --- unprotected network
>                   ^^^^^^^                      ^^^^^^^^^^^^^^^^^^^^^
>
> 2
> protected network --- e0 --- R1 --- e1 CBAC OUT + ACL IN (deny any any) --- unprotected network
>                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Which variant is correct?
>
> HTH.

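The two placements from the question, written out as IOS configuration. This is an added example, not part of the original thread; the inspection rule name FW, ACL number 101 and the inspected protocols are assumptions.

```cisco
! Added example (constructed): rule name FW, ACL 101 and the protocol
! list are assumptions, not values from the thread.
!
! Shared by both variants: the inspection rule and the inbound block on e1.
ip inspect name FW tcp
ip inspect name FW udp
access-list 101 deny ip any any
!
! Variant 1: inspect where traffic enters the router from the protected side.
interface Ethernet0
 ip inspect FW in
interface Ethernet1
 ip access-group 101 in
!
! Variant 2: inspect where traffic leaves the router toward the unprotected side.
! (Apply instead of variant 1, not in addition to it.)
interface Ethernet0
 no ip inspect FW in
interface Ethernet1
 ip inspect FW out
 ip access-group 101 in
```

In both variants CBAC tracks sessions initiated from the protected network and adds temporary permit entries ahead of the deny in ACL 101 for the return traffic; `show ip inspect sessions` lists the tracked sessions. With several protected interfaces, variant 2 needs only the one inspect statement on e1, while variant 1 needs one on each protected interface.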


This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:56 ART