Apply Inspection Rules and ACLs to an Interface

Sep 10,2009 by alperen


It’s time to apply the inspection set to a router interface. If the interface connects to the external network, apply the inspection rules to outbound traffic. If the interface connects to the internal network, apply the inspection rules to inbound traffic. When the rules are applied to outbound traffic, returning inbound packets are permitted only if they belong to a valid connection for which state information already exists, and that state is created only by an outbound packet that initiated the connection.

Normally, you apply only one inspection rule per interface. The only exception is if you want to enable CBAC in two directions between two departments or partner networks. To configure CBAC in both directions on a single firewall interface, apply two rules, one for each direction.

Use the ip inspect command in interface configuration mode to apply a set of inspection rules to an interface. Use the no form of the command to remove the set of rules from the interface. The syntax is

Rtr1(config-if)#ip inspect inspection-name {in | out}
Rtr1(config-if)#no ip inspect inspection-name {in | out}

in    Applies the inspection rules to inbound traffic (relative to the router)
out   Applies the inspection rules to outbound traffic (relative to the router)

This command was introduced in IOS 11.2.

This example applies a set of inspection rules named letusin to an external interface’s outbound traffic. The inspection set is the one created in the previous example and isn’t repeated here. Inbound IP traffic is permitted only if it is part of an existing session created by the letusin inspections. All other inbound traffic is denied unless it is the specific ICMP traffic allowed by the inbound ACL 101. The outbound ACL 150 specifies the traffic that can leave the network.

Rtr1(config)#access-list 101 deny udp any any 
Rtr1(config)#access-list 101 deny tcp any any
Rtr1(config)#access-list 101 permit icmp any any echo-reply
Rtr1(config)#access-list 101 permit icmp any any packet-too-big
Rtr1(config)#access-list 101 permit icmp any any time-exceeded
Rtr1(config)#access-list 101 permit icmp any any traceroute
Rtr1(config)#access-list 101 permit icmp any any unreachable
Rtr1(config)#access-list 150 permit tcp any any
Rtr1(config)#access-list 150 permit udp any any
Rtr1(config)#access-list 150 permit icmp any any
Rtr1(config)#interface serial0
Rtr1(config-if)#ip inspect letusin out
Rtr1(config-if)#ip access-group 150 out
Rtr1(config-if)#ip access-group 101 in
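To make the interaction between the two ACLs and the inspection state concrete, here is a small Python model of serial0 as configured above. It is an added illustration, not IOS code or anything from the original article, and it assumes (since the article does not repeat the rule set) that letusin inspects TCP and UDP; addresses are ignored in ACL matching because every entry above is "any any".

```python
"""Toy model of CBAC on serial0 (constructed example, not Cisco IOS code).

Outbound packets are checked against ACL 150 and, for inspected protocols,
create a session entry.  Inbound packets that match an existing session are
permitted (the dynamic opening CBAC inserts ahead of the inbound ACL); any
other inbound packet falls through to ACL 101 and its implicit deny.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = None   # ICMP type name, only meaningful for proto "icmp"

# ACL entries as (action, protocol, icmp_type); None matches any ICMP type.
ACL_101_IN = [("deny", "udp", None), ("deny", "tcp", None)] + [
    ("permit", "icmp", t)
    for t in ("echo-reply", "packet-too-big", "time-exceeded", "traceroute", "unreachable")]
ACL_150_OUT = [("permit", "tcp", None), ("permit", "udp", None), ("permit", "icmp", None)]
INSPECTED = {"tcp", "udp"}  # assumed contents of the "letusin" inspection set

def acl_permits(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, proto, icmp_type in acl:
        if proto == pkt.proto and (icmp_type is None or icmp_type == pkt.icmp_type):
            return action == "permit"
    return False

class Serial0:
    def __init__(self):
        self.sessions = set()   # 5-tuples of connections initiated from inside

    def outbound(self, pkt):
        if not acl_permits(ACL_150_OUT, pkt):
            return False
        if pkt.proto in INSPECTED:   # CBAC records state for inspected traffic
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        # Return traffic is the outbound 5-tuple with source and destination swapped.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True
        return acl_permits(ACL_101_IN, pkt)
```

Run it with an outbound TCP packet followed by its reply and by an unsolicited inbound SYN to see why the reply passes although ACL 101 denies all TCP.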
