Deciding where CBAC should be configured (internal or external interface) is subjective. As shown in Figure 5-3,
CBAC inspection can be configured on either internal or external interfaces, a decision that depends entirely on
the security policy. When making that decision, consider which segment must be protected:
Apply CBAC inspection to the external (outbound) interface when configuring CBAC for outbound traffic.
Apply CBAC inspection to the internal (inbound) interface when configuring CBAC for inbound traffic.
Figure 5-3. Applying ACL and CBAC Inspection
To apply an inspection rule to an interface, use the ip inspect inspection-name {in | out} command in
interface configuration mode.
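The following configuration is an added illustration, not an example from the original text. It shows the first case above: an inspection rule applied outbound on the external interface, paired with an inbound ACL on the same interface. The rule name FWRULE, the interface names, and ACL number 101 are assumptions chosen for the illustration.

```cisco
! Constructed example: FWRULE, Serial0/0, FastEthernet0/0 and ACL 101 are assumed names.
!
! Inspection rule: protocols whose sessions CBAC tracks.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
!
! Extended ACL that blocks sessions initiated from the outside.
! CBAC adds temporary entries to this ACL for return traffic of inspected sessions.
access-list 101 deny ip any any
!
interface FastEthernet0/0
 description Internal (protected) segment
!
interface Serial0/0
 description External (untrusted) segment
 ! Filter traffic arriving from the outside.
 ip access-group 101 in
 ! Inspect sessions leaving through this interface.
 ip inspect FWRULE out
```

Because the inbound ACL must be an extended ACL for CBAC to insert its temporary entries, a standard ACL in place of 101 would leave return traffic blocked.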
Step 6: Verifying and Monitoring CBAC
Use the show ip inspect [config | interface] command or the show ip inspect all command to verify CBAC
configuration settings. To view the statistics and the session information table, including all established and
half-open connections for sessions flowing through the firewall, use the show ip inspect session [detail] command. In
addition, use the show ip access-lists command to verify the dynamic access list entries populated in the
firewall access list, as shown in Example 5-1 and Example 5-2.