Hi there
I have read a reasonable amount about the IOS ip inspect function, but I'd really appreciate it if someone could verify a few things that are still unclear for me.
Consider a firewall router with three interfaces - one to the LAN, one to the Internet, and one to the DMZ. Just to note, ip inspect can be enabled in each direction on every interface, so theoretically there could be a maximum of 6 ip inspect rules used on this router.
If I understand ip inspect correctly, if "ip inspect xxxx out" is used, packets are inspected when going in the direction of the final parameter, which in this case is "out"-wards. Is this true, i.e. incoming packets to this interface will not be inspected using this command, although it may have created an incoming permit ACL to allow the traffic to return?
How many ACLs can a single ip inspect command open, and on how many interfaces? Consider that incoming and outgoing "deny all" ACLs are created on both sides of the LAN and the Internet interfaces, and an "ip inspect in" is used on the LAN interface. An "incoming" permit statement ACL is configured on the LAN interface too, to allow internal clients to access any host at port 80. When a client browses the web, will ip inspect (a) create 3 ACLs to allow packets out through the Internet NIC and back through the Internet and LAN NICs, (b) create 2 ACLs for the return traffic, meaning that it gets blocked at the outgoing ACL on the Internet NIC unless an ACL is written to allow this traffic out, or (c) create only one return ACL to allow the traffic back in the other direction of the LAN NIC?
Basically I want to know if ip inspect will create all ACLs on all interfaces for the packet to reach its destination and return, or if it can only add ACLs to the NIC on which it is configured.
I hope my explanation is not too confusing!
Depending upon the answers to this, the answer to my next question may be obvious, but... Would it be practical and advantageous to have incoming and outgoing ip inspect rules on all interfaces of this router (so in total 6 ip inspect rules), or would this become an administrative nightmare when new requests to allow outgoing traffic are made from users?
Thank you kindly in advance for your wise words!
Best wishes, Paul
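A worked IOS configuration for the three-interface layout described in the question, added here as an illustration; it is not from the original post. Interface names, addresses (RFC 5737 documentation ranges), the inspection-rule name FW and the ACL numbers 101-103 are assumptions made for the example. The design it shows (an inspection rule applied inbound on the interface where a session originates, paired with an inbound ACL on every interface that statically permits only what that side may initiate) is one common way to lay CBAC out, and it uses three inspect statements rather than six; it is not the only valid arrangement.

```cisco
! Added example: CBAC (ip inspect) on a three-interface IOS firewall router.
! Assumptions (not from the original post): FastEthernet0/0 = LAN (10.1.1.0/24),
! FastEthernet0/1 = Internet (203.0.113.2/30), FastEthernet0/2 = DMZ (192.0.2.0/24),
! DMZ web server = 192.0.2.10. Addresses are documentation ranges.
!
! One inspection rule set, reused on each interface. ftp is listed so that the
! data channel is tracked with its control channel; generic tcp/udp catch the rest.
ip inspect name FW ftp
ip inspect name FW tcp
ip inspect name FW udp
ip inspect audit-trail
!
! ACL 101, inbound on the LAN interface: what internal clients may initiate.
! This is the "port 80 permit" from the question, plus HTTPS and DNS; everything
! else is denied and logged.
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 101 permit udp 10.1.1.0 0.0.0.255 any eq 53
access-list 101 deny   ip any any log
!
! ACL 102, inbound on the Internet interface: only the published DMZ web service
! is permitted statically. Return traffic for LAN-initiated sessions is deliberately
! NOT listed; CBAC inserts temporary entries for it when it sees the outbound session.
access-list 102 permit tcp any host 192.0.2.10 eq 80
access-list 102 deny   ip any any log
!
! ACL 103, inbound on the DMZ interface: what DMZ hosts may initiate on their own
! (DNS only here). Replies from the web server to inbound sessions inspected on the
! Internet interface are handled by CBAC rather than by a static "established" rule.
access-list 103 permit udp host 192.0.2.10 any eq 53
access-list 103 deny   ip any any log
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
 ip inspect FW in
!
interface FastEthernet0/1
 description Internet
 ip address 203.0.113.2 255.255.255.252
 ip access-group 102 in
 ip inspect FW in
!
interface FastEthernet0/2
 description DMZ
 ip address 192.0.2.1 255.255.255.0
 ip access-group 103 in
 ip inspect FW in
```

To see where CBAC has actually opened the return path, start a web session from a LAN client and run `show ip inspect sessions detail`: each established session is listed with the ACL in which its temporary entry was created, which answers the "how many ACLs, on which interface" question empirically for whatever layout is in use. With this design, adding a new outbound service for users means adding one line to ACL 101 only; the inspect statements themselves do not change.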