CBAC, egress ACL and ingress ACL question

tgroth · ‎03-22-2004

I am testing with a few 1700 Cisco routers in the field running CBAC and I would also like to apply ingress and egress ACL. The routers are dual Ethernet routers and are connected to the Internet. One Ethernet connection to the outside, one Ethernet connection to the inside and an asy port for dial backup. Also note my outside interface has a static IP address that belongs to the ISP and we PAT. I wouldn’t think I would want to apply the egress ACL to the outside interface going out because the ACL sources IP would then be our ISP’s static IP address and that would make the egress filter less effective.

1. Which interface should I apply CBAC to?

2. Which interface should I apply the ingress filter to?

3. Which interface should I apply the egress filter to?

4. Can you give me an example or send me a link of “best practice” for configuring egress and ingress ACL?

revangelista · ‎03-22-2004

1: I believe you could apply CBAC on both 'outside' and 'inside' interfaces.

2: 'Ingress' filtering should be applied on the 'outside' or 'Internet Facing' interface for traffic is going 'inbound' in to your protected network.

3: 'Egress' filtering should be applied on your 'inside' interface. This is the interface where your protected network's traffic comes in, and going out ("egressing" or exiting) to the Internet.

4: Review RFC 2827 (ref: http://www.faqs.org/rfcs/rfc2827.html)

Utilizing CBAC on a router takes a major hit on CPU cycles. I recommend implementing a dedicated firewall device.

Hope this helps.

--re