CBAC <-> traffic starting from the router.

From: Kal Han (calikali2006@gmail.com)
Date: Mon Nov 13 2006 - 20:50:25 ART


Hi
Will CBAC inspect traffic starting from the router itself?
Or will it inspect only traffic going through the router, with respect
to what return traffic is allowed?

I have icmp inspection enabled, and
I am pinging from R4 -> R5, and the return traffic is being blocked.
Is this expected?
Here is my config and ping output.

R5#sh run | in ip inspect
ip inspect name ids tcp
ip inspect name ids udp
ip inspect name ids icmp
ip inspect name ids ftp
ip inspect name idsin http
ip inspect name idsin icmp
 ip inspect idsin in
 ip inspect ids out

R5#sh access-li 101
Extended IP access list 101
    1 permit icmp any any echo
    2 permit icmp any any echo-reply
    10 permit tcp any any eq telnet
    20 permit tcp any any eq www
    30 permit tcp any any eq 443
    40 permit tcp any any eq ftp
    50 permit udp any any eq domain
    60 deny ip any any log
R5#
R5#sh access-li 102
Extended IP access list 102
    1 permit ospf host 195.3.56.3 host 195.3.56.5 (145 matches)
    2 permit ospf host 195.3.56.6 host 195.3.56.5 (168 matches)
    5 permit udp host 195.3.56.3 host 195.3.56.5 eq ntp (328 matches)
    10 permit tcp any host 195.1.5.25 eq www
    20 permit tcp any host 195.1.5.25 eq 443
    30 permit udp host 195.1.114.4 host 195.3.56.5 eq isakmp (20 matches)
    40 permit udp host 195.1.114.4 host 195.3.56.5 eq non500-isakmp
    50 permit esp host 195.1.114.4 host 195.3.56.5 (27 matches)
    60 permit ospf host 195.3.56.3 host 224.0.0.9
    70 permit ospf host 195.3.56.3 host 224.0.0.5 (387 matches)
    80 permit ospf host 195.3.56.6 host 224.0.0.5 (387 matches)
    90 deny ip any any log (187 matches)
R5#
R5#sh run int s0/0
Building configuration...

Current configuration : 480 bytes
!
interface Serial0/0
 ip address 195.3.56.5 255.255.255.0
 ip access-group 102 in
 ip access-group 101 out
 ip inspect idsin in
 ip inspect ids out
 encapsulation frame-relay
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cciesec
 ip ospf network point-to-multipoint
 frame-relay map ip 195.3.56.3 503 broadcast
 frame-relay map ip 195.3.56.6 506 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type cisco
 crypto ipsec client ezvpn myezvpn
end

R5#p 44.44.44.44 sour 10.55.55.55

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 10.55.55.55

*Mar 1 23:16:39.922: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 44.44.44.44 -> 195.168.1.19 (0/0), 1 packet
Success rate is 0 percent (0/5)

Thanks
Kal
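An added example, not part of the original post, modelling why the echo-reply in the output above is denied: classic CBAC installs return-traffic entries only for flows transiting the router, so a ping sourced by R5 itself gets no session entry and its reply falls through to line 90 of ACL 102. The addresses and ACL entries are taken from the post; the flow model (one session tuple per outbound packet, ports ignored) is a simplifying assumption.

```python
"""Simplified model of ACL 102 plus a CBAC session table (added example, not from
the original post). The flow model is an assumption: classic 'ip inspect' installs
return-traffic entries for transit flows only, never for flows the router sources."""
from ipaddress import ip_address, ip_network

# Constructed subset of ACL 102 from the post: (proto, src, dst, action).
# Ports are omitted; "ip" matches any protocol, as on the router.
ACL_102 = [
    ("ospf", "195.3.56.3/32",  "195.3.56.5/32", "permit"),
    ("udp",  "195.3.56.3/32",  "195.3.56.5/32", "permit"),   # ntp
    ("tcp",  "0.0.0.0/0",      "195.1.5.25/32", "permit"),   # www / 443
    ("esp",  "195.1.114.4/32", "195.3.56.5/32", "permit"),
    ("ip",   "0.0.0.0/0",      "0.0.0.0/0",     "deny"),     # line 90, logged
]

def acl_action(acl, proto, src, dst):
    """First-match evaluation as IOS does it, with the implicit deny at the end."""
    for a_proto, a_src, a_dst, action in acl:
        if (a_proto in ("ip", proto) and ip_address(src) in ip_network(a_src)
                and ip_address(dst) in ip_network(a_dst)):
            return action
    return "deny"

class CbacInterface:
    """Serial0/0 with 'ip access-group 102 in' and 'ip inspect ids out'."""
    def __init__(self, acl_in):
        self.acl_in = acl_in
        self.sessions = set()   # (proto, src, dst) of return traffic CBAC admits

    def send_outbound(self, proto, src, dst, router_originated):
        # CBAC inspects transit traffic only: a packet the router itself sources
        # installs no session entry, so nothing will later admit its reply.
        if not router_originated:
            self.sessions.add((proto, dst, src))

    def inbound_allowed(self, proto, src, dst):
        # Return traffic matching a session is admitted; anything else goes
        # through the inbound ACL in the normal way.
        if (proto, src, dst) in self.sessions:
            return True
        return acl_action(self.acl_in, proto, src, dst) == "permit"

def ping_reply_allowed(router_originated):
    """R5's ping to 44.44.44.44 sourced from 10.55.55.55: the echo-reply is
    admitted only when a transit host, not R5 itself, originated the echo."""
    s0 = CbacInterface(ACL_102)
    s0.send_outbound("icmp", "10.55.55.55", "44.44.44.44", router_originated)
    return s0.inbound_allowed("icmp", "44.44.44.44", "10.55.55.55")
```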



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART