Re: CBAC <-> traffic starting from the router.

From: Ivan (ivan@iip.net)
Date: Tue Nov 14 2006 - 07:06:07 ART


For CBAC to work properly it needs an input and an output interface. CBAC is like
Reflexive ACL on steroids. Locally originated traffic can be forwarded out the Lo0
interface. That way the router will see it as going through.

On Tuesday 14 November 2006 02:50, Kal Han wrote:
> Hi
> Will CBAC inspect traffic starting from the router itself,
> or will it inspect only traffic going through the router with respect
> to what return traffic is allowed?
>
> I have icmp inspection enabled and
> I am pinging from R4 -> R5, and the return traffic is being blocked.
> Is this expected?
> Here is my config and ping output.
>
>
> R5#sh run | in ip inspect
> ip inspect name ids tcp
> ip inspect name ids udp
> ip inspect name ids icmp
> ip inspect name ids ftp
> ip inspect name idsin http
> ip inspect name idsin icmp
> ip inspect idsin in
> ip inspect ids out
>
>
> R5#sh access-li 101
> Extended IP access list 101
> 1 permit icmp any any echo
> 2 permit icmp any any echo-reply
> 10 permit tcp any any eq telnet
> 20 permit tcp any any eq www
> 30 permit tcp any any eq 443
> 40 permit tcp any any eq ftp
> 50 permit udp any any eq domain
> 60 deny ip any any log
> R5#
> R5#sh access-li 102
> Extended IP access list 102
> 1 permit ospf host 195.3.56.3 host 195.3.56.5 (145 matches)
> 2 permit ospf host 195.3.56.6 host 195.3.56.5 (168 matches)
> 5 permit udp host 195.3.56.3 host 195.3.56.5 eq ntp (328 matches)
> 10 permit tcp any host 195.1.5.25 eq www
> 20 permit tcp any host 195.1.5.25 eq 443
> 30 permit udp host 195.1.114.4 host 195.3.56.5 eq isakmp (20 matches)
> 40 permit udp host 195.1.114.4 host 195.3.56.5 eq non500-isakmp
> 50 permit esp host 195.1.114.4 host 195.3.56.5 (27 matches)
> 60 permit ospf host 195.3.56.3 host 224.0.0.9
> 70 permit ospf host 195.3.56.3 host 224.0.0.5 (387 matches)
> 80 permit ospf host 195.3.56.6 host 224.0.0.5 (387 matches)
> 90 deny ip any any log (187 matches)
> R5#
> R5#sh run int s0/0
> Building configuration...
>
> Current configuration : 480 bytes
> !
> interface Serial0/0
> ip address 195.3.56.5 255.255.255.0
> ip access-group 102 in
> ip access-group 101 out
> ip inspect idsin in
> ip inspect ids out
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 cciesec
> ip ospf network point-to-multipoint
> frame-relay map ip 195.3.56.3 503 broadcast
> frame-relay map ip 195.3.56.6 506 broadcast
> no frame-relay inverse-arp
> frame-relay lmi-type cisco
> crypto ipsec client ezvpn myezvpn
> end
>
>
> R5#p 44.44.44.44 sour 10.55.55.55
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
> Packet sent with a source address of 10.55.55.55
>
> *Mar 1 23:16:39.922: %SEC-6-IPACCESSLOGDP: list 102 denied icmp
> 44.44.44.44-> 195.168.1.19 (0/0), 1 packet.....
> Success rate is 0 percent (0/5)
>
> Thanks
> Kal
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Ivan
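
Worked configuration for the loopback workaround Ivan describes, added to this archived thread as an example; it is not part of either poster's message. It reuses R5's Serial0/0, access lists 101/102, the `ids` inspect rule and the 10.55.55.55 loopback address from Kal's config. The route-map name LOCAL-VIA-LO0, access list 150, and the assumption that `set interface Loopback0` in a local policy makes router-generated packets re-enter forwarding with Lo0 as their input interface are mine.

```cisco
! Added example (not from the thread): push router-originated traffic out Lo0
! so that CBAC sees an input interface (Lo0) and an output interface (Serial0/0).
!
! Loopback already used as the ping source in the thread; address is Kal's.
interface Loopback0
 ip address 10.55.55.55 255.255.255.255
!
! Hypothetical ACL: select the locally generated traffic that should be inspected.
! Keep control-plane and tunnel traffic (OSPF, NTP, ISAKMP/ESP) out of it, or the
! local policy will drag those packets through the loopback as well.
access-list 150 permit icmp any any
access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq 443
!
! Hypothetical route-map: send matching locally originated packets out Lo0.
! They loop back in on Lo0 and are routed again, now as transit traffic.
route-map LOCAL-VIA-LO0 permit 10
 match ip address 150
 set interface Loopback0
!
! Local policy routing only applies to packets the router itself generates.
ip local policy route-map LOCAL-VIA-LO0
!
! Unchanged from the thread: the 'ids' rule applied outbound on Serial0/0 now
! has an input interface for the looped-back packets, so it creates the
! dynamic entry that lets the echo-reply past access-list 102.
interface Serial0/0
 ip access-group 102 in
 ip access-group 101 out
 ip inspect ids out
```

To check the effect, repeat the `ping 44.44.44.44 source 10.55.55.55` and look for an icmp session in `show ip inspect sessions`; `debug ip policy` confirms whether the local policy matched the outgoing echo at all. Without the policy the echo has no input interface, the inspect rule on Serial0/0 never opens a return entry, and the reply is dropped by the `deny ip any any log` line in 102 exactly as in Kal's log. Later IOS releases added a `router-traffic` keyword to `ip inspect name` for this use case (introduced around 12.3(14)T); check the command reference for the release in use before relying on it, since it is not supported for every protocol keyword.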


This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART