From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Tue Nov 14 2006 - 13:06:06 ART
Also, there is special CBAC support for inspection of router-originated traffic since 12.3(14)T:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/h_insrg.pdf
On 14.11.06, Ivan <ivan@iip.net> wrote:
>
> For CBAC to work properly it needs an input and an output interface. CBAC is like
> Reflexive ACL on steroids. Locally originated traffic can be forwarded out the Lo0
> interface. That way the router will see it as going through.
>
> On Tuesday 14 November 2006 02:50, Kal Han wrote:
> > Hi
> > Will CBAC inspect traffic starting from the router itself?
> > Or will it inspect only traffic going through the router with respect
> > to what return traffic is allowed?
> >
> > I have icmp inspection enabled and
> > I am pinging from R4 -> R5, and the return traffic is being blocked.
> > Is this expected?
> > Here is my config and ping output.
> >
> >
> > R5#sh run | in ip inspect
> > ip inspect name ids tcp
> > ip inspect name ids udp
> > ip inspect name ids icmp
> > ip inspect name ids ftp
> > ip inspect name idsin http
> > ip inspect name idsin icmp
> > ip inspect idsin in
> > ip inspect ids out
> >
> >
> > R5#sh access-li 101
> > Extended IP access list 101
> > 1 permit icmp any any echo
> > 2 permit icmp any any echo-reply
> > 10 permit tcp any any eq telnet
> > 20 permit tcp any any eq www
> > 30 permit tcp any any eq 443
> > 40 permit tcp any any eq ftp
> > 50 permit udp any any eq domain
> > 60 deny ip any any log
> > R5#
> > R5#sh access-li 102
> > Extended IP access list 102
> > 1 permit ospf host 195.3.56.3 host 195.3.56.5 (145 matches)
> > 2 permit ospf host 195.3.56.6 host 195.3.56.5 (168 matches)
> > 5 permit udp host 195.3.56.3 host 195.3.56.5 eq ntp (328 matches)
> > 10 permit tcp any host 195.1.5.25 eq www
> > 20 permit tcp any host 195.1.5.25 eq 443
> > 30 permit udp host 195.1.114.4 host 195.3.56.5 eq isakmp (20 matches)
> > 40 permit udp host 195.1.114.4 host 195.3.56.5 eq non500-isakmp
> > 50 permit esp host 195.1.114.4 host 195.3.56.5 (27 matches)
> > 60 permit ospf host 195.3.56.3 host 224.0.0.9
> > 70 permit ospf host 195.3.56.3 host 224.0.0.5 (387 matches)
> > 80 permit ospf host 195.3.56.6 host 224.0.0.5 (387 matches)
> > 90 deny ip any any log (187 matches)
> > R5#
> > R5#sh run int s0/0
> > Building configuration...
> >
> > Current configuration : 480 bytes
> > !
> > interface Serial0/0
> >  ip address 195.3.56.5 255.255.255.0
> >  ip access-group 102 in
> >  ip access-group 101 out
> >  ip inspect idsin in
> >  ip inspect ids out
> >  encapsulation frame-relay
> >  ip ospf authentication message-digest
> >  ip ospf message-digest-key 1 md5 cciesec
> >  ip ospf network point-to-multipoint
> >  frame-relay map ip 195.3.56.3 503 broadcast
> >  frame-relay map ip 195.3.56.6 506 broadcast
> >  no frame-relay inverse-arp
> >  frame-relay lmi-type cisco
> >  crypto ipsec client ezvpn myezvpn
> > end
> >
> >
> > R5#p 44.44.44.44 sour 10.55.55.55
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
> > Packet sent with a source address of 10.55.55.55
> >
> > *Mar 1 23:16:39.922: %SEC-6-IPACCESSLOGDP: list 102 denied icmp
> > 44.44.44.44-> 195.168.1.19 (0/0), 1 packet.....
> > Success rate is 0 percent (0/5)
> >
> > Thanks
> > Kal
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Ivan
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
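For reference, here are the two approaches discussed in this thread written out as IOS configuration. This is an added example, not configuration posted by Petr, Ivan or Kal: it reuses Kal's "ids" inspection rule name, ACL 102 and Serial0/0 from his output, and assumes the rest (the Loopback0 address 10.55.55.55 taken from his ping source, ACL 150 and the route-map name are made up for illustration). Option 1 uses the router-traffic keyword from the "Inspection of Router-Generated Traffic" feature Petr links to, so it needs 12.3(14)T or later; Option 2 is Ivan's loopback workaround for older releases. Use one or the other, not both, and check the exact keyword syntax against the linked document for the release you run.

```cisco
! Added example, not from the original thread.
! Why the ping in the thread failed: "ip inspect ids out" on Serial0/0
! only builds sessions for traffic transiting the router, so the
! echo-reply to a router-sourced ping has no CBAC entry and hits the
! "deny ip any any log" at the end of ACL 102.
!
! --- Option 1: IOS 12.3(14)T and later ---
! The router-traffic keyword makes CBAC also track sessions the router
! itself originates, so the reply is admitted before ACL 102 is checked.
ip inspect name ids icmp router-traffic
ip inspect name ids tcp router-traffic
ip inspect name ids udp router-traffic
!
interface Serial0/0
 ip access-group 102 in
 ip inspect ids out
!
! --- Option 2: older IOS, the loopback trick ---
! Local policy routing sends locally generated packets out Loopback0.
! They come back in on Loopback0, where the inbound inspect rule builds
! the session, and are then routed out Serial0/0 like transit traffic.
! Assumption: the destination has a route in the routing table; PBR does
! not honour "set interface" for an unknown destination.
! ACL 150 (assumed name) limits the policy to ICMP so OSPF, NTP and the
! IPsec/EZVPN traffic on Serial0/0 are left alone.
access-list 150 permit icmp any any
!
route-map LOCAL-VIA-LO0 permit 10
 match ip address 150
 set interface Loopback0
!
interface Loopback0
 ip address 10.55.55.55 255.255.255.255
 ip inspect ids in
!
ip local policy route-map LOCAL-VIA-LO0
!
! Verification (either option): an ICMP session should exist while the
! ping runs, and the ACL 102 deny counter should stop incrementing.
!   R5# ping 44.44.44.44 source 10.55.55.55
!   R5# show ip inspect sessions
!   R5# show access-list 102
```

With Option 2, remember that "ip local policy" only affects packets the router generates, so it does not change how transit traffic on Serial0/0 is inspected; the existing "ip inspect ids out" stays in place for that.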
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:47 ART