Re: local policy route-map w/CBAC

From: Rocco R21 (roccor21@hotmail.com)
Date: Wed Feb 28 2007 - 11:59:58 ART


I've tried it both ways on the inspect rule. This example is with the rule
outbound using an internal interface (e0). I telnet from the neighbor router
R3 -> R6's loopback. Once in R6 I do not see that return traffic
inspected/audited. There are no matches on the outbound ACL either (locally
generated). I tried a local policy and tried to set the interface for the
ACL to R6's loopback, but that didn't work either.

CBAC example: internal interface

R6#

ip inspect audit-trail
ip inspect name TELNET telnet
!
access-list 119 permit ip any any log
access-list 120 deny tcp host 150.1.6.6 eq telnet any log
access-list 120 deny tcp host 150.1.6.6 any eq telnet log
access-list 120 permit ip any any log
!
interface Ethernet0
ip access-group 119 in
ip access-group 120 out
ip inspect TELNET out
!
interface Loopback0
ip address 150.1.6.6 255.255.255.0


Validation:

R3#150.1.6.6
Trying 150.1.6.6 ... Open

User Access Verification

Password:
home-term-server#6
[Resuming connection 6 to r6 ... ]

R6#sho log
Rack1R6# sho ip inspect ses

R6# sho ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name TELNET
    telnet alert is on audit-trail is on timeout 3600

Interface Configuration
Interface Ethernet0
  Inbound inspection rule is not set
  Outgoing inspection rule is TELNET
    telnet alert is on audit-trail is on timeout 3600
  Inbound access list is 119
  Outgoing access list is 120

R6# sho access-lists

Extended IP access list 119
    10 permit ip any any log (50 matches)
Extended IP access list 120
    10 deny tcp host 150.1.6.6 eq telnet any log
    20 deny tcp host 150.1.6.6 any eq telnet log
    30 permit ip any any log

>From: "Colm O'Leary" <co.oleary@gmail.com>
>Reply-To: "Colm O'Leary" <co.oleary@gmail.com>
>To: "Rocco R21" <roccor21@hotmail.com>
>CC: kutserdar@gmail.com, ccielab@groupstudy.com
>Subject: Re: local policy route-map w/CBAC
>Date: Wed, 28 Feb 2007 13:45:41 +0000
>
>If you apply the inspect rule outbound on the same interface the inbound
>ACL is applied to, it will factor in the locally generated traffic, provided
>it is configured correctly under the inspect rule.
>
>On 2/26/07, Rocco R21 <roccor21@hotmail.com> wrote:
> >
> > permitting on the inbound and denying on the outbound. I'm setting this
> > up to have CBAC inspect inbound and audit telnet from the inside. A deny
> > for the outbound is to make CBAC inspect the return traffic destined for
> > the inside; however, I think since the outside interface is a loopback on
> > the router the outbound ACL will not be recognized unless I use a local
> > policy route-map and set the interface loopback. When I try doing that it
> > doesn't work, so I'm thinking it's not possible w/CBAC using a loopback as
> > an external destination address. I will probably have to do this on the
> > hop prior router.
> >
> >
> > >From: "Serdar Kut" <kutserdar@gmail.com>
> > >To: "Rocco R21" <roccor21@hotmail.com>
> > >CC: ccielab@groupstudy.com
> > >Subject: Re: local policy route-map w/CBAC
> > >Date: Mon, 26 Feb 2007 09:04:28 +0200
> > >
> > >hi,
> > >did you check the inbound acl? maybe your return traffic is not
> > >permitted? Hence it is not checked by cbac; you should manually permit
> > >the return traffic inbound.
> > >
> > >
> > >On 2/25/07, Rocco R21 <roccor21@hotmail.com> wrote:
> > >>
> > >>Hi all,
> > >>
> > >>Anybody ever use a local policy route-map when configuring CBAC? I've
> > >>been playing around in my lab and I'm setting it up as internal on an
> > >>ethernet interface, but by default the router will not block outbound on
> > >>the ACL with originated traffic. I'm trying a local policy route-map and
> > >>setting the interface to my loopback but no luck. I was wondering if
> > >>anybody ever came across this scenario?
> > >>
> > >>rr
> > >>
> >
> >>_______________________________________________________________________
> > >>Subscription information may be found at:
> > >>http://www.groupstudy.com/list/CCIELab.html
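A toy model, added here and not taken from the thread or from Cisco IOS, of how the Ethernet0 configuration Rocco posted at the top of the thread treats the two kinds of traffic under discussion. It encodes two IOS behaviours (an outbound ACL does not filter packets the router itself generates, and classic CBAC inspects only transit traffic), which is exactly what his zero matches on ACL 120 and empty session table show; R3's address 150.1.3.3 and the transit host 10.0.0.5 are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

ANY = None  # wildcard field in an ACL entry
Pkt = namedtuple("Pkt", "src sport dst dport")  # one TCP packet

def acl_permits(acl, p):
    """First-match evaluation with IOS's implicit deny at the end."""
    for action, src, sport, dst, dport in acl:
        if all(want is ANY or want == got for want, got in
               ((src, p.src), (sport, p.sport), (dst, p.dst), (dport, p.dport))):
            return action == "permit"
    return False

# ACLs 119 and 120 from the thread, TCP only (entry: action, src, sport, dst, dport).
ACL_119 = [("permit", ANY, ANY, ANY, ANY)]
ACL_120 = [("deny", "150.1.6.6", 23, ANY, ANY),
           ("deny", "150.1.6.6", ANY, ANY, 23),
           ("permit", ANY, ANY, ANY, ANY)]

@dataclass
class Interface:
    local_addrs: set          # addresses the router itself owns (Lo0, E0 ...)
    acl_in: list
    acl_out: list
    inspect_out: set          # 'ip inspect TELNET out' -> {23}
    sessions: set = field(default_factory=set)
    out_acl_hits: int = 0     # what 'show access-lists' would count on ACL 120

    def inbound(self, p):
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit (return traffic of inspected session)"
        return "permit" if acl_permits(self.acl_in, p) else "deny"

    def outbound(self, p):
        if p.src in self.local_addrs:
            # Router-generated packets bypass the outbound ACL and classic CBAC,
            # which is why ACL 120 shows no matches and no session appears.
            return "sent (locally generated: not filtered, not inspected)"
        self.out_acl_hits += 1
        if not acl_permits(self.acl_out, p):
            return "deny"
        if p.dport in self.inspect_out:
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return "permit (inspected, session created)"
        return "permit"

def build_e0():
    # R6 Ethernet0 as configured in the thread; Lo0 is 150.1.6.6.
    return Interface({"150.1.6.6"}, ACL_119, ACL_120, {23})
```

Run the telnet from R3 to the loopback through `build_e0()` and the reply is sent without touching ACL 120 or the session table; a transit telnet leaving E0 is inspected and its return traffic is admitted on the session entry.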



This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:48 ART