From: Rocco R21 (roccor21@hotmail.com)
Date: Fri Mar 02 2007 - 13:22:38 ART
Thanks 'me' for answering my own question...
...no problem 'you'...lol
>From: "Rocco R21" <roccor21@hotmail.com>
>Reply-To: "Rocco R21" <roccor21@hotmail.com>
>To: co.oleary@gmail.com
>CC: kutserdar@gmail.com, ccielab@groupstudy.com
>Subject: Re: local policy route-map w/CBAC
>Date: Wed, 28 Feb 2007 09:59:58 -0500
>
>I've tried it both ways on the inspect rule. This example is with the rule
>outbound using an internal interface (e0). I telnet from the neighbor router
>R3 -> R6's loopback. Once in R6 I do not see that return traffic
>inspected/audited. There are no matches on the outbound ACL either (locally
>generated). I tried a local policy and tried to set the interface for the
>ACL to R6's loopback, but that didn't work either.
>
>
>CBAC example: internal interface
>
>
>R6#
>
>ip inspect audit-trail
>ip inspect name TELNET telnet
>!
>access-list 119 permit ip any any log
>access-list 120 deny tcp host 150.1.6.6 eq telnet any log
>access-list 120 deny tcp host 150.1.6.6 any eq telnet log
>access-list 120 permit ip any any log
>!
>interface Ethernet0
> ip access-group 119 in
> ip access-group 120 out
> ip inspect TELNET out
>!
>interface Loopback0
> ip address 150.1.6.6 255.255.255.0
>
>
>*
>
>Validation:
>
>R3#150.1.6.6
>Trying 150.1.6.6 ... Open
>
>
>User Access Verification
>
>Password:
>home-term-server#6
>[Resuming connection 6 to r6 ... ]
>
>
>R6#sho log
>Rack1R6# sho ip inspect ses
>
>R6# sho ip inspect all
>Session audit trail is enabled
>Session alert is enabled
>one-minute (sampling period) thresholds are [400:500] connections
>max-incomplete sessions thresholds are [400:500]
>max-incomplete tcp connections per host is 50. Block-time 0 minute.
>tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
>tcp idle-time is 3600 sec -- udp idle-time is 30 sec
>dns-timeout is 5 sec
>Inspection Rule Configuration
>Inspection name TELNET
> telnet alert is on audit-trail is on timeout 3600
>
>Interface Configuration
>Interface Ethernet0
> Inbound inspection rule is not set
> Outgoing inspection rule is TELNET
> telnet alert is on audit-trail is on timeout 3600
> Inbound access list is 119
> Outgoing access list is 120
>
>R6# sho access-lists
>
>Extended IP access list 119
> 10 permit ip any any log (50 matches)
>Extended IP access list 120
> 10 deny tcp host 150.1.6.6 eq telnet any log
> 20 deny tcp host 150.1.6.6 any eq telnet log
> 30 permit ip any any log
>
>
>
>
>
>>From: "Colm O'Leary" <co.oleary@gmail.com>
>>Reply-To: "Colm O'Leary" <co.oleary@gmail.com>
>>To: "Rocco R21" <roccor21@hotmail.com>
>>CC: kutserdar@gmail.com, ccielab@groupstudy.com
>>Subject: Re: local policy route-map w/CBAC
>>Date: Wed, 28 Feb 2007 13:45:41 +0000
>>
>>If you apply the inspect rule outbound on the same interface the inbound ACL
>>is applied, it will factor in the locally generated traffic, provided it is
>>configured correctly under the inspect rule.
>>
>>On 2/26/07, Rocco R21 <roccor21@hotmail.com> wrote:
>> >
>> > permitting on the inbound and denying on the outbound. I'm setting this up
>> > to have CBAC inspect inbound and audit telnet from the inside. A deny for
>> > the outbound is to make CBAC inspect the return traffic destined for the
>> > inside; however, I think since the outside interface is a loopback on the
>> > router the outbound ACL will not be recognized unless I use a local policy
>> > route-map and set the interface loopback. When I try doing that it doesn't
>> > work, so I'm thinking it's not possible w/CBAC using a loopback as an
>> > external destination address. I will probably have to do this on the hop
>> > prior router.
>> >
>> >
>> > >From: "Serdar Kut" <kutserdar@gmail.com>
>> > >To: "Rocco R21" <roccor21@hotmail.com>
>> > >CC: ccielab@groupstudy.com
>> > >Subject: Re: local policy route-map w/CBAC
>> > >Date: Mon, 26 Feb 2007 09:04:28 +0200
>> > >
>> > >hi,
>> > >did you check the inbound ACL? Maybe your return traffic is not
>> > >permitted? Hence it is not checked by CBAC; you should manually permit the
>> > >return traffic inbound.
>> > >
>> > >
>> > >On 2/25/07, Rocco R21 <roccor21@hotmail.com> wrote:
>> > >>
>> > >>Hi all,
>> > >>
>> > >>Anybody ever use a local policy route-map when configuring CBAC? I've been
>> > >>playing around in my lab and I'm setting it up as internal on an ethernet
>> > >>interface, but by default the router will not block outbound on the ACL
>> > >>with originated traffic. I'm trying a local policy route-map and setting the
>> > >>interface to my loopback but no luck. I was wondering if anybody ever came
>> > >>across this scenario?
>> > >>
>> > >>rr
>> > >>
>> >
>> >>_______________________________________________________________________
>> > >>Subscription information may be found at:
>> > >>http://www.groupstudy.com/list/CCIELab.html
>> >
>>
>
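The following Python model is an added example; it is not part of the thread and is not IOS code. It models the two IOS behaviours that the posted output is consistent with: an outbound access list is not applied to packets the router generates itself, and classic CBAC builds session entries for transit traffic only, so a telnet session that terminates on the router (here R6's loopback 150.1.6.6) never gets a session entry or a dynamic return-path opening. ACL 119/120, the TELNET inspect rule and 150.1.6.6 are taken from the posted config; the R3 address 10.0.36.3 and the transit host 192.0.2.10 are made up for the example.

```python
"""Toy model of CBAC-style stateful inspection on one router interface.

Constructed teaching example, not IOS code. Models: (1) router-originated
packets bypass the outbound ACL and inspection, (2) CBAC inspects transit
traffic only and opens the reverse flow ahead of the inbound ACL.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # True for the first packet of a TCP session


@dataclass
class Ace:
    """One access-list entry: action, protocol, host-or-any endpoints, ports."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None     # None means any port
    dport: Optional[int] = None
    matches: int = 0

    def hits(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        return self.dport is None or self.dport == p.dport


class Acl:
    def __init__(self, *aces: Ace) -> None:
        self.aces = list(aces)

    def permits(self, p: Packet) -> bool:
        for ace in self.aces:          # first match wins, implicit deny at the end
            if ace.hits(p):
                ace.matches += 1
                return ace.action == "permit"
        return False


class Interface:
    """Interface with in/out ACLs, an outbound inspect rule and a session table."""

    def __init__(self, acl_in: Acl, acl_out: Acl, inspect_out: set, router_ips: set) -> None:
        self.acl_in, self.acl_out = acl_in, acl_out
        self.inspect_out = inspect_out    # (proto, port) pairs named by "ip inspect NAME out"
        self.router_ips = router_ips      # addresses owned by the router itself
        self.sessions: set = set()        # (src, dst, proto, sport, dport) of inspected flows

    def egress(self, p: Packet) -> str:
        # Packets the router generates never touch the outbound ACL or CBAC.
        if p.src in self.router_ips:
            return "permit:local-bypass"
        if not self.acl_out.permits(p):
            return "deny:acl-out"
        # CBAC: a transit SYN for an inspected protocol opens a session entry.
        if (p.proto, p.dport) in self.inspect_out and p.syn and p.dst not in self.router_ips:
            self.sessions.add((p.src, p.dst, p.proto, p.sport, p.dport))
            return "permit:inspected"
        return "permit:acl-out"

    def ingress(self, p: Packet) -> str:
        # Return traffic of an inspected session is admitted ahead of the inbound ACL.
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.sessions:
            return "permit:cbac-return"
        return "permit:acl-in" if self.acl_in.permits(p) else "deny:acl-in"


def thread_config() -> Interface:
    """R6 Ethernet0 as posted: ACL 119 in, ACL 120 out, 'ip inspect TELNET out'."""
    acl119 = Acl(Ace("permit", "ip"))
    acl120 = Acl(Ace("deny", "tcp", src="150.1.6.6", sport=23),
                 Ace("deny", "tcp", src="150.1.6.6", dport=23),
                 Ace("permit", "ip"))
    return Interface(acl119, acl120, inspect_out={("tcp", 23)}, router_ips={"150.1.6.6"})


def telnet_to_loopback() -> dict:
    """R3 (made-up address 10.0.36.3) telnets to R6's loopback through e0."""
    e0 = thread_config()
    syn = Packet("10.0.36.3", "150.1.6.6", "tcp", 40001, 23, syn=True)
    synack = Packet("150.1.6.6", "10.0.36.3", "tcp", 23, 40001)
    return {"in": e0.ingress(syn), "out": e0.egress(synack),
            "acl120": [a.matches for a in e0.acl_out.aces], "sessions": len(e0.sessions)}


def telnet_through_router() -> dict:
    """Transit telnet leaving e0 (made-up hosts) with a deny-all inbound ACL, so
    only the CBAC session entry can let the return traffic back in."""
    e0 = thread_config()
    e0.acl_in = Acl(Ace("deny", "ip"))
    syn = Packet("192.0.2.10", "10.0.36.3", "tcp", 50000, 23, syn=True)
    synack = Packet("10.0.36.3", "192.0.2.10", "tcp", 23, 50000)
    stray = Packet("10.0.36.3", "192.0.2.10", "tcp", 23, 50001)   # no matching session
    return {"out": e0.egress(syn), "back": e0.ingress(synack),
            "stray": e0.ingress(stray), "sessions": len(e0.sessions)}
```

Running `telnet_to_loopback()` reproduces what the thread observed: the SYN/ACK from 150.1.6.6 leaves e0 as "local-bypass", every entry of ACL 120 stays at zero matches and the session table stays empty. `telnet_through_router()` shows the contrast for a transit flow: the outbound SYN is inspected, the reverse packet is admitted as "cbac-return" even though the inbound ACL denies everything, and a packet that does not match the recorded 5-tuple is dropped by that ACL.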
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:49 ART