RE: Fails to display temporary ACL when using CBAC

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Sun Nov 04 2007 - 05:26:53 ART


I noticed that in my lab, friend.

Here we go

rack1r1#sh run int f0/1
Building configuration...

Current configuration : 158 bytes
!
interface FastEthernet0/1
 ip address 1.1.21.1 255.255.255.0
 ip access-group 101 in
 ip inspect CCIE out
 ip ospf mtu-ignore
 duplex auto
 speed auto
end

rack1r1#sh ip access
Extended IP access list 101
    10 permit ospf any any (32 matches)
    20 permit tcp any any eq bgp
    30 permit tcp any eq bgp any
    40 deny ip any any (12 matches)
rack1r1#sh ip inspect sessions
Established Sessions
 Session 45766004 (1.1.11.11:61659)=>(1.1.21.2:23) tcp SIS_OPEN

Note: we don't see a temp acl line above the ones I configured...

Weird, and yes I'm running the latest and greatest 12.4 advanced ip services
in my lab...

My older code in production does show these lines for users on my LAN... As a
side note, I tested this with non-router-generated traffic in my example,
where I had "ip inspect CCIE in" on the F0/0 interface. Still no temp ACL
lines.

When I telnet out this interface with my current config to a directly
connected neighbor's ip, the telnet fails... seems router generated traffic
is hard to permit with CBAC.

Still working this one...

-Joe

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of C
Chan
Sent: Sunday, November 04, 2007 2:01 AM
To: ccielab@groupstudy.com
Subject: Fails to display temporary ACL when using CBAC

Dear

According to the DocCD, the dynamic ACL will be created in the inbound ACL
(external interface) when applying "ip inspect xxx out" and "ip access-group
yyy in". When I perform a similar test using the Telnet protocol in the lab
environment, the IOS firewall behavior is working as expected. However, the
only strange thing is that no "dynamic" ACL is shown when issuing "s ip
access-list".

What special command do I need to issue in order to view the temporary ACL
creation and removal?

R3#s ip access
Extended IP access list 110
    10 permit ospf any any (60 matches)
    20 deny tcp any any
    30 deny udp any any
    40 deny ip any any
!
R3#s ip insp sess
Established Sessions
 Session 46061BB4 (10.0.0.1:33119)=>(150.1.2.2:23) telnet SIS_OPEN
!
R3#s ip insp sess de
Established Sessions
 Session 46061BB4 (10.0.0.1:33119)=>(150.1.2.2:23) telnet SIS_OPEN
  Created 00:00:16, Last heard 00:00:15
  Bytes sent (initiator:responder) [37:74]
  In SID 150.1.2.2[23:23]=>10.0.0.1[33119:33119] on ACL 110 (11 matches)

----------------------------------------------------------------------------
Partial config extract
access-list 110 permit ospf any any
access-list 110 deny tcp any any
access-list 110 deny udp any any
access-list 110 deny ip any any
!
ip inspect name TELNET_OUT telnet
!
interface Serial0/1/1
 ip address 155.1.23.3 255.255.255.0
 ip access-group 110 in
 ip inspect TELNET_OUT out

----------------------------------------------------------------------------
Extract from DocCD
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm#wp1001901
External Interface

Here are some guidelines for your access lists when you will be configuring
Cisco IOS Firewall on an external interface:

If you have an outbound IP access list at the external interface, the
access list can be a standard or extended access list. This outbound access
list should permit traffic that you want to be inspected by Cisco IOS
Firewall. If traffic is not permitted, it will not be inspected by Cisco IOS
Firewall, but will be simply dropped.

The inbound IP access list at the external interface must be an extended
access list. This inbound access list should deny traffic that you want to
be inspected by Cisco IOS Firewall. (Cisco IOS Firewall will create
temporary openings in this inbound access list as appropriate to permit only
return traffic that is part of a valid, existing session.)

Example RTSP with RDT

The following example illustrates the result of the *show ip inspect session*
command. It shows that a control channel (rtsp) and data channel
(rtsp-data) are open between hosts 192.168.155.2 and 192.168.35.1.

router# *show ip inspect session*

 Established Sessions

  Session 616B4F1C (192.168.155.2:7548)=>(192.168.35.1:6970) rtsp-data SIS_OPEN

  Session 611E2904 (192.168.35.1:1221)=>(192.168.155.2:554) rtsp SIS_OPEN

 The following example illustrates the result of the *show ip access-list*
command. It shows that two dynamic entries (permit statements) were added to
ACL 100 for the multimedia session. The TCP entry creates a dynamic opening
through the firewall between port 554 (RTSP protocol port) on the client and
port 1221 on the server. The UDP entry creates a dynamic opening between
data port 7548 on the client and data port 6970 on the server.

router# *show ip access-list*

 Extended IP access list 100

  permit udp host 192.168.155.2 eq 7548 host 192.168.35.1 eq 6970 (31 matches)

  permit tcp host 192.168.155.2 eq 554 host 192.168.35.1 eq 1221 (27 matches)

 After closing the multimedia session, review the session output using the
*show* commands to verify the firewall software has removed the dynamic
entries from the configuration.
----------------------------------------------------------------------------
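As an added example (not part of this thread and not Cisco tooling), here is a small Python parser that turns the "show ip insp sess de" output quoted above into the equivalent temporary permit entries, in the form the DocCD RTSP example shows them under "show ip access-list", and checks that each opening is exactly the reverse of its session. The sample output and the application-to-protocol mapping are constructed assumptions.

```python
import re

# Constructed sample modelled on the "show ip insp sess de" output quoted
# in the thread (session id and counters are made up).
SAMPLE = """Established Sessions
 Session 46061BB4 (10.0.0.1:33119)=>(150.1.2.2:23) telnet SIS_OPEN
  Created 00:00:16, Last heard 00:00:15
  Bytes sent (initiator:responder) [37:74]
  In SID 150.1.2.2[23:23]=>10.0.0.1[33119:33119] on ACL 110 (11 matches)
"""
SESSION_RE = re.compile(
    r"^\s*Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<app>\S+)\s+(?P<state>\S+)")
SID_RE = re.compile(
    r"^\s*In SID\s+(?P<src>[\d.]+)\[(?P<sp1>\d+):(?P<sp2>\d+)\]=>"
    r"(?P<dst>[\d.]+)\[(?P<dp1>\d+):(?P<dp2>\d+)\]\s+on ACL\s+(?P<acl>\S+)")
# Assumed mapping of inspection application names to the L4 protocol of the
# opening; anything not listed (e.g. rtsp-data, udp) is treated as UDP.
TCP_APPS = {"tcp", "telnet", "ftp", "http", "smtp", "rtsp"}

def parse_sessions(text):
    """Return one dict per session, with its 'In SID' lines attached."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(dict(m.groupdict(), sids=[]))
            continue
        m = SID_RE.match(line)
        if m and sessions:
            sessions[-1]["sids"].append(m.groupdict())
    return sessions

def _ports(lo, hi):
    return f"eq {lo}" if lo == hi else f"range {lo} {hi}"

def dynamic_acl_entries(sessions):
    """Render each SID as the temporary permit line CBAC installs in the inbound
    ACL; raise if an opening is not the exact reverse of its session."""
    entries = []
    for s in sessions:
        proto = "tcp" if s["app"] in TCP_APPS else "udp"
        for sid in s["sids"]:
            if (sid["src"], sid["dst"]) != (s["dst"], s["src"]):
                raise ValueError(f"SID does not mirror session {s['sid']}")
            entries.append((sid["acl"], f"permit {proto} host {sid['src']} "
                            f"{_ports(sid['sp1'], sid['sp2'])} host {sid['dst']} "
                            f"{_ports(sid['dp1'], sid['dp2'])}"))
    return entries
```

Calling dynamic_acl_entries(parse_sessions(SAMPLE)) yields the single return-traffic opening for the telnet session on ACL 110, which is the line the DocCD says should appear even when the running code does not display it.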



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:28 ART