RE: Fails to display temporary ACL when using CBAC

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Sun Nov 04 2007 - 05:46:41 ART


Dude, we definitely need this

ip inspect name CCIE tcp router-traffic

now my telnets from the router work like a champ...

Still no dyn lines in acl created by cbac though...

rack1r1#sh ip access
Extended IP access list 101
    10 permit ospf any any (169 matches)
    20 permit tcp any any eq bgp
    30 permit tcp any eq bgp any
    40 deny ip any any (45 matches)

Anybody know if CBAC still does this?

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of C Chan
Sent: Sunday, November 04, 2007 2:01 AM
To: ccielab@groupstudy.com
Subject: Fails to display temporary ACL when using CBAC

Dear

According to the DocCD, the dynamic ACL will be created in the inbound ACL
(external interface) when applying "ip inspect xxx out" and "ip access-group
yyy in". When I perform a similar test using the Telnet protocol in the lab
environment, the IOS firewall behavior is working as expected. However, the
only strange thing is that no "dynamic" ACL is shown when issuing "s ip
access-list".

What special command do I need to issue in order to view the temporary ACL
creation and removal?

R3#s ip access
Extended IP access list 110
    10 permit ospf any any (60 matches)
    20 deny tcp any any
    30 deny udp any any
    40 deny ip any any
!
R3#s ip insp sess
Established Sessions
 Session 46061BB4 (10.0.0.1:33119)=>(150.1.2.2:23) telnet SIS_OPEN
!
R3#s ip insp sess de
Established Sessions
 Session 46061BB4 (10.0.0.1:33119)=>(150.1.2.2:23) telnet SIS_OPEN
  Created 00:00:16, Last heard 00:00:15
  Bytes sent (initiator:responder) [37:74]
  In SID 150.1.2.2[23:23]=>10.0.0.1[33119:33119] on ACL 110 (11 matches)

-------------------------------------------------------------------------------
Partial config extract
access-list 110 permit ospf any any
access-list 110 deny tcp any any
access-list 110 deny udp any any
access-list 110 deny ip any any
!
ip inspect name TELNET_OUT telnet
!
interface Serial0/1/1
 ip address 155.1.23.3 255.255.255.0
 ip access-group 110 in
 ip inspect TELNET_OUT out

-------------------------------------------------------------------------------
Extract from DocCD
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm#wp1001901
External Interface

Here are some guidelines for your access lists when you will be configuring
Cisco IOS Firewall on an external interface:

If you have an outbound IP access list at the external interface, the
access list can be a standard or extended access list. This outbound access
list should permit traffic that you want to be inspected by Cisco IOS
Firewall. If traffic is not permitted, it will not be inspected by Cisco IOS
Firewall, but will be simply dropped.

The inbound IP access list at the external interface must be an extended
access list. This inbound access list should deny traffic that you want to
be inspected by Cisco IOS Firewall. (Cisco IOS Firewall will create
temporary openings in this inbound access list as appropriate to permit only
return traffic that is part of a valid, existing session.)

Example RTSP with RDT

The following example illustrates the result of the show ip inspect session
command. It shows that a control channel (rtsp) and data channel
(rtsp-data) are open between hosts 192.168.155.2 and 192.168.35.1.

router# show ip inspect session
 Established Sessions
  Session 616B4F1C (192.168.155.2:7548)=>(192.168.35.1:6970) rtsp-data SIS_OPEN
  Session 611E2904 (192.168.35.1:1221)=>(192.168.155.2:554) rtsp SIS_OPEN

The following example illustrates the result of the show ip access-list
command. It shows that two dynamic entries (permit statements) were added to
ACL 100 for the multimedia session. The TCP entry creates a dynamic opening
through the firewall between port 554 (RTSP protocol port) on the client and
port 1221 on the server. The UDP entry creates a dynamic opening between
data port 7548 on the client and data port 6970 on the server.

router# show ip access-list
 Extended IP access list 100
  permit udp host 192.168.155.2 eq 7548 host 192.168.35.1 eq 6970 (31 matches)
  permit tcp host 192.168.155.2 eq 554 host 192.168.35.1 eq 1221 (27 matches)

After closing the multimedia session, review the session output using the
show commands to verify the firewall software has removed the dynamic
entries from the configuration.
-------------------------------------------------------------------------------
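Added example, not part of either message in the thread: a small Python parser for the "show ip inspect sessions detail" output quoted above. In that output the "In SID ... on ACL 110 (11 matches)" line is where the inbound return-path opening for the Telnet session is reported, so a verifier can correlate each established session with the SID that permits responder-to-initiator traffic on the inbound ACL, instead of looking for dynamic lines in "show ip access-list". The sample text below is constructed to mirror the thread's output; the second session (4606AAAA, the http session with no SID line) is hypothetical and added so the checker shows what a session without a return-path opening looks like.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the "show ip inspect sessions detail" output
# quoted in the thread. The first session copies the thread's Telnet session;
# the second (http, SIS_OPENING, no "In SID" line) is hypothetical.
SAMPLE_DETAIL = """\
Established Sessions
 Session 46061BB4 (10.0.0.1:33119)=>(150.1.2.2:23) telnet SIS_OPEN
  Created 00:00:16, Last heard 00:00:15
  Bytes sent (initiator:responder) [37:74]
  In SID 150.1.2.2[23:23]=>10.0.0.1[33119:33119] on ACL 110 (11 matches)
 Session 4606AAAA (10.0.0.1:33120)=>(150.1.2.2:80) http SIS_OPENING
  Created 00:00:02, Last heard 00:00:02
  Bytes sent (initiator:responder) [0:0]
"""

# "Session <id> (initiator:port)=>(responder:port) <proto> <state>"
SESSION_RE = re.compile(
    r"^\s*Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<init_ip>[\d.]+):(?P<init_port>\d+)\)=>"
    r"\((?P<resp_ip>[\d.]+):(?P<resp_port>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>\S+)\s*$"
)
# "In SID src[lo:hi]=>dst[lo:hi] on ACL <n> (<m> matches)"
SID_RE = re.compile(
    r"^\s*In SID\s+(?P<src_ip>[\d.]+)\[(?P<src_lo>\d+):(?P<src_hi>\d+)\]=>"
    r"(?P<dst_ip>[\d.]+)\[(?P<dst_lo>\d+):(?P<dst_hi>\d+)\]\s+"
    r"on ACL\s+(?P<acl>\d+)\s+\((?P<matches>\d+) matches\)\s*$"
)


@dataclass
class Opening:
    src_ip: str
    src_ports: range      # inclusive port range, stored as a Python range
    dst_ip: str
    dst_ports: range
    acl: str
    matches: int


@dataclass
class Session:
    sid: str
    init_ip: str
    init_port: int
    resp_ip: str
    resp_port: int
    proto: str
    state: str
    openings: List[Opening] = field(default_factory=list)


def parse_inspect_detail(text: str) -> List[Session]:
    """Parse session headers and the SID lines that belong to each of them."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = Session(m["sid"], m["init_ip"], int(m["init_port"]),
                              m["resp_ip"], int(m["resp_port"]),
                              m["proto"], m["state"])
            sessions.append(current)
            continue
        m = SID_RE.match(line)
        if m and current is not None:
            current.openings.append(Opening(
                m["src_ip"], range(int(m["src_lo"]), int(m["src_hi"]) + 1),
                m["dst_ip"], range(int(m["dst_lo"]), int(m["dst_hi"]) + 1),
                m["acl"], int(m["matches"])))
    return sessions


def return_path_opening(session: Session, inbound_acl: str) -> Optional[Opening]:
    """Return the SID that permits responder->initiator traffic on inbound_acl."""
    for o in session.openings:
        if (o.acl == inbound_acl
                and o.src_ip == session.resp_ip and session.resp_port in o.src_ports
                and o.dst_ip == session.init_ip and session.init_port in o.dst_ports):
            return o
    return None


def audit(text: str, inbound_acl: str) -> Dict[str, bool]:
    """Map each session id to whether its return path is open on inbound_acl."""
    return {s.sid: return_path_opening(s, inbound_acl) is not None
            for s in parse_inspect_detail(text)}


if __name__ == "__main__":
    for sid, ok in audit(SAMPLE_DETAIL, "110").items():
        print(sid, "return-path opening present" if ok else "NO opening on ACL 110")
```

Run it against saved output of "show ip inspect sessions detail" and the number of the ACL applied inbound on the external interface (110 in the thread's config); a session reported without a matching SID is the one to investigate first.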



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:28 ART