From: Scott Vermillion (scott_ccie_list@it-ag.com)
Date: Sun Nov 04 2007 - 17:49:37 ART
Hey all,
Warning: Champagne brunch with the family today!
But I did recognize this from a recent read of "Cisco Router Firewall
Security." According to Deal:
"A new feature was introduced in Cisco IOS 12.3(4)T, called Firewall ACL
Bypass (FAB). This feature was developed to speed up the Cisco IOS
processing of traffic returning to the network. With the FAB feature, the
Cisco IOS does not create dynamic ACL entries to allow returning traffic
into the network. Instead, the Cisco IOS examines the state table to
determine which traffic should be allowed back into the network, which can
be handled by fast switching processes such as Cisco Express Forwarding
(CEF)."
Then, in every part of the chapter where he talks about dynamic entries, he
caveats it to say "unless FAB is present." He also states that "Starting in
Cisco IOS 12.3(4)T, the FAB feature is automatically enabled and cannot be
disabled."
Back to the hooch...
Regards,
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joseph Brunner
Sent: Sunday, November 04, 2007 1:47 AM
To: 'C Chan'; ccielab@groupstudy.com
Subject: RE: Fails to display temporary ACL when using CBAC
Dude, we definitely need this
ip inspect name CCIE tcp router-traffic
now my telnets from the router work like a champ...
Still no dyn lines in acl created by cbac though...
rack1r1#sh ip access
Extended IP access list 101
10 permit ospf any any (169 matches)
20 permit tcp any any eq bgp
30 permit tcp any eq bgp any
40 deny ip any any (45 matches)
Anybody know if CBAC still does this?
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of C
Chan
Sent: Sunday, November 04, 2007 2:01 AM
To: ccielab@groupstudy.com
Subject: Fails to display temporary ACL when using CBAC
Dear
According to the DocCD, the dynamic ACL will be created in the inbound ACL
(external interface) when applying "ip inspect xxx out" and "ip access-group
yyy in". When I perform a similar test using the Telnet protocol in the lab
environment, the IOS firewall behaviour is working as expected. However, the
only strange thing is that no "dynamic" ACL is shown when issuing "s ip
access-list".
What special command do I need to issue in order to view the temporary ACL
creation and removal?
R3#s ip access
Extended IP access list 110
10 permit ospf any any (60 matches)
20 deny tcp any any
30 deny udp any any
40 deny ip any any
!
R3#s ip insp sess
Established Sessions
Session 46061BB4 (10.0.0.1:33119)=>(150.1.2.2:23) telnet SIS_OPEN
!
R3#s ip insp sess de
Established Sessions
Session 46061BB4 (10.0.0.1:33119)=>(150.1.2.2:23) telnet SIS_OPEN
Created 00:00:16, Last heard 00:00:15
Bytes sent (initiator:responder) [37:74]
In SID 150.1.2.2[23:23]=>10.0.0.1[33119:33119] on ACL 110 (11 matches)
------------------------------------------------------------------------------
Partial config extract
access-list 110 permit ospf any any
access-list 110 deny tcp any any
access-list 110 deny udp any any
access-list 110 deny ip any any
!
ip inspect name TELNET_OUT telnet
!
interface Serial0/1/1
ip address 155.1.23.3 255.255.255.0
ip access-group 110 in
ip inspect TELNET_OUT out
------------------------------------------------------------------------------
Extract from DocCD
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm#wp1001901
External Interface
Here are some guidelines for your access lists when you will be configuring
Cisco IOS Firewall on an external interface:
If you have an outbound IP access list at the external interface, the
access list can be a standard or extended access list. This outbound access
list should permit traffic that you want to be inspected by Cisco IOS
Firewall. If traffic is not permitted, it will not be inspected by Cisco IOS
Firewall, but will be simply dropped.
The inbound IP access list at the external interface must be an extended
access list. This inbound access list should deny traffic that you want to
be inspected by Cisco IOS Firewall. (Cisco IOS Firewall will create
temporary openings in this inbound access list as appropriate to permit only
return traffic that is part of a valid, existing session.)
Example RTSP with RDT
The following example illustrates the result of the *show ip inspect session*
command. It shows that a control channel (rtsp) and data channel
(rtsp-data) are open between hosts 192.168.155.2 and 192.168.35.1.
router# *show ip inspect session*
Established Sessions
Session 616B4F1C (192.168.155.2:7548)=>(192.168.35.1:6970) rtsp-data
SIS_OPEN
Session 611E2904 (192.168.35.1:1221)=>(192.168.155.2:554) rtsp SIS_OPEN
The following example illustrates the result of the *show ip access-list*
command. It shows that two dynamic entries (permit statements) were added to
ACL 100 for the multimedia session. The TCP entry creates a dynamic opening
through the firewall between port 554 (RTSP protocol port) on the client and
port 1221 on the server. The UDP entry creates a dynamic opening between
data port 7548 on the client and data port 6970 on the server.
router# *show ip access-list*
Extended IP access list 100
permit udp host 192.168.155.2 eq 7548 host 192.168.35.1 eq 6970 (31 matches)
permit tcp host 192.168.155.2 eq 554 host 192.168.35.1 eq 1221 (27 matches)
After closing the multimedia session, review the session output using the
*show* commands to verify the firewall software has removed the dynamic
entries from the configuration.
------------------------------------------------------------------------------
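To make the FAB behaviour Scott quotes concrete, here is an added example (my own code, not Cisco's or anything from the DocCD) that parses the "show ip inspect sessions detail" output and the ACL 110 extract C Chan posted above. It renders the temporary ACE a pre-12.3(4)T router would have inserted into the inbound ACL, then evaluates inbound packets the FAB way: the inspection state table is consulted first, so the Telnet reply is admitted even though ACL 110 still shows only deny lines. The inspect-name-to-transport map and the ACL grammar are simplified assumptions covering only the entries on this page; the packet tuples are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample output taken from R3 in the thread above.
INSPECT_DETAIL = """\
Established Sessions
 Session 46061BB4 (10.0.0.1:33119)=>(150.1.2.2:23) telnet SIS_OPEN
  Created 00:00:16, Last heard 00:00:15
  Bytes sent (initiator:responder) [37:74]
  In SID 150.1.2.2[23:23]=>10.0.0.1[33119:33119] on ACL 110 (11 matches)
"""

# Inbound ACL from the partial config extract in the thread.
ACL_110 = """\
access-list 110 permit ospf any any
access-list 110 deny tcp any any
access-list 110 deny udp any any
access-list 110 deny ip any any
"""

# Assumed mapping of inspect protocol names to transports (names on this page only).
TRANSPORT = {"telnet": "tcp", "rtsp": "tcp", "rtsp-data": "udp", "tcp": "tcp", "udp": "udp"}

SESSION_RE = re.compile(r"Session\s+([0-9A-F]+)\s+\((\S+):(\d+)\)=>\((\S+):(\d+)\)\s+(\S+)\s+(SIS_\w+)")
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.+)$")

Packet = Tuple[str, str, int, str, int]  # (transport, src, sport, dst, dport)


@dataclass
class Session:
    sid: str
    initiator: str
    iport: int
    responder: str
    rport: int
    protocol: str
    state: str


def parse_sessions(text: str) -> List[Session]:
    """One Session per 'Session ...' line of show ip inspect sessions output."""
    out = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sid, ini, ip_, rsp, rp, proto, state = m.groups()
            out.append(Session(sid, ini, int(ip_), rsp, int(rp), proto, state))
    return out


def dynamic_ace(s: Session) -> str:
    """Pre-FAB view: the temporary ACE for the return direction (responder ->
    initiator), in the format the DocCD extract shows for RTSP."""
    return (f"permit {TRANSPORT[s.protocol]} host {s.responder} eq {s.rport} "
            f"host {s.initiator} eq {s.iport}")


def matches_return(s: Session, pkt: Packet) -> bool:
    """FAB view: is this inbound packet the return direction of open session s?"""
    transport, src, sport, dst, dport = pkt
    return (s.state == "SIS_OPEN" and TRANSPORT[s.protocol] == transport
            and src == s.responder and sport == s.rport
            and dst == s.initiator and dport == s.iport)


def _parse_endpoint(tokens: List[str]) -> Tuple[Optional[str], Optional[int]]:
    """Consume 'any' or 'host A [eq P]' from tokens; None means wildcard."""
    if tokens[0] == "any":
        del tokens[0]
        return None, None
    if tokens[0] != "host":
        raise ValueError(f"unsupported ACL syntax: {' '.join(tokens)}")
    addr, port = tokens[1], None
    del tokens[:2]
    if tokens and tokens[0] == "eq":
        port = int(tokens[1])
        del tokens[:2]
    return addr, port


def parse_acl(text: str):
    """Parse the subset of ACE syntax used on this page into (action, proto, src, dst)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            _, action, proto, rest = m.groups()
            tokens = rest.split()
            aces.append((action, proto, _parse_endpoint(tokens), _parse_endpoint(tokens)))
    return aces


def static_acl_decision(aces, pkt: Packet) -> str:
    """First-match evaluation of the static ACL, with the implicit deny at the end."""
    transport, src, sport, dst, dport = pkt
    for action, proto, (sa, sp), (da, dp) in aces:
        if proto not in ("ip", transport):
            continue
        if sa is not None and (sa != src or (sp is not None and sp != sport)):
            continue
        if da is not None and (da != dst or (dp is not None and dp != dport)):
            continue
        return action
    return "deny"


def inbound_decision(aces, sessions, pkt: Packet) -> str:
    """FAB model: state table before the static ACL, so no dynamic ACE is needed."""
    for s in sessions:
        if matches_return(s, pkt):
            return f"permit (session {s.sid})"
    return static_acl_decision(aces, pkt)


def demo() -> dict:
    sessions, aces = parse_sessions(INSPECT_DETAIL), parse_acl(ACL_110)
    telnet_reply = ("tcp", "150.1.2.2", 23, "10.0.0.1", 33119)   # constructed
    unsolicited = ("tcp", "150.1.2.2", 23, "10.0.0.1", 33120)    # constructed
    return {"dynamic_ace": dynamic_ace(sessions[0]),
            "reply": inbound_decision(aces, sessions, telnet_reply),
            "unsolicited": inbound_decision(aces, sessions, unsolicited),
            "static_only_reply": static_acl_decision(aces, telnet_reply)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "static_only_reply" result shows why C Chan's test worked without any visible dynamic line: against ACL 110 alone the Telnet reply would be dropped by "deny tcp any any", so the only thing admitting it is the state-table match, which is exactly what "show ip inspect sessions" (not "show ip access-list") lets you verify on a FAB-capable IOS.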
This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:28 ART