RE: CBAC

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Fri May 09 2008 - 00:48:01 ART


NYCORPHQ1#show run | inc ip inspec|nterface|access-list|deny|descrip|access-group
     
ip inspect name cbac tcp router-traffic
ip inspect name cbac icmp router-traffic
ip inspect name cbac udp router-traffic
interface FastEthernet0/0
 description USER_LAN
 ip inspect cbac in
interface Serial0/0
 description INTERNET_FACING
 ip access-group NOTHING_ALLOWED_IN_BUT_CBAC_SESSIONS in
 ip inspect cbac out
ip access-list extended NOTHING_ALLOWED_IN_BUT_CBAC_SESSIONS
 deny ip any any log

(telnet to upstream router)

NYCORPHQ1#telnet 66.66.1.1
Trying 66.66.1.1 ... Open

User Access Verification

Password: (then Ctrl+Shift+6, then X)
NYCORPHQ1#show ip inspect sessions
Established Sessions
 Session 65400C08 (66.66.1.2:27927)=>(66.66.1.1:23) tcp SIS_OPEN

As you can see, the router-generated telnet traffic created a CBAC session.
Without the "router-traffic" argument the session would not have made it
back in.

-Joe
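As an added illustration (not part of Joe's post or the rest of the thread), the same inbound-deny design with the weak inspect rule placed beside the corrected one, followed by the checks a practitioner would run. The interface names, the ACL name and the 66.66.1.0/30 upstream address are those shown in the thread; the rule name "weak" and the expected behaviour of the counters are assumptions made for this example.

```cisco
! Added example, not from the thread. Interface names, the ACL name and
! the 66.66.1.x addresses come from Joe's post; the "weak" rule name and
! the remarks about counters are assumptions for illustration.
!
! --- Weak form: inspection is applied outbound on the Internet interface,
! --- but the rule is built without "router-traffic". LAN-originated
! --- sessions get a CBAC entry and their replies are let back in; sessions
! --- the router itself originates (telnet, NTP, ping from the CLI) create
! --- no entry, so their replies hit the deny-all ACL and are dropped.
ip inspect name weak tcp
ip inspect name weak udp
ip inspect name weak icmp
!
! --- Corrected form: the router-traffic keyword extends the rule to
! --- sessions the router generates. It is accepted on the tcp, udp and
! --- icmp entries used here and needs an IOS release that has the keyword.
ip inspect name cbac tcp router-traffic
ip inspect name cbac udp router-traffic
ip inspect name cbac icmp router-traffic
!
! Inbound on the Internet side nothing is permitted statically; only the
! dynamic entries CBAC opens get through. The log keyword makes every drop
! visible in syslog, which is how a missing router-traffic shows itself.
ip access-list extended NOTHING_ALLOWED_IN_BUT_CBAC_SESSIONS
 deny ip any any log
!
interface FastEthernet0/0
 description USER_LAN
 ip inspect cbac in
!
interface Serial0/0
 description INTERNET_FACING
 ip access-group NOTHING_ALLOWED_IN_BUT_CBAC_SESSIONS in
 ip inspect cbac out
!
! Checks (privileged exec, not config mode):
!   telnet 66.66.1.1             originate a session from the router itself
!   show ip inspect sessions     with "cbac" applied, expect an entry of the
!                                form (66.66.1.2:<port>)=>(66.66.1.1:23) tcp
!   show ip access-lists NOTHING_ALLOWED_IN_BUT_CBAC_SESSIONS
!                                with "weak" applied instead, the deny line's
!                                match count rises while the replies are
!                                dropped and the telnet never opens
!   show ip inspect config       confirms which rule carries router-traffic
```

Swapping `ip inspect cbac out` for `ip inspect weak out` on Serial0/0 is enough to reproduce the failure Patrick described: LAN hosts still work, only the router's own sessions are lost.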

-----Original Message-----
From: Patrick Galligan [mailto:pgalligan@gmail.com]
Sent: Thursday, May 08, 2008 11:29 PM
To: Joseph Brunner
Subject: Re: CBAC

Joe,

All my reading tells me that CBAC doesn't work with any traffic
generated by the router. I've tried to make this work after you
replied this morning and I can't. If you have an example config I'd
love to see it :)

Cheers,
Pat

On Fri, May 9, 2008 at 12:19 PM, Joseph Brunner <joe@affirmedsystems.com>
wrote:
> CBAC inspects traffic at the incoming interface. So if your F0/0 interface
> (on the way to the loopback from the LAN) or your F0/1 interface (touching
> the internet) has ip inspect <name> in, the traffic will be inspected.
>
> If you want to specifically combine policy routing or local policy routing
> to move traffic to a certain destination, this happens independently of CBAC
> inspection. I use CBAC almost daily in the real world, and almost never use
> ip inspect <name> out unless I'm looking to inspect router-generated traffic
> such as NTP, etc.
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Patrick Galligan
> Sent: Thursday, May 08, 2008 9:57 PM
> To: Cisco certification
> Subject: CBAC
>
> Is there any way to have CBAC inspect traffic destined to a loopback
> on a router (the same router running CBAC)? eg. with a local policy?
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Certain techniques work on a motorcycle. Other techniques don't, and they hurt


This archive was generated by hypermail 2.1.4 : Mon Jun 02 2008 - 06:59:16 ART