Re: CBAC

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Fri May 09 2008 - 16:16:57 ART


Patrick, this feature was introduced in IOS 12.3(14)T, so make sure you
have the right IOS version running. And of course, as Joe mentioned,
use the 'router-traffic' keyword.

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/h_insrg.html

HTH

Farrukh

On Fri, May 9, 2008 at 6:48 AM, Joseph Brunner <joe@affirmedsystems.com> wrote:
> NYCORPHQ1#$show run | inc ip
> inspec|nterface|access-list|deny|descrip|access-group
>
> ip inspect name cbac tcp router-traffic
> ip inspect name cbac icmp router-traffic
> ip inspect name cbac udp router-traffic
> interface FastEthernet0/0
> description USER_LAN
> ip inspect cbac in
> interface Serial0/0
> description INTERNET_FACING
> ip access-group NOTHING_ALLOWED_IN_BUT_CBAC_SESSIONS in
> ip inspect cbac out
> ip access-list extended NOTHING_ALLOWED_IN_BUT_CBAC_SESSIONS
> deny ip any any log
>
>
> (telnet to upstream router)
>
> NYCORPHQ1#telnet 66.66.1.1
> Trying 66.66.1.1 ... Open
>
>
> User Access Verification
>
> Password: (then ctrl+shift+6 X)
> NYCORPHQ1#show ip inspect sessions
> Established Sessions
> Session 65400C08 (66.66.1.2:27927)=>(66.66.1.1:23) tcp SIS_OPEN
>
>
> As you can see the router generated telnet traffic created a cbac session.
> Without the "router-traffic" argument the session would not have made it
> back in.
>
> -Joe
>
> -----Original Message-----
> From: Patrick Galligan [mailto:pgalligan@gmail.com]
> Sent: Thursday, May 08, 2008 11:29 PM
> To: Joseph Brunner
> Subject: Re: CBAC
>
> Joe,
>
> All my reading tells me that CBAC doesn't work with any traffic
> generated by the router. I've tried to make this work after you
> replied this morning and I can't. If you have an example config I'd
> love to see it :)
>
> Cheers,
> Pat
>
> On Fri, May 9, 2008 at 12:19 PM, Joseph Brunner <joe@affirmedsystems.com>
> wrote:
>> CBAC inspects traffic at the incoming interface. So if your F0/0 interface
>> (on the way to the loopback from the LAN) or your F0/1 interface (touching
>> the internet) has ip inspect <name> in, the traffic will be inspected.
>>
>> If you want to specifically combine policy routing or local policy routing
>> to move traffic to a certain destination, this happens independently of cbac
>> inspection. I use cbac almost daily in the real world, and almost never use
>> ip inspect <name> out unless I'm looking to inspect router generated traffic
>> such as ntp, etc.
>>
>> -Joe
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Patrick Galligan
>> Sent: Thursday, May 08, 2008 9:57 PM
>> To: Cisco certification
>> Subject: CBAC
>>
>> Is there any way to have CBAC inspect traffic destined to a loopback
>> on a router (the same router running CBAC)? eg. with a local policy?
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>
>
>
> --
> Certain techniques work on a motorcycle. Other techniques don't, and they hurt
>
>
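Since the whole thread turns on one keyword being present or absent, here is a small config-audit check in Python, added to this archive page and not posted by anyone in the thread. It takes running-config text in the shape of Joe's "show run | inc" output and reports every interface where "ip inspect <name> out" is applied but the named rule has protocols defined without "router-traffic", i.e. the exact situation Pat hit where the router's own sessions never make it back through the inbound ACL. The sample config is constructed for the example (the "lanonly" rule, the Serial0/1 interface and its description are invented); the rest mirrors the syntax shown above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on Joe's "show run | inc ..." output (not taken
# from a real device). "cbac" carries router-traffic; "lanonly" does not.
SAMPLE_CONFIG = """\
ip inspect name cbac tcp router-traffic
ip inspect name cbac icmp router-traffic
ip inspect name cbac udp router-traffic
ip inspect name lanonly tcp
ip inspect name lanonly udp
interface FastEthernet0/0
 description USER_LAN
 ip inspect cbac in
interface Serial0/0
 description INTERNET_FACING
 ip access-group NOTHING_ALLOWED_IN_BUT_CBAC_SESSIONS in
 ip inspect cbac out
interface Serial0/1
 description BACKUP_INTERNET
 ip access-group NOTHING_ALLOWED_IN_BUT_CBAC_SESSIONS in
 ip inspect lanonly out
ip access-list extended NOTHING_ALLOWED_IN_BUT_CBAC_SESSIONS
 deny ip any any log
"""

# "ip inspect name <rule> <protocol> [options...]" (global definition)
INSPECT_RULE = re.compile(r"^ip inspect name (\S+) (\S+)(.*)$")
# "interface <name>" opens an interface stanza
INTERFACE = re.compile(r"^interface (\S+)$")
# "ip inspect <rule> in|out" inside an interface stanza
APPLY = re.compile(r"^ip inspect (\S+) (in|out)$")


def parse_inspect_rules(config: str) -> Dict[str, Dict[str, bool]]:
    """Map rule name -> {protocol: True if 'router-traffic' is set}."""
    rules: Dict[str, Dict[str, bool]] = {}
    for line in config.splitlines():
        m = INSPECT_RULE.match(line.strip())
        if m:
            name, proto, rest = m.groups()
            rules.setdefault(name, {})[proto] = "router-traffic" in rest.split()
    return rules


def parse_interface_inspects(config: str) -> List[Tuple[str, str, str]]:
    """Return (interface, rule, direction) for every applied 'ip inspect'."""
    applied: List[Tuple[str, str, str]] = []
    current = None
    for line in config.splitlines():
        stripped = line.strip()
        m = INTERFACE.match(stripped)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # any other unindented line ends the stanza
            continue
        m = APPLY.match(stripped)
        if m and current:
            applied.append((current, m.group(1), m.group(2)))
    return applied


def find_outbound_without_router_traffic(config: str) -> List[Tuple[str, str, List[str]]]:
    """Outbound inspection whose rule has protocols lacking router-traffic.

    Returns (interface, rule, [protocols]) for each affected interface. Those
    protocols are inspected for transit traffic only, so sessions the router
    itself originates (telnet, ntp, ...) get no return-path opening in the
    inbound ACL on that interface.
    """
    rules = parse_inspect_rules(config)
    findings: List[Tuple[str, str, List[str]]] = []
    for iface, rule, direction in parse_interface_inspects(config):
        if direction != "out":
            continue
        missing = sorted(p for p, rt in rules.get(rule, {}).items() if not rt)
        if missing:
            findings.append((iface, rule, missing))
    return findings


if __name__ == "__main__":
    for iface, rule, protos in find_outbound_without_router_traffic(SAMPLE_CONFIG):
        print(f"{iface}: rule '{rule}' applied out without router-traffic for {protos}")
```

Run against the constructed sample, the check passes Serial0/0 (the "cbac" rule has router-traffic on every protocol) and flags Serial0/1, where "lanonly" is applied outbound with plain tcp and udp entries. Point it at a saved "show run" and the only difference is that real stanzas carry more lines the regexes simply skip.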



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2008 - 06:59:16 ART