From: Huan Pham (Huan.Pham@peopletelecom.com.au)
Date: Thu Sep 04 2008 - 02:43:35 ART
Hi all,
Unlike a Reflexive ACL, CBAC does not have any command on the ACL
referencing the inspect rule. My question is how the router knows for
what ACL it should create temporary openings? Does the router work out
the ACL it needs to "modify" based on the path the internally generated
traffic takes?
The example below is taken directly from the Doc CD.
Topology:
LAN ------ R1 --------- WAN
E0/0 E0/1
Config:
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 deny ip any any
interface Ethernet1/1
ip access-group 100 in
ip inspect name hqusers rtsp
ip inspect name hqusers h323
interface Ethernet1/0
ip inspect hqusers in
My question is if the router has another interface e.g. Ethernet 1/2,
with a different ACL applied inbound, will the router create openings
for ACL 101 as well?
interface Ethernet1/2
ip access-group 101 in
Is there any way to check what temporary openings the router created
(other than show ip inspect sessions)? I mean something similar to show
ip access-list (in the case of reflexive ACLs).
Below is the link where the example was taken from.
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1002224
Cisco IOS Security Configuration Guide, Release 12.4
Traffic Filtering, Firewalls, and Virus Detection
Context-Based Access Control
Configuring Context-based Access Control
CBAC Configuration Examples
Ethernet Interface Configuration Example
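As an added illustration (not part of the post or of the Cisco guide), here is a simplified Python model of how a stateful inspection engine lets reply traffic through an inbound ACL such as access-list 100 without rewriting the ACL itself: inspected sessions go into a table that is consulted before the ACL on whichever interface the reply enters. The rtsp/h323 port mapping and the order of the checks are assumptions of the model, not a description of IOS internals, which is exactly what the post is asking about.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""

# access-list 100 from the post; every entry is "any any", so only
# (action, protocol, icmp type) matter in this model.
ACL100 = [("deny", "tcp", ""), ("deny", "udp", ""),
          ("permit", "icmp", "echo-reply"), ("permit", "icmp", "time-exceeded"),
          ("permit", "icmp", "packet-too-big"), ("permit", "icmp", "traceroute"),
          ("permit", "icmp", "unreachable"), ("deny", "ip", "")]

# Assumed mapping of the inspect rule's protocols to well-known ports.
INSPECT_PORTS = {"rtsp": ("tcp", 554), "h323": ("tcp", 1720)}

def acl_permits(acl, pkt):
    """First-match evaluation; an ACL with no matching entry denies implicitly."""
    for action, proto, itype in acl:
        if proto == "ip" or (proto == pkt.proto and itype in ("", pkt.icmp_type)):
            return action == "permit"
    return False

class Router:
    def __init__(self):
        self.inbound_acl = {"E1/1": ACL100}   # ip access-group 100 in
        self.inspect_in = {"E1/0"}            # ip inspect hqusers in
        self.sessions = set()                 # the "temporary openings"

    def receive(self, iface, pkt):
        """Return the verdict for a packet entering `iface`."""
        # Reply traffic of an inspected session is matched before the ACL,
        # on whichever interface it enters (model assumption, not IOS fact).
        if (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.sessions:
            return "permit (inspect session)"
        acl = self.inbound_acl.get(iface)
        if acl is not None and not acl_permits(acl, pkt):
            return "deny (acl)"
        if iface in self.inspect_in and (pkt.proto, pkt.dport) in INSPECT_PORTS.values():
            self.sessions.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return "permit"

    def openings(self):
        """Rough analogue of 'show ip inspect sessions': the session table."""
        return sorted(self.sessions)
```

Feeding an inspected RTSP request in on E1/0 and then its reply in on E1/1 shows the reply passing via the session table while an unsolicited WAN TCP packet on E1/1 is still dropped by ACL 100.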
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART