RE: CBAC

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Thu Sep 04 2008 - 03:09:31 ART


>Unlike Reflexive ACL, CBAC does not have any command on the ACL
>referencing the Inspect rule. My question is how the router knows for
>what ACL it should create temporary openings?

Um, it doesn't really... old code had temporary access-list entries for CBAC
sessions, above the "show access-list", but lately (right now from a recent
12.4T code)...

RTR_1#show access-list
Extended IP access list internet-security
    100 permit tcp any host 64.115.120.110 eq www (237 matches)
    150 permit tcp any host 64.115.120.110 eq 443 (14525 matches)
    200 permit tcp any host 64.115.120.105 eq smtp (155612 matches)
    250 permit tcp any host 64.115.120.105 eq www (191 matches)
    300 permit tcp any host 64.115.120.105 eq 443 (161266 matches)
    310 permit tcp any host 64.115.120.105 eq 993 (7718 matches)
    350 permit tcp any host 64.115.166.178 eq 22 (87051 matches)
    400 permit icmp any any echo-reply (111548 matches)
    450 permit udp any any eq isakmp
    500 permit udp any any eq non500-isakmp
    600 permit esp any any (5877 matches)
    700 deny ip any any (16784 matches)

Nothing

Just the CBAC sessions are processed before ACLs.

RTR_1#show ip inspect sessions
Established Sessions
 Session 47EBA998 (10.1.10.11:7742)=>(204.187.87.33:3101) tcp SIS_OPEN
 Session 47EBE990 (10.1.10.57:4449)=>(72.247.65.25:80) tcp SIS_OPEN
 Session 47EC4558 (10.1.10.10:1180)=>(69.25.21.193:443) tcp SIS_OPEN
 Session 47EBD618 (10.1.10.65:1952)=>(74.125.47.189:80) tcp SIS_OPEN
 Session 47EBB4B8 (10.1.10.11:6065)=>(67.43.161.248:6005) tcp SIS_OPEN
 Session 47EBF4B0 (10.1.10.54:3259)=>(74.125.47.189:80) tcp SIS_OPEN

>Does the router work out
>the ACL it needs to "modify" based on the path the internally generated
>traffic takes?

You got it... it knows that an "ip inspect fwpolicy in", where a session is opened
on the LAN, means a session will return on an interface where ip inspect has
not been configured...

>My question is if the router has another interface e.g. Ethernet 1/2,
>with a different ACL applied inbound, will the router create openings
>for ACL 101 as well?

Again, the "openings" are not for an ACL... just CBAC sessions are evaluated
(sorry to borrow a word from reflexive ACLs) before access-lists are
processed.

>Is there any way to check what temporary openings the router created
>(other than show ip inspect sessions)? I mean something similar to show
>ip access-list (in case of the reflexive ACL).

Sure, run old code circa 2002; it used to show weird ACL "holes" for old CBAC
sessions, which were very specific, i.e.

Permit tcp host 204.15.1.1 eq 32093 host 65.56.42.1 eq 1037

I used to wonder what the hell that was back then... LOL till I learned
how/when to use CBAC!

-Joe

Blogs and organic groups at http://www.ccie.net
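The point Joe makes above (the inspect session table is consulted before the inbound ACL, and the ACL itself never shows the return-traffic "holes") can be checked offline. The following script is an added example by the editor, not code from the original post or from Cisco: it parses a `show ip inspect sessions` table and a `show access-list` listing (a constructed subset of the two outputs quoted above), builds the reversed 5-tuple of each session, and evaluates it against the static ACL alone. Every flow the ACL would deny is one that only the CBAC session permits, which is what an auditor wants to see when deciding whether an inspect policy can be removed or replaced. The ACE parser covers only `any`, `host A` and `A wildcard` addresses plus `eq <port>`, and the port-name table is an assumed subset of IOS keywords.

```python
"""Audit which CBAC return flows a static inbound ACL would permit on its own (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed subset of IOS port keywords; extend as needed.
PORT_NAMES = {"www": 80, "smtp": 25, "isakmp": 500, "non500-isakmp": 4500, "domain": 53}

ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\(\d+ matches\))?\s*$")
SESSION_RE = re.compile(r"Session\s+\S+\s+\((\S+):(\d+)\)=>\((\S+):(\d+)\)\s+(\S+)\s+(\S+)")

# Constructed sample input: a subset of the outputs quoted in the post.
INSPECT_SESSIONS = """\
Established Sessions
 Session 47EBA998 (10.1.10.11:7742)=>(204.187.87.33:3101) tcp SIS_OPEN
 Session 47EBE990 (10.1.10.57:4449)=>(72.247.65.25:80) tcp SIS_OPEN
 Session 47EC4558 (10.1.10.10:1180)=>(69.25.21.193:443) tcp SIS_OPEN
"""
ACL = """\
Extended IP access list internet-security
    100 permit tcp any host 64.115.120.110 eq www (237 matches)
    400 permit icmp any any echo-reply (111548 matches)
    600 permit esp any any (5877 matches)
    700 deny ip any any (16784 matches)
"""


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def __post_init__(self):  # accept strings or address objects
        self.src = ipaddress.ip_address(self.src)
        self.dst = ipaddress.ip_address(self.dst)


def _parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A wildcard' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF))  # invert wildcard bits
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'show access-list' output into ACEs in sequence order; unknown lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = m.group(4).split()
        src, i = _parse_addr(tokens, 0)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)  # trailing tokens such as 'echo-reply' are ignored
        aces.append(Ace(int(m.group(1)), m.group(2), m.group(3), src, sport, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


def acl_decision(aces, pkt):
    """First-match evaluation; ('deny', None) models the implicit deny at the end of the ACL."""
    for a in aces:
        if a.proto not in ("ip", pkt.proto) or pkt.src not in a.src or pkt.dst not in a.dst:
            continue
        if (a.sport is not None and a.sport != pkt.sport) or (a.dport is not None and a.dport != pkt.dport):
            continue
        return a.action, a.seq
    return "deny", None


def parse_sessions(text):
    """Parse 'show ip inspect sessions' into Packets for the initiating (inside->outside) direction."""
    return [Packet(proto, src, int(sport), dst, int(dport))
            for src, sport, dst, dport, proto, _state in SESSION_RE.findall(text)]


def audit(sessions_text, acl_text):
    """For each session, report whether the static ACL alone would permit the return traffic."""
    aces = parse_acl(acl_text)
    report = []
    for s in parse_sessions(sessions_text):
        action, seq = acl_decision(aces, Packet(s.proto, s.dst, s.dport, s.src, s.sport))
        report.append({"flow": f"{s.src}:{s.sport}->{s.dst}:{s.dport}/{s.proto}",
                       "acl_alone": action, "ace": seq, "needs_inspect": action != "permit"})
    return report


if __name__ == "__main__":
    for row in audit(INSPECT_SESSIONS, ACL):
        print(row)
```

With the sample input every session's return packet falls through to the `deny ip any any` entry, so `needs_inspect` is true for all of them; that is the invisible "opening" Joe describes. A session whose return traffic a static ACE already permits would show `needs_inspect` false and is a candidate for tightening, since the inspect policy is doing no work for it.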



This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART