From: GAURAV MADAN (gauravmadan1177@gmail.com)
Date: Thu Jan 29 2009 - 14:47:30 ARST
Wow, things started to make a little sense.
I have:
ip inspect name CBAC udp
ip inspect name CBAC tcp router-traffic
ip inspect name CBAC icmp router-traffic
Extended IP access list 101
10 deny tcp any any
Rack1R5(config)#do sh run int f0/0.52
Building configuration...
Current configuration : 142 bytes
!
interface FastEthernet0/0.52
encapsulation dot1Q 52
ip address 192.10.1.5 255.255.255.0
ip access-group 101 in
ip inspect CBAC out
end
[A] I am able to ping because:
I have ip inspect name CBAC icmp router-traffic in place
AND
this is denied by the inbound ACL
[B] My BGP session is up because
I have TCP as the protocol
and I have denied tcp by the inbound ACL
Last question:
As I am noticing, we can either have the router-traffic option or not. Can't
have both.
So in the ACL we are expected to allow for the local router and deny for internal
routers?
This will solve the purpose.. right?
On Thu, Jan 29, 2009 at 10:08 PM, Jared Scrivener
<jscrivener@ipexpert.com>wrote:
> Yep, that's exactly right, Gaurav.
>
> The ACL doesn't really have any effect on CBAC (it just allows certain
> packets in after CBAC has allowed "its" packets in).
>
> If you used "ip inspect CBAC tcp" and applied that outbound on the f0/0.52
> interface then all TCP sessions that leave the f0/0.52 interface (except
> packets generated by the router) will be allowed to return through that
> interface.
>
> You'll find that your BGP still won't work however (as the router generates
> those packets). If you want the BGP session to work use "ip inspect CBAC tcp
> router-traffic". That'll inspect router-generated packets too.
>
> In summary, CBAC inspects the traffic in the direction of the **source**
> packet flows. This is normally outbound on the egress interface, but (as
> Anthony noted) can be inbound on the ingress interface too.
>
> Cheers,
>
> Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Mailto: jscrivener@ipexpert.com
> ------------------------------
>
> *From:* GAURAV MADAN [mailto:gauravmadan1177@gmail.com]
> *Sent:* Thursday, 29 January 2009 11:33 AM
> *To:* jscrivener@ipexpert.com
> *Cc:* Cisco certification
> *Subject:* Re: CBAC : never work for me :(
>
> Hi Jared
>
> More confusion..
>
> If I say "ip inspect CBAC tcp"
>
> what I mean to say by this statement is that any TCP traffic going out of my
> network is allowed to return..
>
> So if my inbound ACL denies tcp, this statement will allow TCP? i.e.
>
> Rack1R5(config)#do sh ip access-li
> Extended IP access list 101
> 10 deny tcp any any
>
> and applying this to inbound will help?
>
> I am seeing this doesn't work.
>
> Gaurav Madan
>
> On Thu, Jan 29, 2009 at 9:51 PM, Jared Scrivener <jscrivener@ipexpert.com>
> wrote:
>
> Hey Gaurav,
>
> For what you want to achieve I'd suggest the following:
>
> ip inspect name CBAC udp
> access-list 101 deny ip any any
>
> int f0/0.52
>  ip inspect CBAC out
>  ip access-group 101 in
>
>
> For CBAC to function it creates a list of traffic flows that are allowed to
> bypass the access-list for return traffic. If there is no ACL then all
> traffic gets back in.
>
> Cheers,
>
> Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Mailto: jscrivener@ipexpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> GAURAV MADAN
> Sent: Thursday, 29 January 2009 11:05 AM
> To: Cisco certification
> Subject: CBAC : never work for me :(
>
> Hi Friends
>
> CBAC is one gray area that I don't understand at all.. please help me in
> pointing out where I am wrong.
>
> R5 192.10.1.5 f0/0.52 ============= 192.10.1.254 BB
>
> I want traffic from outside to come into my network if and only if it is initiated
> from inside my network.
>
> First I configured:
>
> ip inspect name CBAC udp
>
> int f0/0.52
>  ip inspect CBAC out
>
> I expect that all my TCP sessions to BB (like BGP) will fail.. also I
> expect ping to BB will fail etc. etc. (because I have permitted only udp)..
> The rest of the policies I will apply later. But here only my understanding is
> failing. I am able to ping BB, TCP sessions are UP.
>
> Also please clarify the direction of this.
>
> Thanks in advance
> Gaurav Madan
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
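The configuration the thread converges on, written out end to end as an added example (it is not a config posted by either participant). Interface, ACL number and addresses are the ones from the thread; the hostname and the BB neighbour address used in the verification comments are assumptions. The point it makes explicit is that `router-traffic` is a per-protocol keyword on each `ip inspect name` line, so each protocol independently either covers the router's own packets or does not:

```cisco
! Added example, not from the thread: CBAC that lets only inside-initiated
! sessions return through f0/0.52 while still letting the router's own BGP
! session and pings to BB work.
!
! One inspect line per protocol. router-traffic is an option on each line;
! without it CBAC ignores packets R5 itself sources, so the return half of an
! R5-originated BGP session or ping would hit the inbound ACL and be dropped.
ip inspect name CBAC udp
ip inspect name CBAC tcp router-traffic
ip inspect name CBAC icmp router-traffic
!
! Log session creation and teardown so you can watch CBAC open and close holes.
ip inspect audit-trail
!
! Inbound ACL on the outside interface. Everything is denied; the only way in
! is a CBAC session entry created by traffic that left through f0/0.52.
! Any host that must be reachable from the BB side unsolicited needs an
! explicit permit above this line, because CBAC never opens a hole for it.
access-list 101 deny ip any any log
!
interface FastEthernet0/0.52
 encapsulation dot1Q 52
 ip address 192.10.1.5 255.255.255.0
 ip access-group 101 in
 ip inspect CBAC out
!
! Verification (neighbour 192.10.1.254 assumed from the thread's topology):
!   show ip inspect config       - each protocol and whether it has router-traffic
!   show ip inspect interfaces   - confirms CBAC is applied outbound on f0/0.52
!   show ip inspect sessions     - should list the TCP/179 session once BGP is up
!   show access-list 101         - deny counter should grow only for unsolicited
!                                  inbound packets, not for return traffic
```

Two caveats a practitioner would check here. First, with a deny-all inbound ACL the BGP session only comes up from R5's own connection attempt: if BB opens the TCP connection first, its SYN has no matching CBAC session and is dropped, and the session establishes on R5's next retry. Second, the direction of `ip inspect CBAC out` on f0/0.52 is what makes the return traffic match; applying the same rule `in` on the inside-facing interface inspects the same flows from the other side, but in that case the ACL that must be bypassed is the inbound one on the outside interface, exactly as in this configuration.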
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST