From: GAURAV MADAN (gauravmadan1177@gmail.com)
Date: Thu Jan 29 2009 - 14:32:51 ARST
Hi Jared
More confusion..
If I say "ip inspect CBAC tcp",
what I mean to say by this statement is that any TCP traffic going out of my
network is allowed to return..
So if my inbound ACL denies TCP, this statement will allow TCP? i.e.
Rack1R5(config)#do sh ip access-li
Extended IP access list 101
10 deny tcp any any
And applying this to inbound will help?
I am seeing that this doesn't work.
Gaurav Madan
On Thu, Jan 29, 2009 at 9:51 PM, Jared Scrivener <jscrivener@ipexpert.com> wrote:
> Hey Gaurav,
>
> For what you want to achieve I'd suggest the following:
>
> ip inspect name CBAC udp
> access-list 101 deny ip any any
>
> int f0/0.52
> ip inspect CBAC out
> ip access-group 101 in
>
> For CBAC to function it creates a list of traffic flows that are allowed to
> bypass the access-list for return traffic. If there is no ACL then all
> traffic gets back in.
>
> Cheers,
>
> Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Mailto: jscrivener@ipexpert.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> GAURAV MADAN
> Sent: Thursday, 29 January 2009 11:05 AM
> To: Cisco certification
> Subject: CBAC : never work for me :(
>
> Hi Friends
>
> CBAC is one gray area that I don't understand at all.. Please help me in
> pointing out where I am wrong.
>
>
> R5 192.10.1.5 f0/0.52============= 192.10.1.254BB
>
> I want traffic from outside to come in my network if and only if initiated
> from inside my network.
>
> First I configured:
>
> ip inspect name CBAC udp
>
> int f0/0.52
> ip inspect CBAC out
>
> I expect that all my TCP sessions to BB (like BGP) will fail.. Also I
> expect ping to BB will fail etc. etc. (because I have permitted only UDP)..
> The rest of the policies I will apply later. But here only my understanding is
> failing. I am able to ping BB, TCP sessions are UP.
>
> Also please clarify the direction of this.
>
> Thanks in advance
> Gaurav Madan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST
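
Added example, not part of the original thread and not IOS code: a simplified Python model of the behaviour Jared describes, where outbound inspection records flows whose return traffic bypasses the inbound ACL, and an interface with no inbound ACL filters nothing. The inside host address, the port numbers and the names Packet, Interface and scenario are assumptions made for illustration; the model covers traffic passing through the interface from an inside host.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def mirror(p):
    # The return direction of a flow: endpoints swapped.
    return Packet(p.proto, p.dst, p.dport, p.src, p.sport)

class Interface:
    def __init__(self, inspect_out, inbound_acl):
        self.inspect_out = set(inspect_out)  # protocols named in the inspect rule
        self.inbound_acl = inbound_acl       # list of (action, proto), or None for no ACL
        self.sessions = set()                # return flows opened by inspection

    def send_out(self, pkt):
        # Outbound inspection records the expected return flow.
        if pkt.proto in self.inspect_out:
            self.sessions.add(mirror(pkt))

    def receive_in(self, pkt):
        if self.inbound_acl is None:
            return True                      # no ACL: all traffic gets back in
        if pkt in self.sessions:
            return True                      # inspected return traffic bypasses the ACL
        for action, proto in self.inbound_acl:
            if proto in ("ip", pkt.proto):
                return action == "permit"
        return False                         # implicit deny at the end of an ACL

def scenario(inspect_out, inbound_acl):
    intf = Interface(inspect_out, inbound_acl)
    host, bb = "10.0.0.10", "192.10.1.254"   # host is constructed; BB address is from the thread
    tcp = Packet("tcp", host, 40000, bb, 179)
    udp = Packet("udp", host, 40001, bb, 53)
    intf.send_out(tcp)
    intf.send_out(udp)
    return {
        "tcp_reply": intf.receive_in(mirror(tcp)),
        "udp_reply": intf.receive_in(mirror(udp)),
        "unsolicited_udp": intf.receive_in(Packet("udp", bb, 53, host, 40002)),
    }

if __name__ == "__main__":
    print("inspect udp, no ACL:      ", scenario({"udp"}, None))
    print("inspect udp, deny ip any: ", scenario({"udp"}, [("deny", "ip")]))
    print("inspect tcp, deny tcp any:", scenario({"tcp"}, [("deny", "tcp")]))
```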