From: Jared Scrivener (jscrivener@ipexpert.com)
Date: Thu Jan 29 2009 - 14:38:05 ARST
Yep, that's exactly right, Gaurav.
The ACL doesn't really have any effect on CBAC (it just allows certain
packets in after CBAC has allowed "its" packets in).
If you used "ip inspect CBAC tcp" and applied that outbound on the f0/0.52
interface then all TCP sessions that leave the f0/0.52 interface (except
packets generated by the router) will be allowed to return through that
interface.
You'll find that your BGP still won't work however (as the router generates
those packets). If you want the BGP session to work use "ip inspect CBAC tcp
router-traffic". That'll inspect router-generated packets too.
In summary, CBAC inspects the traffic in the direction of the *source*
packet flows. This is normally outbound on the egress interface, but (as
Anthony noted) can be inbound on the ingress interface too.
Cheers,
Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: jscrivener@ipexpert.com
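Added example (not from the thread, and not Jared's or Gaurav's configuration): the setup Jared describes, put together in one place and extended with the protocols Gaurav actually tested (ICMP for ping, TCP with router-traffic for BGP). The inspect name CBAC, ACL 101, interface f0/0.52 and the addresses 192.10.1.5 (R5) and 192.10.1.254 (BB) are taken from the thread; the assumption that BB may also initiate the BGP session, and that the IOS release supports ICMP inspection and the router-traffic keyword, are mine.

```cisco
! Added example, not the original poster's config.
! Names/addresses from the thread: inspect name CBAC, ACL 101, f0/0.52,
! R5 = 192.10.1.5, BB = 192.10.1.254. Assumes an IOS release that supports
! "icmp" inspection and the "router-traffic" keyword.
!
! 1. Inspection rules. "router-traffic" makes CBAC track sessions the router
!    itself originates (R5's BGP to BB); without it only transit TCP is tracked
!    and the router's own BGP return packets hit the inbound ACL.
ip inspect name CBAC tcp router-traffic
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
! 2. Inbound ACL on the outside interface. Without an ACL CBAC has nothing to
!    open holes in, so everything is allowed back in regardless of inspection.
!    Permit only what BB is allowed to initiate toward R5 (assumption: BB may
!    be the active side of the BGP session), deny and log everything else.
access-list 101 permit tcp host 192.10.1.254 host 192.10.1.5 eq bgp
access-list 101 deny   ip any any log
!
! 3. Apply: inspect in the direction sessions are *initiated* (out toward BB),
!    filter the returning direction (in from BB).
interface FastEthernet0/0.52
 ip access-group 101 in
 ip inspect CBAC out
!
! Verification (exec mode). Open sessions appear while active: a ping or
! telnet from behind R5 to BB creates an entry. Matches on the deny line are
! packets that arrived without an inspected session having opened the hole.
! show ip inspect sessions
! show ip inspect interfaces
! show ip access-lists 101
```

A quick way to see the interplay Jared describes: apply the ACL first without the ip inspect line and every return packet increments the deny counter; add the inspect line and the same traffic passes while show ip inspect sessions lists the flow that opened it.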
_____
From: GAURAV MADAN [mailto:gauravmadan1177@gmail.com]
Sent: Thursday, 29 January 2009 11:33 AM
To: jscrivener@ipexpert.com
Cc: Cisco certification
Subject: Re: CBAC : never work for me :(
Hi Jared
More confusion..
If I say "ip inspect CBAC tcp",
what I mean to say by this statement is that any TCP traffic going out of my
network is allowed to return..
So if my inbound ACL denies TCP, this statement will allow TCP? i.e.
Rack1R5(config)#do sh ip access-li
Extended IP access list 101
10 deny tcp any any
and applying this inbound will help?
I am seeing this doesn't work.
Gaurav Madan
On Thu, Jan 29, 2009 at 9:51 PM, Jared Scrivener <jscrivener@ipexpert.com>
wrote:
Hey Gaurav,
For what you want to achieve I'd suggest the following:
ip inspect name CBAC udp
access-list 101 deny ip any any
int f0/0.52
ip inspect CBAC out
ip access-group 101 in
For CBAC to function it creates a list of traffic flows that are allowed to
bypass the access-list for return traffic. If there is no ACL then all
traffic gets back in.
Cheers,
Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: jscrivener@ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
GAURAV MADAN
Sent: Thursday, 29 January 2009 11:05 AM
To: Cisco certification
Subject: CBAC : never work for me :(
Hi Friends
CBAC is one gray area that I don't understand at all.. Please help me in
pointing out where I am wrong.
R5 192.10.1.5 f0/0.52============= 192.10.1.254BB
I want traffic from outside to come into my network if and only if it is
initiated from inside my network.
First I configured:
ip inspect name CBAC udp
int f0/0.52
ip inspect CBAC out
I expect that all my TCP sessions to BB (like BGP) will fail.. Also I
expect ping to BB will fail etc. etc. (because I have permitted only UDP)..
The rest of the policies I will apply later. But here only my understanding is
failing. I am able to ping BB, TCP sessions are UP.
Also please clarify the direction of this.
Thanks in advance
Gaurav Madan
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST