RE: CBAC : never work for me :(

From: Jared Scrivener (jscrivener@ipexpert.com)
Date: Thu Jan 29 2009 - 14:53:04 ARST


Yep, you're getting the hang of it Gaurav.

 

If you use the "router-traffic" keyword you don't need to permit the router
traffic inbound on the ACL. If you don't use the "router-traffic" keyword
but you need router traffic to come back in then the inbound ACL needs to
permit it.

 

Generally, if your question requires router traffic to come back in I'd
recommend the first method: it is cleaner and easier. :-)

 

Just keep in mind that the ACL is processed AFTER the CBAC return traffic
(and independently of it). If something is permitted by CBAC then it will
bypass the ACL. If something is denied by CBAC then it will be compared
against the ACL. (Well that's true for TCP, UDP and ICMP anyway).

 

Cheers,

 

Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP

Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444

Fax: +1.810.454.0130

Mailto: jscrivener@ipexpert.com
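To make the evaluation order in the reply above concrete, here is a small Python model of it. This is an added illustration written for this archive page; it is not Cisco code and not part of the original thread. It only models what the thread states: CBAC inspects the initiating packet in the outbound direction and opens a return flow; an inbound packet that matches an open flow bypasses the inbound ACL; otherwise the inbound ACL decides; router-generated packets (such as R5's own BGP) are only inspected when the rule carries the "router-traffic" keyword; and with no access-group applied everything gets back in. The addresses 192.10.1.5 and 192.10.1.254 come from Gaurav's diagram; the inside host address, the source ports and the verdict strings are constructed for the example.

```python
from dataclasses import dataclass

ROUTER_IP = "192.10.1.5"    # R5 f0/0.52, from the thread's diagram
BB_IP = "192.10.1.254"      # backbone neighbour, from the diagram
BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0              # 0 for icmp
    dport: int = 0
    from_router: bool = False   # True if R5 itself generated it (e.g. BGP)


@dataclass(frozen=True)
class InspectRule:
    """One 'ip inspect name CBAC <proto> [router-traffic]' line."""
    proto: str
    router_traffic: bool = False


@dataclass(frozen=True)
class AclEntry:
    """One extended ACL line of the form '<permit|deny> <proto> any any'."""
    action: str
    proto: str                  # "ip" matches every protocol


class CbacInterface:
    """Models f0/0.52 with 'ip inspect CBAC out' and 'ip access-group <n> in'.
    acl=None means no access-group is applied on the interface at all."""

    def __init__(self, rules, acl):
        self.rules = {r.proto: r for r in rules}
        self.acl = acl
        self.sessions = set()   # return flows CBAC has opened (5-tuples)

    def send(self, pkt):
        """Outbound direction: CBAC inspects the *initiating* packet."""
        rule = self.rules.get(pkt.proto)
        if rule is None:
            return "not inspected: protocol not in inspect rule"
        if pkt.from_router and not rule.router_traffic:
            return "not inspected: router-generated, no router-traffic keyword"
        # Record the mirrored flow so the reply is recognised on the way back in.
        self.sessions.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))
        return "inspected: return flow opened"

    def receive(self, pkt):
        """Inbound direction: CBAC session table first, inbound ACL second."""
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.sessions:
            return "permit (CBAC session, ACL bypassed)"
        if self.acl is None:
            return "permit (no inbound ACL applied)"
        for entry in self.acl:          # first match wins, implicit deny at the end
            if entry.proto in ("ip", pkt.proto):
                return f"{entry.action} (ACL)"
        return "deny (ACL implicit deny)"


def bgp_return_verdict(rules, acl):
    """Does BB's SYN/ACK for R5's own BGP session get back in?"""
    intf = CbacInterface(rules, acl)
    syn = Packet("tcp", ROUTER_IP, BB_IP, 40000, BGP_PORT, from_router=True)
    intf.send(syn)
    syn_ack = Packet("tcp", BB_IP, ROUTER_IP, BGP_PORT, 40000)
    return intf.receive(syn_ack)


def host_tcp_return_verdict(rules, acl):
    """Same check for a TCP session started by an inside host, not the router."""
    intf = CbacInterface(rules, acl)
    inside_host = "192.10.1.10"     # constructed address for the example
    intf.send(Packet("tcp", inside_host, BB_IP, 50000, 80))
    return intf.receive(Packet("tcp", BB_IP, inside_host, 80, 50000))


if __name__ == "__main__":
    deny_tcp = [AclEntry("deny", "tcp")]
    deny_all = [AclEntry("deny", "ip")]
    udp_only = [InspectRule("udp")]
    udp_tcp = [InspectRule("udp"), InspectRule("tcp")]
    udp_tcp_rt = [InspectRule("udp"), InspectRule("tcp", router_traffic=True)]
    # Gaurav's first config: inspect udp only, no inbound ACL -> everything gets back in
    print(bgp_return_verdict(udp_only, None))
    # Jared's suggestion: inspect udp, 'deny ip any any' inbound -> BGP reply dropped
    print(bgp_return_verdict(udp_only, deny_all))
    # 'ip inspect name CBAC tcp' without router-traffic -> R5's own BGP still dropped
    print(bgp_return_verdict(udp_tcp, deny_tcp))
    # ... but a host-initiated TCP session does get its replies back
    print(host_tcp_return_verdict(udp_tcp, deny_tcp))
    # 'ip inspect name CBAC tcp router-traffic' -> BGP reply bypasses the deny
    print(bgp_return_verdict(udp_tcp_rt, deny_tcp))
```

Running the script walks through the configurations tried in the thread in order: the last two calls show why a plain "tcp" rule left the BGP session down while "tcp router-traffic" brought it up even with "deny tcp any any" applied inbound.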

  _____

From: GAURAV MADAN [mailto:gauravmadan1177@gmail.com]
Sent: Thursday, 29 January 2009 11:48 AM
To: jscrivener@ipexpert.com
Cc: Cisco certification
Subject: Re: CBAC : never work for me :(

 

Wow, things started to make a little sense.

 

I have :

 

ip inspect name CBAC udp
ip inspect name CBAC tcp router-traffic
ip inspect name CBAC icmp router-traffic

 

 

Extended IP access list 101
    10 deny tcp any any

 

 

Rack1R5(config)#do sh run int f0/0.52
Building configuration...

Current configuration : 142 bytes
!
interface FastEthernet0/0.52
 encapsulation dot1Q 52
 ip address 192.10.1.5 255.255.255.0
 ip access-group 101 in
 ip inspect CBAC out
end

 

[A] I am able to ping because :

I have ip inspect name CBAC icmp router-tr in place

AND

this is denied by inbound ACL

 

[B] My BGP session is up because

I have TCP as protocol

and I have denied TCP by inbound ACL

Last question

As I am noticing, we can either have the router-traffic option or not. Can't
have both.

So in the ACL we are expected to allow for the local router and deny for internal
routers?

This will solve the purpose, right?

On Thu, Jan 29, 2009 at 10:08 PM, Jared Scrivener <jscrivener@ipexpert.com>
wrote:

Yep, that's exactly right, Gaurav.

 

The ACL doesn't really have any effect on CBAC (it just allows certain
packets in after CBAC has allowed "its" packets in).

 

If you used "ip inspect CBAC tcp" and applied that outbound on the f0/0.52
interface then all TCP sessions that leave the f0/0.52 interface (except
packets generated by the router) will be allowed to return through that
interface.

 

You'll find that your BGP still won't work however (as the router generates
those packets). If you want the BGP session to work use "ip inspect CBAC tcp
router-traffic". That'll inspect router-generated packets too.

 

In summary, CBAC inspects the traffic in the direction of the *source*
packet flows. This is normally outbound on the egress interface, but (as
Anthony noted) can be inbound on the ingress interface too.

 

Cheers,

 

Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP

Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444

Fax: +1.810.454.0130

Mailto: jscrivener@ipexpert.com

  _____

From: GAURAV MADAN [mailto:gauravmadan1177@gmail.com]
Sent: Thursday, 29 January 2009 11:33 AM
To: jscrivener@ipexpert.com
Cc: Cisco certification
Subject: Re: CBAC : never work for me :(

 

Hi Jared

 

more confusion..

 

if I say "ip inspect CBAC tcp"

 

what I mean to say by this statement is that any TCP traffic going out of my
network is allowed to return.

so if my inbound ACL denies TCP, this statement will allow TCP? i.e.

 

Rack1R5(config)#do sh ip access-li
Extended IP access list 101
    10 deny tcp any any

 

and applying this to inbound will help ?

 

I am seeing this doesn't work

 

Gaurav madan

On Thu, Jan 29, 2009 at 9:51 PM, Jared Scrivener <jscrivener@ipexpert.com>
wrote:

Hey Gaurav,

For what you want to achieve I'd suggest the following:

ip inspect name CBAC udp

access-list 101 deny ip any any

int f0/0.52
 ip inspect CBAC out
 ip access-group 101 in

For CBAC to function it creates a list of traffic flows that are allowed to
bypass the access-list for return traffic. If there is no ACL then all
traffic gets back in.

Cheers,

Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: jscrivener@ipexpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
GAURAV MADAN
Sent: Thursday, 29 January 2009 11:05 AM
To: Cisco certification
Subject: CBAC : never work for me :(

Hi Friends

CBAC is one gray area that I don't understand at all. Please help me in
pointing out where I am wrong.

R5 192.10.1.5 f0/0.52============= 192.10.1.254BB

I want traffic from outside to come in my network if and only if initiated
from inside my network.

first i configured :

ip inspect name CBAC udp

int f0/0.52
ip inspect CBAC out

I expect that all my TCP sessions to BB (like BGP) will fail. Also I
expect ping to BB will fail etc. (because I have permitted only UDP).
The rest of the policies I will apply later. But here only my understanding is
failing. I am able to ping BB, TCP sessions are UP.

Also please clarify about the direction of this.

Thanks in advance
Gaurav Madan

Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST