Re: CBAC - Inspect vs Old school reflexive acl

From: Pavel Bykov (slidersv@gmail.com)
Date: Fri Feb 06 2009 - 06:31:23 ARST


Where is your deny access list on the interface?
Without it, the firewall serves no purpose.

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1002224

On Thu, Feb 5, 2009 at 8:40 PM, Han Solo <emaillists@me.com> wrote:

> I have been playing with my home Comcast 6 Mbit/sec home net. I replaced
> the SOHO firewall with a Cisco 2851 to be able to play with NBAR matching more
> frequently to learn all that c / s header stuff. And boy, I got bit by that
> technology recently somewhere ;) ... My worst problem home user ( wifey )
> complains that with CBAC set up, so basically config as follows, it is very
> slow.. I have played with various timer settings etc., but it is indeed
> slowing down the internet browsing experience. So I have been playing with the
> old-fashioned reflexive ACLs and boy, that really fixes things: wife stops
> complaining and I get dinner again. Wonder if anyone else has seen this?
> Also here is a funny output from "show ip access-list internet" which is
> the reflected ACL when VPN'd out. Note the "non500-isakmp": funny it puts
> that in there vs the port it is using like the other entries ....
>
> permit udp host 171.70.100.8 eq non500-isakmp host 24.16.24.200 eq
> 64838 (6129 matches) (time left 292) ----> Reflexive acl automatically
> created when vpn'd from inside to outside with cisco vpn solution
>
>
> interface GigabitEthernet0/0
> description UNTRUSTED OUTSIDE INTERFACE TO COMCAST
> ip address dhcp
> ip inspect outbound
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat outside
> ip virtual-reassembly
> ip route-cache flow
> load-interval 30
> duplex auto
> speed auto
> no mop enabled
> end
>
>
> ip inspect log drop-pkt
> ip inspect audit-trail
> ip inspect max-incomplete low 2
> ip inspect max-incomplete high 7
> ip inspect one-minute low 2
> ip inspect one-minute high 5
> ip inspect udp idle-time 1
> ip inspect name internet tcp
> ip inspect name internet udp
>
>
> permit udp host 171.70.100.8 eq non500-isakmp host 24.16.24.200 eq
> 64838 (6129 matches) (time left 292)
>
> Han Solo
> May the force be with you
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Pavel Bykov
----------------
Don't forget to help stopping the braindumps, use of which reduces value of
your certifications. Sign the petition at http://www.stopbraindumps.com/

Blogs and organic groups at http://www.ccie.net
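As an added illustration of Pavel's point, not taken from either poster's config: CBAC inspection only opens temporary return-traffic entries in front of an ACL, so with no inbound access-group on the outside interface nothing is ever denied. The inspect name "internet" and GigabitEthernet0/0 come from the quoted config; the ACL name OUTSIDE-IN and the DHCP permit (the interface gets its address via `ip address dhcp`) are assumptions.

```cisco
! As posted: inspection outbound, but no inbound ACL, so every
! unsolicited packet from the Comcast side is still accepted.
interface GigabitEthernet0/0
 ip inspect internet out
!
! Corrected: the inbound ACL is what actually drops traffic;
! CBAC inserts its dynamic permits ahead of these entries for
! sessions it saw leaving through Gi0/0.
ip inspect name internet tcp
ip inspect name internet udp
!
ip access-list extended OUTSIDE-IN
 remark assumed: keep the DHCP lease for the outside address working
 permit udp any eq bootps any eq bootpc
 remark everything not opened by inspection is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 ip inspect internet out
 ip access-group OUTSIDE-IN in
!
! Checks after applying: "show ip inspect sessions" should list the
! browsing sessions, and "show ip access-lists OUTSIDE-IN" should show
! the deny line's hit count climbing for unsolicited inbound packets.
```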



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST