From: NET HE (he_net@hotmail.com)
Date: Sun Feb 08 2009 - 01:17:32 ARST
Pavel,

CBAC works without a deny access-list if CBAC is only used to inspect traffic to
prevent DoS attacks. For example, if interface Fa0/0 is connected to untrusted
networks and you want to prevent TCP DoS attacks from untrusted networks, you
can put CBAC inspect under Fa0/0 for inbound traffic to inspect inbound TCP
sessions.

Best Regards,
Net (Xin) He

> Date: Fri, 6 Feb 2009 09:31:23 +0100
> Subject: Re: CBAC - Inspect vs Old school reflexive acl
> From: slidersv@gmail.com
> To: emaillists@me.com
> CC: ccielab@groupstudy.com
>
> Where is your deny access list on the interface?
> Without it, the firewall serves no purpose.
>
> http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1002224
>
> On Thu, Feb 5, 2009 at 8:40 PM, Han Solo <emaillists@me.com> wrote:
> >
> > I have been playing with my home comcast 6 Mbit/sec homenet. I replaced the
> > soho firewall with a Cisco 2851 to be able to play with nbar matching more
> > frequently to learn all that c / s header stuff. And boy, I got bit by that
> > technology recently somewhere ;) ... My worst problem: home user (wifey)
> > complains that with CBAC set up, so basically config as follows, it is very
> > slow. I have played with various timer settings etc., but it is indeed
> > slowing down the internet browsing experience. So I have been playing with the
> > old-fashioned reflexive ACLs and boy, that really fixes things: wife stops
> > complaining and I get dinner again. Wonder if anyone else has seen this?
> >
> > Also here is a funny output from "show ip access-list internet", which is
> > the reflected ACL when vpn'd out. Note the "non500-isakmp": funny it puts
> > that in there vs the port it is using like the other entries ....
> >
> > permit udp host 171.70.100.8 eq non500-isakmp host 24.16.24.200 eq 64838 (6129 matches) (time left 292)
> > ----> Reflexive ACL automatically created when vpn'd from inside to outside with the Cisco VPN solution
> >
> > interface GigabitEthernet0/0
> >  description UNTRUSTED OUTSIDE INTERFACE TO COMCAST
> >  ip address dhcp
> >  ! inspection rule set "internet" (defined below) applied to outbound traffic;
> >  ! the interface form of the command is "ip inspect <name> out"
> >  ip inspect internet out
> >  no ip redirects
> >  no ip unreachables
> >  no ip proxy-arp
> >  ip nat outside
> >  ip virtual-reassembly
> >  ip route-cache flow
> >  load-interval 30
> >  duplex auto
> >  speed auto
> >  no mop enabled
> > end
> >
> > ip inspect log drop-pkt
> > ip inspect audit-trail
> > ip inspect max-incomplete low 2
> > ip inspect max-incomplete high 7
> > ip inspect one-minute low 2
> > ip inspect one-minute high 5
> > ip inspect udp idle-time 1
> > ip inspect name internet tcp
> > ip inspect name internet udp
> >
> > permit udp host 171.70.100.8 eq non500-isakmp host 24.16.24.200 eq 64838 (6129 matches) (time left 292)
> >
> > Han Solo
> > May the force be with you
> >
> > Blogs and organic groups at http://www.ccie.net
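An added configuration example, not from the thread and not the original poster's running config. It shows the two approaches the thread compares, on the same outside interface: CBAC inspection applied outbound together with the inbound deny ACL Pavel asked about, and then the reflexive-ACL equivalent the original poster switched to. The ACL names OUTSIDE-IN, OUTBOUND and INBOUND are chosen here; the inspection and reflexive-list name "internet" is taken from the quoted config. The CBAC section lists the IOS default thresholds rather than the quoted ones: when the one-minute rate of new half-open sessions exceeds the high-water mark, CBAC starts deleting half-open sessions until the rate drops to the low-water mark, and a single web page load opens more TCP connections in a minute than the quoted high-water mark of 5, so normal browsing trips that protection. The quoted udp idle-time of 1 second likewise expires the state for any DNS query not answered within a second. Only one of the two interface blocks would be applied on a real router.

```cisco
! ===== Variant 1: CBAC inspection plus an inbound deny ACL (added example) =====
! Inspection is applied outbound on the untrusted interface so that return
! traffic for sessions initiated from inside is permitted dynamically; the
! inbound ACL denies everything that inspection did not open.
ip inspect name internet tcp
ip inspect name internet udp
!
! IOS default thresholds, written out so the contrast with the quoted
! 7/2 and 5/2 values is visible (they do not need to be configured).
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect udp idle-time 30
ip inspect tcp idle-time 3600
ip inspect audit-trail
ip inspect log drop-pkt
!
! Name OUTSIDE-IN is chosen here. The outside address comes from DHCP, and
! router-originated DHCP traffic is not inspected, so the server replies
! must be permitted statically.
ip access-list extended OUTSIDE-IN
 permit udp any eq bootps any eq bootpc
 deny   ip any any log
!
interface GigabitEthernet0/0
 description UNTRUSTED OUTSIDE INTERFACE TO COMCAST
 ip address dhcp
 ip access-group OUTSIDE-IN in
 ip inspect internet out
 ip nat outside
 ip virtual-reassembly
!
! ===== Variant 2: reflexive ACL equivalent (added example) =====
! Outbound TCP/UDP creates temporary "internet" entries (the kind of entry
! shown in the quoted "show ip access-list internet" output); the inbound
! ACL evaluates them and denies everything else. Names OUTBOUND and
! INBOUND are chosen here; timeouts are per-entry idle times in seconds.
ip access-list extended OUTBOUND
 permit tcp any any reflect internet timeout 300
 permit udp any any reflect internet timeout 60
!
ip access-list extended INBOUND
 permit udp any eq bootps any eq bootpc
 evaluate internet
 deny   ip any any log
!
interface GigabitEthernet0/0
 description UNTRUSTED OUTSIDE INTERFACE TO COMCAST
 ip address dhcp
 ip access-group OUTBOUND out
 ip access-group INBOUND in
 ip nat outside
 ip virtual-reassembly
```

With either variant, "show ip inspect sessions" (variant 1) or "show ip access-list internet" (variant 2) lists the dynamically opened return paths, and the "deny ip any any log" line is what makes the inbound interface a firewall at all; without it, as Pavel noted, inspection only adds state tracking on top of an interface that already admits everything.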
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST