Hi,
Old versions of CBAC (prior to 12.3(4)T) automatically added ACEs to the inbound
ACL to permit returning traffic. This has now been changed to only check the CBAC
state table in order to allow that traffic back.
If you have a web server in the inside (trusted) network and you try to get there
from the outside (untrusted), you'll need an ACL on the untrusted interface (in the
inbound direction) as the traffic is originated from the outside. This is
normal behavior and has nothing to do with the CBAC deployment.
HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
If you can't explain it simply, you don't understand it well enough - Albert Einstein

2010/1/19 Ajay mehra <ajaymehra01_at_gmail.com>
> Hi Guys,
>
> I could not understand why we bypass the ACLs when CBAC is enabled. If we
> have an HTTP server inside the trusted network that has a client on the outside, in
> that case we permit the HTTP connection explicitly in the ACL on the outside interface;
> inspection can be enabled inbound on the trusted or outbound on the untrusted
> interface. If the firewall ACL bypass feature is enabled (default) then these
> ACLs will not be checked. From the configs and testing point of view I know
> these ACLs are checked.
>
> Are these ACLs which are dynamically created when CBAC inspection is enabled
> different from manually defined ACLs?
>
> Thanks,
> Ajay
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net

Received on Tue Jan 19 2010 - 14:24:57 ART
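The deployment Piotr describes, written out as an added IOS configuration example (this is not configuration from the thread or from either poster). The interface names, the RFC 5737 documentation addresses 192.0.2.10 (inside web server) and 198.51.100.1 (outside interface), and the names FW-INSPECT and OUTSIDE-IN are assumptions chosen for the example; the commands themselves are standard classic-CBAC syntax.

```cisco
! Added example, not from the original post. Assumed topology:
!   FastEthernet0/0 = inside (trusted), web server at 192.0.2.10
!   FastEthernet0/1 = outside (untrusted), router address 198.51.100.1
!
! Inspection rule for sessions that start on the inside. On 12.3(4)T and
! later the returning packets are matched against the CBAC state table;
! no ACE is written into OUTSIDE-IN for them.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp

! Inbound ACL on the untrusted interface. A client on the outside sends
! the first packet of the session, so nothing in the state table matches
! it and the ACL is evaluated. Only the explicitly permitted service
! reaches the server; everything else is dropped and logged.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq www
 deny   ip any any log

interface FastEthernet0/0
 description INSIDE (trusted)
 ip address 192.0.2.1 255.255.255.0
 ip inspect FW-INSPECT in

interface FastEthernet0/1
 description OUTSIDE (untrusted)
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in

! Verification (show commands, run from privileged EXEC):
!   show ip inspect sessions        - inside-initiated sessions tracked by CBAC
!   show ip access-lists OUTSIDE-IN - hit counters on the static entries;
!                                     on post-12.3(4)T code no dynamic
!                                     entries appear here for return traffic
```

The point of the split is that the two directions are handled by different mechanisms: inside-initiated sessions come back through the state table, while outside-initiated connections to the server must be permitted statically in OUTSIDE-IN. The server's replies leave through FastEthernet0/1 outbound, where no ACL is applied, so they need no state entry either. The logging deny at the end of OUTSIDE-IN gives a simple record of outside-initiated attempts to anything other than the published service.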
This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART