Re: CBAC : Firewall ACL bypass

From: ALL From_NJ <all.from.nj_at_gmail.com>
Date: Tue, 19 Jan 2010 09:42:44 -0500

Just to add a little here ...

As I recall, an inbound ACL will be checked before the state table and thus
no existing connection is required. This is why you would add an ACL when a
FW is configured on the router.

The order of operations is important for incoming packets ... ACLs can get
you out of ... and into trouble.

Andrew Lee Lissitz

On Tue, Jan 19, 2010 at 8:24 AM, Piotr Matusiak <piotr_at_ccie1.com> wrote:

> Hi,
>
> Old versions of CBAC (prior to 12.3(4)T) automatically added ACEs to the
> inbound ACL to permit returning traffic. Now it has been changed to only
> check the CBAC state table in order to allow that traffic back.
>
> If you have a Web server in the inside (trusted) network and you try to get
> there from the outside (untrusted), you'll need an ACL on the untrusted
> interface (in the inbound direction) as the traffic is originated from the
> outside. This is normal behavior and has nothing to do with CBAC deployment.
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
> Technical Instructor
> website: www.MicronicsTraining.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2010/1/19 Ajay mehra <ajaymehra01_at_gmail.com>
>
> > Hi Guys,
> >
> > I could not understand why we bypass the ACLs when CBAC is enabled. If we
> > have an HTTP server inside the trusted network that has a client on the
> > outside, in that case we permit the HTTP connection explicitly in the ACL
> > on the outside interface; inspection can be enabled inbound on the trusted
> > or outbound on the untrusted interface. If the firewall ACL bypass feature
> > is enabled (default), then these ACLs will not be checked. From the
> > configs and testing point of view I know these ACLs are checked.
> >
> > Are these ACLs, which are dynamically created when CBAC inspection is
> > enabled, different from manually defined ACLs?
> >
> > Thanks,
> > Ajay
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

-- 
Andrew Lee Lissitz
all.from.nj_at_gmail.com
Received on Tue Jan 19 2010 - 09:42:44 ART
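To make the order-of-operations point in this thread concrete, here is an added toy model (my own illustration, not IOS code and not from any poster) of a two-interface router with an ACL applied inbound on the outside interface and ip inspect applied inbound on the inside interface. It models both behaviours described above: with acl_bypass=True (12.3(4)T and later) a packet that matches an existing inspection session is permitted from the state table before the ACL is ever consulted, while with acl_bypass=False (the older behaviour) inspection punches a dynamic ACE into the outside-in ACL instead. Everything else about the ACL is unchanged in both modes, which is why an outside client reaching the inside web server, or any unsolicited packet, is still decided by the explicit ACEs. Addresses, ports, interface names and the simplified "SYN starts a session" rule are all constructed assumptions.

```python
"""Toy model of CBAC order of operations: constructed illustration only.
It is not IOS code and has no TCP state machine or timeouts."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    iface: str          # interface the packet ARRIVES on: "outside" or "inside"
    syn: bool = False   # simplification: True only on a connection's first packet


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. 'permit tcp any host 10.1.1.10 eq 80'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    src: str                     # "any" or a host address
    dst: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


class CbacRouter:
    """ACL applied inbound on 'outside'; 'ip inspect' inbound on 'inside'."""

    def __init__(self, outside_in_acl, inspect_protocols, acl_bypass=True):
        self.static_aces = list(outside_in_acl)
        self.inspect_protocols = set(inspect_protocols)
        self.acl_bypass = acl_bypass   # False models the pre-12.3(4)T behaviour
        self.sessions = set()          # the CBAC state table
        self.dynamic_aces = []         # only populated when acl_bypass is False
        self.acl_evaluations = 0       # how often the outside-in ACL was consulted

    @staticmethod
    def _key(p: Packet):
        # Canonical tuple: (proto, inside host, inside port, outside host, outside port)
        if p.iface == "inside":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _acl_lookup(self, p: Packet) -> str:
        self.acl_evaluations += 1
        for ace in self.dynamic_aces + self.static_aces:  # dynamic ACEs sit on top
            if ace.matches(p):
                return ace.action
        return "deny"  # implicit deny at the end of every ACL

    def forward(self, p: Packet) -> str:
        if p.iface == "outside":
            # With ACL bypass the state table is checked first; a packet of an
            # inspected session never touches the ACL.
            if self.acl_bypass and self._key(p) in self.sessions:
                return "permit:session"
            return "permit:acl" if self._acl_lookup(p) == "permit" else "deny:acl"
        # Trusted side: no ACL here, but inspection records sessions that start here.
        if p.proto in self.inspect_protocols and (p.syn or p.proto == "udp"):
            self.sessions.add(self._key(p))
            if not self.acl_bypass:
                # Old behaviour: add an ACE for the return traffic to the outside ACL.
                self.dynamic_aces.append(Ace("permit", p.proto, p.dst, p.src, p.sport))
            return "permit:inspected"
        return "permit:uninspected"


def demo(acl_bypass: bool = True) -> dict:
    """Walk the scenarios from the thread through the model; all values constructed."""
    web_server = "10.1.1.10"
    router = CbacRouter(
        outside_in_acl=[Ace("permit", "tcp", "any", web_server, 80),
                        Ace("deny", "ip", "any", "any")],
        inspect_protocols={"tcp"}, acl_bypass=acl_bypass)
    r = {}
    # Outside client opens HTTP to the inside server: a new inbound connection,
    # so only the explicit ACE can permit it, regardless of CBAC.
    r["http_to_server"] = router.forward(Packet("198.51.100.5", web_server, "tcp", 40001, 80, "outside", syn=True))
    # Same client tries SSH: no ACE, implicit deny.
    r["ssh_to_server"] = router.forward(Packet("198.51.100.5", web_server, "tcp", 40002, 22, "outside", syn=True))
    # Inside host starts HTTPS to the Internet; inspection creates state.
    r["inside_https_out"] = router.forward(Packet("10.1.1.20", "203.0.113.7", "tcp", 50001, 443, "inside", syn=True))
    # The reply arrives on the outside interface; note whether the ACL was consulted.
    before = router.acl_evaluations
    r["https_reply"] = router.forward(Packet("203.0.113.7", "10.1.1.20", "tcp", 443, 50001, "outside"))
    r["acl_checked_for_reply"] = router.acl_evaluations > before
    # An unsolicited packet that looks like a reply but matches no session.
    r["unsolicited_reply"] = router.forward(Packet("203.0.113.7", "10.1.1.20", "tcp", 443, 50002, "outside"))
    return r


if __name__ == "__main__":
    for mode in (True, False):
        print("acl_bypass =", mode, demo(mode))
```

Running it shows the same verdicts in both modes for everything except the reply packet: with ACL bypass it is permitted from the state table without touching the ACL, without bypass it is permitted by the dynamically added ACE (so the ACL is consulted). New inbound connections and unsolicited packets are decided by the manually written ACEs either way.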

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART