Actually, the state table is checked before an ACL:
ACL bypassing subjects the packet to one search, the inspection session
search, during its processing path through the router. When a packet is
subjected to a single inspection session search before the ACL checks, the
packet is matched against the list of session identifiers that already exist
on the interface. (Session identifiers keep track of the source and
destination IP addresses and ports of the packets and on which interface the
packet arrived.)
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_aclby.html#wp1046054
HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com

If you can't explain it simply, you don't understand it well enough - Albert Einstein

2010/1/19 ALL From_NJ <all.from.nj_at_gmail.com>

> Just to add a little here ...
>
> As I recall, an inbound ACL will be checked before the state table and thus
> no existing connection is required. This is why you would add an ACL when a
> FW is configured on the router.
>
> The order of operations is important for incoming packets ... ACLs can get
> you out of ... and into trouble.
>
> Andrew Lee Lissitz
>
>
> On Tue, Jan 19, 2010 at 8:24 AM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>
> > Hi,
> >
> > Old version of CBAC (prior 12.3(4)T) automatically added ACEs to the inbound
> > ACL to permit returning traffic. Now it was changed to only check CBAC state
> > table in order to allow that traffic back.
> >
> > If you have Web server in inside (trusted) network and you try to get there
> > from the outside (untrusted), you'll need an ACL on untrusted interface (in
> > inbound direction) as the traffic is originated from the outside. This is
> > normal behavior and has nothing to do with CBAC deployment.
> >
> > HTH,
> > --
> > Piotr Matusiak
> > CCIE #19860 (R&S, Security)
> > Technical Instructor
> > website: www.MicronicsTraining.com
> >
> > If you can't explain it simply, you don't understand it well enough -
> > Albert Einstein
> >
> >
> > 2010/1/19 Ajay mehra <ajaymehra01_at_gmail.com>
> >
> > > Hi Guys,
> > >
> > > I could not understand why we bypass the ACLs when CBAC is enabled. If we
> > > have a http server inside trusted network that has client on outside in
> > > that case we permit http connection explicitly in ACL on outside interface,
> > > inspection can be enabled inbound on trusted or outbound on untrusted
> > > interface. If firewall acl bypass feature is enabled (default) then these
> > > ACLs will not be checked. From the configs and testing point of view I know
> > > these ACLs are checked.
> > >
> > > Are these ACLs which are dynamically created when CBAC inspection is enabled
> > > and different from manually defined acls ?
> > >
> > > Thanks,
> > > Ajay
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com

Received on Tue Jan 19 2010 - 15:51:51 ART
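The scenario the thread argues about, written out as an added IOS configuration (an illustration, not posted by anyone in the thread): a web server on the trusted side, CBAC inspection inbound on the trusted interface, and an ACL inbound on the untrusted interface. Interface names, addresses and the ACL and inspection rule names are assumed.

```cisco
! Added example (not from the thread). Addresses and names are assumed.
!
! Inspection rule applied inbound on the TRUSTED interface: sessions that
! inside hosts open to the outside are recorded in the CBAC state table.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT icmp
!
! ACL applied inbound on the UNTRUSTED interface.
! Per the ACL-bypass behaviour quoted above, a packet arriving here is
! first matched against the inspection session table; only packets with
! no existing session reach this ACL. So:
!  - return traffic for inside-initiated sessions never hits the ACL
!    (no "permit ... established"-style entries are needed), but
!  - an outside client's first SYN to the web server has no session yet,
!    so it must be explicitly permitted here (Piotr's point).
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.1.1.10 eq www
 deny   ip any any log
!
interface FastEthernet0/0
 description Trusted (inside) - assumed name/address
 ip address 10.1.1.1 255.255.255.0
 ip inspect INSIDE-OUT in
!
interface FastEthernet0/1
 description Untrusted (outside) - assumed name/address
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! Verification from the CLI:
!   show ip inspect sessions      - current state-table entries
!   show ip access-lists OUTSIDE-IN - ACE hit counts; inside-initiated
!                                     return traffic should not increment them
```

Dropping the `deny ip any any log` line changes nothing functionally (an extended ACL ends in an implicit deny) but loses the log record of blocked outside-initiated attempts.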
This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART