Interesting ...
Now I have to check some links. ;-)

Piotr, not sure the state table is consulted first ... maybe this is newer behavior.

The way I remembered this was that if it was permitted via an inbound access list, it was not checked via CBAC ... it was simply allowed in since the inbound access list said so. This was needed for internal mail and web servers.

If it was denied via an inbound access list, it would then have a second check via CBAC to see if it was permitted via CBAC. In this way the access list came first.

Now you no longer need the access list, which is good. However ... I believe the order of operations is still the same.

Hmm ... not that it matters too much to me (as long as it works) ... but now I am more curious.

When searching for order of operations, there are many links that still show an inbound ACL comes before NAT and then of course before CBAC.

Any thoughts? Appreciate your teaching me!
Andrew
On Tue, Jan 19, 2010 at 9:56 AM, Divin Mathew John <divinjohn_at_gmail.com> wrote:
> ACL Bypass normally occurs in the direction opposite to the INSPECT!
>
>
> On Tue, Jan 19, 2010 at 8:21 PM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>
>> Actually, the state table is checked before an ACL:
>>
>> ACL bypassing subjects the packet to one search, the inspection session search, during its processing path through the router. When a packet is subjected to a single inspection session search before the ACL checks, the packet is matched against the list of session identifiers that already exist on the interface. (Session identifiers keep track of the source and destination IP addresses and ports of the packets and on which interface the packet arrived.)
>>
>> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_aclby.html#wp1046054
>>
>> HTH,
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, Security)
>> Technical Instructor
>> website: www.MicronicsTraining.com
>>
>> If you can't explain it simply, you don't understand it well enough -
>> Albert Einstein
>>
>>
>> 2010/1/19 ALL From_NJ <all.from.nj_at_gmail.com>
>>
>> > Just to add a little here ...
>> >
>> > As I recall, an inbound ACL will be checked before the state table and thus no existing connection is required. This is why you would add an ACL when a FW is configured on the router.
>> >
>> > The order of operations is important for incoming packets ... ACLs can get you out of ... and into trouble.
>> >
>> > Andrew Lee Lissitz
>> >
>> >
>> > On Tue, Jan 19, 2010 at 8:24 AM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>> >
>> > > Hi,
>> > >
>> > > Old versions of CBAC (prior to 12.3(4)T) automatically added ACEs to the inbound ACL to permit returning traffic. Now it has changed to only check the CBAC state table in order to allow that traffic back.
>> > >
>> > > If you have a Web server in the inside (trusted) network and you try to get there from the outside (untrusted), you'll need an ACL on the untrusted interface (in the inbound direction) as the traffic is originated from the outside. This is normal behavior and has nothing to do with CBAC deployment.
>> > >
>> > > HTH,
>> > > --
>> > > Piotr Matusiak
>> > > CCIE #19860 (R&S, Security)
>> > > Technical Instructor
>> > > website: www.MicronicsTraining.com
>> > >
>> > > If you can't explain it simply, you don't understand it well enough - Albert Einstein
>> > >
>> > >
>> > > 2010/1/19 Ajay mehra <ajaymehra01_at_gmail.com>
>> > >
>> > > > Hi Guys,
>> > > >
>> > > > I could not understand why we bypass the ACLs when CBAC is enabled. If we have an http server inside the trusted network that has a client on the outside, in that case we permit the http connection explicitly in the ACL on the outside interface; inspection can be enabled inbound on the trusted or outbound on the untrusted interface. If the firewall ACL bypass feature is enabled (default) then these ACLs will not be checked. From the configs and testing point of view I know these ACLs are checked.
>> > > >
>> > > > Are these ACLs which are dynamically created when CBAC inspection is enabled different from manually defined ACLs?
>> > > >
>> > > > Thanks,
>> > > > Ajay
>> > > >
>> > > > Thanks,
>> > > > Ajay
>> > > >
>> > > >
>> > > > Blogs and organic groups at http://www.ccie.net
>> > > >
>> > > > _______________________________________________________________________
>> > > > Subscription information may be found at:
>> > > > http://www.groupstudy.com/list/CCIELab.html
>> > >
>> >
>> >
>> > --
>> > Andrew Lee Lissitz
>> > all.from.nj_at_gmail.com
>> >
>>
>
>
> --
>
> Sent from Bangalore, KA, India
>
--
Andrew Lee Lissitz
all.from.nj_at_gmail.com

Received on Tue Jan 19 2010 - 10:22:21 ART
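The two cases the thread contrasts, as an added example (not configuration from any of the posters): outside-originated HTTP to an inside web server still needs an explicit ACE on the untrusted interface, while return traffic for inside-originated sessions is admitted by the CBAC state table and needs no ACE in that ACL. Addresses, interface names, and the ACL and inspect rule names are assumptions.

```cisco
! Added example, not from the thread. Addresses, interface names and
! the names FW / OUTSIDE_IN are assumed.
!
! Inside (trusted) web server: 10.1.1.10 behind FastEthernet0/1
! Outside (untrusted) interface: FastEthernet0/0
!
! Inspection rule: records TCP/UDP/HTTP sessions that originate on the
! inside so that their return traffic is admitted via the state table.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http
ip inspect audit-trail
!
! Inbound ACL on the untrusted interface. Only outside-originated web
! traffic to the server is permitted here. Return traffic of
! inside-originated sessions needs no ACE: on releases with ACL bypass
! (12.3(4)T and later) the session-table lookup happens before this ACL,
! and on older releases CBAC added the ACEs dynamically.
ip access-list extended OUTSIDE_IN
 permit tcp any host 10.1.1.10 eq www
 deny   ip any any log
!
interface FastEthernet0/0
 description Untrusted (outside)
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_IN in
!
interface FastEthernet0/1
 description Trusted (inside)
 ip address 10.1.1.1 255.255.255.0
 ip inspect FW in
!
! Verification from exec mode:
!   show ip inspect sessions         - inside-originated sessions in the state table
!   show ip access-lists OUTSIDE_IN  - hit counts on the static ACEs; with ACL
!                                      bypass no dynamic ACEs are added here
```

Removing the `permit tcp any host 10.1.1.10 eq www` line breaks only outside-initiated connections to the server; inside-initiated sessions keep working, which is the behavior both Piotr and Ajay describe.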