Re: Query CBAC implementation

From: Ladee Geek <ladeegeek_at_gmail.com>
Date: Sat, 19 Jun 2010 21:46:04 -0400

This is just what I was looking for.

Where are the ACLs? I thought ("read" Cisco Router Firewall Security), rather,
that CBAC functions the same as RACL and that dynamic entries are added to
the extended ACLs.

R5 fa0/0 ------- fa0/0 R2 s0/0/0 ----- remainder of the network

Restrict R5 from initiating IP traffic into the rest of the network. Apply
the config on R2. IP traffic such as routing updates and ICMP is excluded
from this requirement.

In addition, block all Java applets except those originating from
172.16.105.0/24.

According to the AK, R2's config is:

access-list 101 permit icmp any any
access-list 101 permit eigrp any any

access-list 5 deny 172.16.105.0 0.0.0.255
access-list 5 permit any

ip inspect name cbac-java http java-list 5

int fa0/0
ip access-group 101 in
ip inspect cbac-java out

I can't understand how the http-java traffic is going to get out the
interface if it's never allowed in?

Shouldn't the solution be:

access-list 101 remark cbac-in
access-list 101 permit icmp any any
access-list 101 permit eigrp any any
access-list 101 permit tcp 172.16.105.0 0.0.0.255 any eq www

access-list 102 remark cbac-out
access-list 102 permit eigrp any any
access-list 102 deny ip any any

ip inspect name cbac-java http java-list 5
ip inspect name cbac-java icmp

int fa 0/0
ip access-group 101 in

int s 0/0/0
ip access-group 102 in
ip inspect cbac-java out

Now the dynamic entries are based off what is sent out s 0/0/0.

I'm really having a hard time comprehending an inbound acl coupled with an
inbound inspect and where the dynamic entries are going.

Many thanks!

LG

On Fri, Apr 30, 2010 at 10:37 AM, S Malik <ccie.09_at_gmail.com> wrote:

> Is this correct to do inspection on incoming and outside traffic especially
> in this case?
>
> I thought we can use "ip inspect <name> in" under fa0/0 or in "out"
> direction on serial interface only.
>
> On Thu, Apr 29, 2010 at 3:55 PM, Keith Barker <kbarker_at_ine.com> wrote:
>
> > Hello Vibs-
> >
> > Great question. As you stated, as long as the traffic is inspected before
> > it hits the wire on S0/0/0 it should work.
> >
> > So regarding the lab, if it was really ONLY those 2 interfaces, I would
> > consider how it may be graded.
> >
> > Do they run traffic through, and measure results?
> > Do they use a show ip inspect all, and look at the results?
> > Do they look for the inspection rule applied to an interface?
> >
> > In any case, make sure that the name of the inspection rule exactly matches
> > what was asked for, including case.
> >
> > My opinion, if it was me in the lab today, I would do this:
> >
> > R5(config)#int fa 0/0
> >
> > R5(config-if)# I put the inspection rule ingress here and egress on
> > S0/0/0-so you would be sure to see it :)
> >
> > R5(config-if)#ip inspect inspection-name1 in
> >
> > R5(config-if)#int ser 0/0/0
> >
> > R5(config-if)#ip inspect inspection-name1 out
> >
> > R5(config-if)# I put the inspection rule egress here and ingress on
> > Fa0/0 - so you would be sure to see it :)
> >
> >
> >
> > That way, if a human actually does look at it, you are demonstrating that
> > you were covering your bases, and not fishing.
> >
> >
> > Best wishes,
> >
> > Keith
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Vibeesh S
> > Sent: Thursday, April 29, 2010 6:39 AM
> > To: Cisco certification
> > Subject: Query CBAC implementation
> >
> > Hi,
> >
> > Assuming that I have a router with the following interfaces
> >
> >
> >
> > F0/0 ---- Router ---- S0/0/0
> >
> >
> > If I am configuring cbac for traffic going out of my lan to the internet
> >
> > Is this
> >
> > conf t
> > inte f0/0
> > ip inspect inspection-name1 in
> >
> >
> > the same desired implementation as
> >
> > conf t
> > inter s0/0/0
> > ip inspect inspection-name1 out
> >
> >
> > If so, is configuring either one of them acceptable in the lab?
> > Or are there any limitations/practices?
> >
> > Thanks,
> > Vibs
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >

-- 
r/
LG
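The configuration below is an added illustration of the pattern this thread argues about; it is not a message from any participant and it is not the answer key (AK) quoted above. It follows Cisco's documented CBAC behaviour: the inspection rule watches sessions in the inspected direction and temporarily opens the matching return traffic through the ACL applied in the opposite direction, so an inbound ACL and an outbound inspect on the same interface (or an inbound inspect on the other interface) work as a pair. The hostnames, interfaces and the two lab requirements come from LG's message; the rule name CBAC-JAVA, the generic tcp/udp inspection lines and the logging keyword are assumptions made for the example.

```ios
! Added example, not from any message in the thread.
! Topology from the thread: R5 fa0/0 ---- fa0/0 R2 s0/0/0 ---- rest of network
! Configuration is applied on R2.
!
! 1. Static filter, inbound on R2 fa0/0. This is what actually stops R5 from
!    initiating sessions; only the exempted traffic is permitted statically.
!    The final deny is logged so that blocked initiation attempts are visible.
access-list 101 permit eigrp any any
access-list 101 permit icmp any any
access-list 101 deny ip any any log
!
! 2. Friendly-site list for Java applet blocking. With the java-list option,
!    applets from sources PERMITTED by the standard ACL are allowed and all
!    others are blocked, so the exempt subnet is permitted and the implicit
!    deny at the end of the list blocks applets from everywhere else.
access-list 5 permit 172.16.105.0 0.0.0.255
!
! 3. Inspection rule (name CBAC-JAVA is an assumption). The tcp and udp
!    lines are an assumption that other sessions initiated from the rest of
!    the network toward R5 should also be allowed their return traffic.
ip inspect name CBAC-JAVA http java-list 5
ip inspect name CBAC-JAVA tcp
ip inspect name CBAC-JAVA udp
ip inspect audit-trail
!
! 4. Pairing: ACL 101 filters what enters from R5; inspecting traffic that
!    leaves toward R5 creates temporary openings in ACL 101 for the replies.
interface FastEthernet0/0
 ip access-group 101 in
 ip inspect CBAC-JAVA out
!
! Equivalent placement: "ip inspect CBAC-JAVA in" on Serial0/0/0 sees the
! same sessions before they reach fa0/0 and opens the same return holes in
! ACL 101. Use one or the other, not both.
!
! Verification:
!   show ip inspect sessions     - sessions CBAC is currently tracking
!   show ip inspect interfaces   - which rule and ACL are bound where
!   show ip access-lists 101     - static hit counters (and the temporary
!                                  entries, on releases that display them)
```

To check the design rather than the syntax, initiate a session from R5 toward the network and confirm that only the logged deny in ACL 101 increments, then initiate one from the network toward R5 and confirm that `show ip inspect sessions` lists it while the reply reaches the network.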
Received on Sat Jun 19 2010 - 21:46:04 ART