IOS ACL interaction w/ CBAC inspect

Answered Question
Jun 20th, 2007

Sorry to bother you guys, but I'm banging my head against the wall with this one.


[ACLs vs CBAC's ip inspect]

Specifically, SDM created the following config:

ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
interface FastEthernet4
 ip address 100.100.100.1 255.255.255.0
 ip access-group 101 in
 ip inspect SDM_LOW out
!
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any host 100.100.100.1 echo-reply
access-list 101 permit icmp any host 100.100.100.1 time-exceeded
access-list 101 permit icmp any host 100.100.100.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log

So as you can see, the DENY ANY ANY of the ACL would block returning traffic, wouldn't it? I thought ACLs are applied FIRST? So I'm assuming, by looking at this config, that when CBAC examines OUTBOUND traffic on the external interface, it can -then- create holes in the ACL to allow returning traffic. Is this correct?


And if so, why not just rely on the implicit DENY ALL; does it require that deny ip any any be explicitly listed in the ACL?

I have read through the 12.4 Security Configuration Guide on Cisco's site and it's not answering this question.


Thanks in advance

:-(


Correct Answer by shomar, Wed, 06/20/2007 - 23:51

Your assumption is absolutely right, CBAC will open a hole in the ACL to permit returning traffic back.


As for the deny ip any any at the end of the access list, this is a best-practice line added to the access list. If you look at the line, you can notice that there is a log keyword at the end of it, so this is to log the denied traffic to a syslog server, for example, for you to review the traffic later and analyze it in case you get attacked or something like that.


You can safely remove that line if you feel it is unnecessary, but as I mentioned, this is a best practice when dealing with access lists.


Regards,

Shadi
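The following is an added example written for this page; it is not IOS code and not part of the thread. It models the evaluation order the question is about: on the outside interface, CBAC's temporary openings (created when 'ip inspect SDM_LOW out' sees a transit session leaving) are consulted ahead of the static entries of the inbound ACL, then ACL 101 is walked top to bottom, and finally the unlogged implicit deny applies. ACL 101 and the interface address are the ones posted above; the inside host 10.10.10.5, the outside server 203.0.113.80 and the port numbers are constructed. The model also encodes that CBAC inspects transit traffic and not packets the router itself originates, which is why the SDM-generated ACL carries explicit icmp permits for the router's own address. Simplifications: only tcp/udp 5-tuples and icmp echo/echo-reply are tracked, and there is no NAT and no session timeout.

```python
import ipaddress
from dataclasses import dataclass

OUTSIDE_IP = "100.100.100.1"         # FastEthernet4 address from the post
INSPECTED = {"tcp", "udp", "icmp"}   # SDM_LOW names generic tcp, udp and icmp

# ACL 101 exactly as posted in the question.
ACL_101 = """\
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any host 100.100.100.1 echo-reply
access-list 101 permit icmp any host 100.100.100.1 time-exceeded
access-list 101 permit icmp any host 100.100.100.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log"""
# Same ACL without the explicit logged catch-all, to compare with the implicit deny.
ACL_101_NO_EXPLICIT_DENY = "\n".join(ACL_101.splitlines()[:-1])

@dataclass(frozen=True)
class Packet:
    proto: str            # 'tcp' | 'udp' | 'icmp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # 'echo' | 'echo-reply' | 'unreachable' | ...

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: tuple            # (network, wildcard)
    dst: tuple
    qualifier: str        # icmp type name or 'eq <port>'; '' if none
    log: bool
    text: str

def _addr(t, i):
    """Consume one IOS address spec: any | host A | A WILDCARD."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_acl(text):
    aces = []
    for line in text.splitlines():
        t = line.split()                     # access-list <n> <action> <proto> ...
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        rest = [x for x in t[i:] if x != "log"]
        aces.append(Ace(t[2], t[3], src, dst, " ".join(rest), "log" in t[i:], line))
    return aces

def _wild_match(addr, spec):
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wild & 0xFFFFFFFF                # wildcard bit set = don't care
    return int(ipaddress.IPv4Address(addr)) & care == net & care

def _ace_matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto):
        return False
    if not (_wild_match(pkt.src, ace.src) and _wild_match(pkt.dst, ace.dst)):
        return False
    if not ace.qualifier:
        return True
    if pkt.proto == "icmp":
        return ace.qualifier == pkt.icmp_type
    op, port = ace.qualifier.split()         # only 'eq <port>' is modelled
    return op == "eq" and pkt.dport == int(port)

class Cbac:
    """Session table built by 'ip inspect SDM_LOW out' on the outside interface."""
    def __init__(self):
        self.sessions = set()

    def inspect_outbound(self, pkt):
        # Transit traffic only: the router's own packets are not inspected,
        # and only protocols named in the inspect rule create a session.
        if pkt.src == OUTSIDE_IP or pkt.proto not in INSPECTED:
            return False
        if pkt.proto == "icmp":
            if pkt.icmp_type != "echo":
                return False
            self.sessions.add(("icmp", pkt.src, pkt.dst))
        else:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def is_return_traffic(self, pkt):
        if pkt.proto == "icmp":
            return pkt.icmp_type == "echo-reply" and ("icmp", pkt.dst, pkt.src) in self.sessions
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def inbound_decision(pkt, acl, cbac):
    """(action, reason, logged) for a packet arriving on the outside interface:
    CBAC openings first, then the static ACL top to bottom, then implicit deny."""
    if cbac.is_return_traffic(pkt):
        return ("permit", "cbac-session", False)
    for ace in acl:
        if _ace_matches(ace, pkt):
            return (ace.action, ace.text, ace.log)
    return ("deny", "implicit-deny", False)

def run_scenarios(acl_text=ACL_101):
    acl, cbac, out = parse_acl(acl_text), Cbac(), {}
    inside, server = "10.10.10.5", "203.0.113.80"       # constructed hosts
    reply = Packet("tcp", server, inside, 80, 40000)
    out["reply_without_inspect"] = inbound_decision(reply, acl, cbac)
    cbac.inspect_outbound(Packet("tcp", inside, server, 40000, 80))
    out["reply_with_inspect"] = inbound_decision(reply, acl, cbac)
    out["unsolicited_syn"] = inbound_decision(Packet("tcp", server, inside, 12345, 22), acl, cbac)
    out["spoofed_rfc1918"] = inbound_decision(Packet("tcp", "192.168.1.1", inside, 1, 1), acl, cbac)
    # A router-originated ping is not inspected, so its reply relies on the static icmp permit.
    cbac.inspect_outbound(Packet("icmp", OUTSIDE_IP, server, icmp_type="echo"))
    out["router_ping_reply"] = inbound_decision(Packet("icmp", server, OUTSIDE_IP, icmp_type="echo-reply"), acl, cbac)
    cbac.inspect_outbound(Packet("icmp", inside, server, icmp_type="echo"))
    out["inside_ping_reply"] = inbound_decision(Packet("icmp", server, inside, icmp_type="echo-reply"), acl, cbac)
    return out

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24} {result}")
```

Running it shows the reply to an inspected connection dropped by "deny ip any any log" before the outbound packet is seen and permitted by the CBAC opening afterwards, an unsolicited inbound SYN still denied even while that session exists, and the router's own ping reply admitted only by the static echo-reply line. Running the scenarios against ACL_101_NO_EXPLICIT_DENY gives the same permit/deny results, but the drops land on the implicit deny and are not logged. On a real router the equivalent checks are "show ip inspect sessions" for the dynamic openings and "show ip access-lists 101" for per-line match counters; the implicit deny has no counter and no log keyword, which is the practical reason to keep the explicit line.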
