Question about CBAC

Jul 23rd, 2007

Hello,

I have CBAC configured on an ISR and was wondering if temporary openings in ACLs will always show up when committing the "show ip access-list" command. My assumption is that CBAC is not really opening temporary ports on ACLs at all if it doesn't show.


-Shikamaru

sundar.palaniappan Mon, 07/23/2007 - 13:50

Shikamaru,


Your understanding is correct. You should see the temporary entries when you issue the 'show ip access-list' command. If you don't see the entry then the traffic isn't being permitted by CBAC.


HTH


Sundar

shikamarunara Mon, 07/23/2007 - 14:01

Sundar, help me understand. I always thought that, especially in the case of CBAC, traffic isn't being filtered by CBAC that it passes through the ACL via temporary opening anyway. The reason I mention this is because CBAC on the firewall feature set can't filter every kind of traffic. So, if something makes it through the interface and CBAC doesn't have a protocol entry for it in the "ip inspect X" list, isn't it allowed to go through?


-Shikamaru

sundar.palaniappan Mon, 07/23/2007 - 14:20

Yes, that's correct.


CBAC will only create temporary opening(s) for the return traffic that's configured to be inspected in the first place. Typically, traffic from the inside is inspected to create a temporary opening for return traffic on the outside interface.


HTH


Sundar
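
A configuration sketch of the setup this thread discusses, added here as an illustration and not posted by either participant. The inspection rule name FWOUT, ACL number 101 and the interface name are assumptions; the commands are standard IOS Firewall (CBAC) syntax.

```cisco
! Constructed example: names, numbers and interface are assumptions.
!
! Inspection rule: only TCP and UDP sessions are tracked by CBAC.
! ICMP is deliberately left out of the rule to show the difference.
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
!
! Static ACL applied inbound on the outside interface.
! Nothing from the outside is permitted unless CBAC opens it.
access-list 101 deny ip any any log
!
interface FastEthernet0/1
 description Outside
 ip access-group 101 in
 ! Inspect sessions as they leave through this interface, so that
 ! return traffic for those sessions is allowed back in past ACL 101.
 ip inspect FWOUT out
!
! Expected behaviour with this configuration:
!  - Inside host opens a TCP or UDP session outbound: CBAC tracks it
!    and the return packets are let through.
!  - Inside host pings an outside address: the echo leaves, but ICMP is
!    not in FWOUT, so no opening exists and the echo reply is dropped
!    by "deny ip any any" (and logged).
!
! Checks to run from exec mode while a test session is active:
!   show ip inspect sessions     (sessions CBAC is currently tracking)
!   show ip access-lists 101     (ACL 101 as the router holds it, with
!                                 match counters on the deny entry)
```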
