Question about CBAC

shikamarunara · ‎07-23-2007

Hello,

I have CBAC configured on an ISR and was wondering if temporary openings in ACLs will always show up when comitting the "show ip access-list" command. My assumption is that CBAC is not really opening temporary ports on acls at all if it doesn't show.

-Shikamaru

sundar.palaniappan · ‎07-23-2007

Shikamaru,

Your understanding is correct. You should see the temporary entries when you issue the 'show ip access-list' command. If you don't see the entry then the traffic isn't being permitted by CBAC.

HTH

Sundar

shikamarunara · ‎07-23-2007

Sundar,, help me understand. I always throught that, especially in the case of CBAC, traffic isn't being filtered by CBAC that it passes through the ACL via temporary opening anyway. The reason I mention this is because CBAC on the firewall feature set can't filter every kind of traffic. So, if something makes it through the interface and CBAC doesn't have a protocol entry for it in the "ip inspect X" list", isn't it allowed to go through?

-Shikamaru

sundar.palaniappan · ‎07-23-2007

Yes that's correct.

CBAC will only create temporary opening(s) for the return traffic that's configured to be inspected at first place. Typically traffic from the inside is inspected to create temporary opening for return traffic on outside interface.

HTH

Sundar