Problems getting traffic sourced from router through CBAC

Unanswered Question
Jan 26th, 2008

Hi,

I'm having some problems with my 1711 (12.4(15)T1) router.

I'm protecting my network with CBAC. Everything is working fine. But as soon as I send traffic that originates from the router instead of the clients behind it, the traffic is getting blocked (like pings from console, or telnets / SSH from console to another router).

This is my config:

ip inspect udp idle-time 15

ip inspect tcp idle-time 1800

ip inspect tcp finwait-time 1

ip inspect tcp synwait-time 15

ip inspect name WAN_OUT_CBAC tcp

ip inspect name WAN_OUT_CBAC udp

ip inspect name WAN_OUT_CBAC icmp

ip access-list extended WAN_IN

permit udp any any eq isakmp

permit esp any any

permit udp any any eq bootpc

permit tcp any any eq www

deny ip any any

ip access-list extended WAN_OUT

deny ip any 10.0.0.0 0.255.255.255

deny ip any 169.254.0.0 0.0.255.255

deny ip any 172.16.0.0 0.15.255.255

deny ip any 192.168.0.0 0.0.255.255

deny ip any 224.0.0.0 31.255.255.255

permit ip any any

As soon as I remove WAN_IN from the WAN interface everything works just fine. I can ping from the console to a public IP, dns lookups are working and SSH is working again.

Any idea's?

PS. The CBAC inspection rule in configured on the WAN interface pointing outwards.

PS2. Summary: All traffic that has the router as source doesnt seem to get inspected by CBAC. Why is that?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
2044418Puts Sat, 01/26/2008 - 03:02

I just found out that I need to add "router-traffic" to the inspection rules..

ip inspect name WAN_OUT_CBAC tcp router-traffic

ip inspect name WAN_OUT_CBAC udp router-traffic

ip inspect name WAN_OUT_CBAC icmp router-traffic

Can I give myself 5 points for this? ;)

Actions

This Discussion