I'm trying to debug an NTP problem and I'm wondering if an interface's access-list is processed BEFORE the IOS Firewall inspections or AFTER?
I have Cisco IOS CBAC applied on my WAN interface and set up to inspect NTP packets:
ip inspect name FW ntp
I also have an access-list applied on my WAN interface:
permit udp any eq ntp any log
but I'm not seeing any logged packets from my access-list... is that because my "ip inspect" firewall config is letting the packet through before the packet is checked against the access-list?
1. Your inspection is applied to outbound traffic on your WAN interface.
2. Your access-list is applied inbound on your WAN interface.
Generally, traffic being inspected outbound is denied by your inbound ACLs. You can think of it, for your question, as if temporary ACL entries were added to the beginning of your inbound ACL, so your ACL entry will never match, because the inspection entry matched first.
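To make the ordering in the answer above concrete, here is an added toy model (illustrative code written for this page, not Cisco's implementation and not code from either poster). It assumes a simplified view in which an outbound packet matching an `ip inspect` rule records the expected return flow, and inbound packets are checked against those recorded sessions before the static inbound ACL. The addresses, the `WanInterface`/`AclEntry` names and the log-line format are made up for the example; the one thing it shows that the prose does not is that the static `permit udp any eq ntp any log` entry still fires for an unsolicited NTP packet that belongs to no inspected session.

```python
"""Toy model of CBAC ordering: inspect-created session entries are evaluated
before the static inbound ACL. Illustrative only, not Cisco IOS behaviour in
detail (no timeouts, no stateful UDP idle handling, no NAT)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class AclEntry:
    """One line of a static ACL. None means 'any' for a port."""
    action: str                    # "permit" or "deny"
    proto: str                     # "udp", "tcp" or "ip"
    sport: Optional[int] = None
    dport: Optional[int] = None
    log: bool = False
    hits: int = 0
    logged: int = 0

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


@dataclass
class WanInterface:
    # 'ip inspect name FW <proto>' modelled as name -> (l4 proto, dest port)
    inspect_rules: Dict[str, Tuple[str, int]]
    inbound_acl: List[AclEntry]                   # 'ip access-group ... in'
    sessions: Set[Tuple] = field(default_factory=set)
    log_lines: List[str] = field(default_factory=list)

    def send_out(self, p: Packet) -> bool:
        """'ip inspect FW out': a matching outbound packet opens a session
        that will permit the reverse flow on the inbound side."""
        for proto, port in self.inspect_rules.values():
            if p.proto == proto and p.dport == port:
                self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))
                return True
        return False

    def receive_in(self, p: Packet) -> str:
        """Inbound path: temporary session entries first, static ACL second."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.sessions:
            return "permit (inspect session)"   # static ACL never consulted
        for e in self.inbound_acl:
            if e.matches(p):
                e.hits += 1
                if e.log:
                    e.logged += 1
                    self.log_lines.append(
                        f"%SEC-6-IPACCESSLOGP: list WAN_IN {e.action}d "
                        f"{p.proto} {p.src}({p.sport}) -> {p.dst}({p.dport})")
                return f"{e.action} (acl)"
        return "deny (implicit)"


def demo() -> dict:
    """Reproduce the poster's setup: inspect ntp out, 'permit udp any eq ntp
    any log' in. Addresses are constructed documentation-range examples."""
    log_entry = AclEntry("permit", "udp", sport=NTP_PORT, log=True)
    wan = WanInterface(inspect_rules={"ntp": ("udp", NTP_PORT)},
                       inbound_acl=[log_entry])
    router, upstream_ntp, stranger = "192.0.2.1", "198.51.100.10", "203.0.113.5"

    # 1. Router polls its configured NTP server: inspection opens a session.
    wan.send_out(Packet("udp", router, NTP_PORT, upstream_ntp, NTP_PORT))
    # 2. The reply is matched by the session entry, so the ACL 'log' never fires.
    reply = wan.receive_in(Packet("udp", upstream_ntp, NTP_PORT, router, NTP_PORT))
    # 3. An unsolicited NTP packet has no session and does reach the static ACL.
    unsolicited = wan.receive_in(Packet("udp", stranger, NTP_PORT, router, NTP_PORT))

    return {"reply": reply, "unsolicited": unsolicited,
            "acl_hits": log_entry.hits, "acl_logged": log_entry.logged,
            "log_lines": list(wan.log_lines)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

So if the only NTP traffic crossing the WAN interface is the router's own polls and their replies, an inbound `log` entry is expected to stay silent; it would only show packets that inspection did not already account for.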