CBAC - which 'inspect' statement causes the dynamic ACL entry?

Oct 12th, 2008

Hi Security gurus,


I was trying CBAC on a 2691 router in Dynamips.

I created some telnet connections through the router configured with ACLs & 'inspect' statements, then looked at the output of the "show ip inspect session detail" command.

It tells me which ACL was dynamically altered by CBAC (to permit return traffic).

e.g.

In SID 4.1.4.1[7:7]=>4.1.3.1[24049:24049] on ACL from-dmz (2 matches)


but it doesn't tell me which 'inspect' statement was matched and therefore caused this dynamic ACL entry.


Is there some way to tell this?


Regards, MH


Farrukh Haroon Sun, 10/12/2008 - 04:56

I don't think you can get that information from a show command at least, maybe from debugs. But it is usually pretty simple to figure out because the inspect statements are just based on protocols, so all 'tcp' traffic would naturally match the tcp inspect statement, except special corner cases like smtp/advanced http etc.


As this topic has come up: there is also a hidden command, 'show ip inspect stat', but it does not show the required information either.


Regards


Farrukh

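The reasoning in the reply above (application-specific inspect keywords such as smtp and http take the session; everything else falls to the generic tcp or udp statement) can be turned into a small offline check. The following is an added example, not code from the thread or from Cisco: it parses the SID lines of "show ip inspect session detail" and the "ip inspect name" lines of the running config, then names the inspect keyword that most plausibly created each dynamic entry. The well-known-port table, the inspect set name DMZ-INSPECT, the SID lines other than the one quoted in the question, and the transport protocol (passed in as a parameter, since the SID line itself does not carry it) are all assumptions; on a real router the authoritative port-to-application binding is whatever "show ip port-map" reports.

```python
import re
from collections import namedtuple

# Well-known ports assumed for CBAC's application-specific inspection
# keywords. This table is an assumption made for the example; on a real
# router the effective port-to-application binding is what "show ip
# port-map" reports, so adjust it to match the device.
APP_PORTS = {
    "tcp": {"http": 80, "smtp": 25, "ftp": 21},
    "udp": {"tftp": 69},
}

# One "SID" line of "show ip inspect session detail", e.g.
#   In SID 4.1.4.1[7:7]=>4.1.3.1[24049:24049] on ACL from-dmz (2 matches)
SID_RE = re.compile(
    r"^(?:(?P<dir>In|Out)\s+)?SID\s+"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+):\d+\]=>"
    r"(?P<dst>[\d.]+)\[(?P<dport>\d+):\d+\]"
    r"\s+on ACL\s+(?P<acl>\S+)\s+\((?P<matches>\d+) match(?:es)?\)"
)

# One "ip inspect name <set> <protocol> ..." line of the running config.
INSPECT_RE = re.compile(r"^ip inspect name\s+(?P<set>\S+)\s+(?P<proto>\S+)")

Session = namedtuple("Session", "direction src sport dst dport acl matches")


def parse_sid_line(line):
    """Parse one SID line; return a Session, or None if the line is not one."""
    m = SID_RE.match(line.strip())
    if m is None:
        return None
    return Session(m["dir"], m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]), m["acl"], int(m["matches"]))


def parse_inspect_rules(config_text):
    """Return {inspect_set_name: [protocol keyword, ...]} from config text."""
    rules = {}
    for line in config_text.splitlines():
        m = INSPECT_RE.match(line.strip())
        if m is not None:
            rules.setdefault(m["set"], []).append(m["proto"])
    return rules


def attribute(session, rule_protos, transport="tcp"):
    """Name the inspect keyword that most plausibly created this SID entry.

    An application-specific keyword wins when the set contains it and
    either endpoint port is that application's well-known port (the SID
    line describes the dynamically permitted return path, so the service
    port may sit on either side). Otherwise the generic transport keyword
    ('tcp' or 'udp') is the match; None means no statement in the set
    could have produced the entry at all.
    """
    ports = {session.sport, session.dport}
    for app, port in APP_PORTS.get(transport, {}).items():
        if app in rule_protos and port in ports:
            return app
    return transport if transport in rule_protos else None


def report(sid_lines, config_text, set_name, transport="tcp"):
    """Return [(acl, src, dst, matched keyword), ...], one per SID line."""
    protos = parse_inspect_rules(config_text).get(set_name, [])
    out = []
    for line in sid_lines:
        s = parse_sid_line(line)
        if s is not None:
            out.append((s.acl, s.src, s.dst, attribute(s, protos, transport)))
    return out


# Constructed sample input. The inspect set name DMZ-INSPECT is assumed;
# only the first SID line and the ACL name from-dmz come from the thread.
SAMPLE_CONFIG = """\
ip inspect name DMZ-INSPECT smtp
ip inspect name DMZ-INSPECT http
ip inspect name DMZ-INSPECT tcp
ip inspect name DMZ-INSPECT udp
"""
SAMPLE_SID_LINES = [
    "In SID 4.1.4.1[7:7]=>4.1.3.1[24049:24049] on ACL from-dmz (2 matches)",
    "In SID 4.1.4.1[80:80]=>4.1.3.1[24050:24050] on ACL from-dmz (5 matches)",
    "In SID 4.1.4.1[25:25]=>4.1.3.1[24051:24051] on ACL from-dmz (1 match)",
]

if __name__ == "__main__":
    for acl, src, dst, proto in report(SAMPLE_SID_LINES, SAMPLE_CONFIG, "DMZ-INSPECT"):
        print(f"ACL {acl}: {src} -> {dst} attributed to "
              f"'ip inspect name DMZ-INSPECT {proto}'")
```

For the line quoted in the question (ports 7 and 24049, no matching application keyword) the script attributes the entry to the generic tcp statement; the constructed port-80 and port-25 lines land on http and smtp. A None result is worth noticing: it means the inspect set you named has no statement that could have created the entry, which usually means the wrong set name or interface was checked.

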
Istvan_Rabai Tue, 11/11/2008 - 21:01

Hi Mark,


Try the "debug ip inspect" command.

It has several options after it:

events

detail

object-creation

function-trace

..etc.


Those can tell you much more.


Cheers,

Istvan
