IOS FW - CBAC without interfering with l2l vpn

Unanswered Question
Nov 22nd, 2008

Hi all,

Anyone know where I can find a config guide / template for an IOS FW that allows all company data (RFC-1918) down a L2L VPN and has an internet traffic bypass secured by CBAC. I know there is lots of info on each but not together. I'm configuring this on a rtr already in place on the other side of the world that I need to secure but do not want to break what is there.

So far I have:

1. Remote ssh access from 2 IPs this side of the world for management

2. The L2L vpn set-up and established - all interesting traffic allowed

3. Internet by-pass of VPN with a NAT overload based on denies of the above interesting traffic and then a permit any any

1 & 2 are controlled on an inbound acl on the outside int: permit SSH from x & y, and permit udp-500 & udp-4500 from p.e.e.r

3 is the one I need help securing without nixing 1&2: At this unsecured moment the above acl then permits any any (logged) to allow the Internet return traffic. Luckily the site is not quite prod yet so the various dubious hits are not good but not bad.

So I need to set-up CBAC (in a best practice way) but I do not want to disable the incoming SSH or l2l vpn connection.

Any suggestions and gotchas welcome.

Many thanks,


BTW - it's a 2821 with 12.4(20); it may soon have CME but that is down the track

m.surtees Sun, 11/23/2008 - 22:44

Hi all

Here is some new info after giving CBAC a bit of a go:

Inbound on outside (internet facing) interface (This is statically NATed on the ISP-provided DSL router)

ip access-list extended PROTECT
 permit udp host p.e.e.r host eq isakmp log
 permit udp host p.e.e.r host eq non500-isakmp
 permit tcp host x.x.x.x host eq 22 log
 permit tcp host y.y.y.y host eq 22 log
 deny tcp any any log
 deny udp any any log
 deny icmp any any log

This does not block any vpn traffic - I thought it would after reading some Order of Operation docs! But that's good.

ip inspect name CBAC.1 echo
ip inspect name CBAC.1 http
ip inspect name CBAC.1 https
ip inspect name CBAC.1 icmp
ip inspect name CBAC.1 imap
ip inspect name CBAC.1 imap3
ip inspect name CBAC.1 imaps
ip inspect name CBAC.1 ssh
ip inspect name CBAC.1 tcp audit-trail on
ip inspect name CBAC.1 udp audit-trail on

interface fa0/0/0
 ip address
 ip access-group PROTECT in
 ip inspect CBAC.1 out

I tried CBAC.1 "in" at first but this prevented internet access. Auditing reported a lot of normal VPN bound traffic which was allowed but confusing as to why CBAC saw it but the PROTECT acl did not.

With CBAC.1 "out" the internet works and the VPN traffic flows ... all good from that point of view. But I'm still confused and not sure everything is tip-top:

1. When I do a "show access-list" I do not get the dynamic entries CBAC is supposed to have created. Something is up with my config and I'd like to understand what it is.

2. The VPN traffic is still being audited by the CBAC.1 inspect - I'd prefer it wasn't. I don't want unnecessary traffic down the VPN because performance is pretty poor to begin with. At this stage I just want to log Internet bound traffic that does not meet the predefined ports so that I can tweak what's necessary over the first few weeks of the office in full prod mode.

Any help much appreciated

- Mike
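As an added illustration (not part of the thread, and not a Cisco tool), the following models the posted PROTECT ACL with first-match semantics and the implicit deny at the end, then evaluates a few sample inbound flows against it. It shows why the static ACL alone lets the tunnel up: UDP/500 and UDP/4500 (non500-isakmp, i.e. NAT-T) from the peer are permitted, while native ESP (IP protocol 50) has no matching entry and would fall to the implicit deny. The addresses and the outside interface address are constructed placeholders standing in for p.e.e.r, x.x.x.x, y.y.y.y and the elided destination host; CBAC's dynamic openings are deliberately not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses (documentation ranges), not the poster's real ones.
PEER, MGMT_X, MGMT_Y, OUTSIDE = "203.0.113.10", "198.51.100.5", "198.51.100.6", "192.0.2.1"

@dataclass(frozen=True)
class Flow:
    proto: str                 # "tcp", "udp", "icmp" or "esp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports (icmp, esp)

@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str
    src: Optional[str]         # None means "any"
    dst: Optional[str]         # None means "any"
    dport: Optional[int]       # None means any destination port
    log: bool = False

# The posted ACL, in order; the elided "host" destination is the constructed OUTSIDE address.
PROTECT = [
    Ace("permit", "udp", PEER, OUTSIDE, 500, log=True),   # eq isakmp
    Ace("permit", "udp", PEER, OUTSIDE, 4500),            # eq non500-isakmp (NAT-T)
    Ace("permit", "tcp", MGMT_X, OUTSIDE, 22, log=True),
    Ace("permit", "tcp", MGMT_Y, OUTSIDE, 22, log=True),
    Ace("deny", "tcp", None, None, None, log=True),
    Ace("deny", "udp", None, None, None, log=True),
    Ace("deny", "icmp", None, None, None, log=True),
]

def matches(ace: Ace, flow: Flow) -> bool:
    return (ace.proto == flow.proto
            and ace.src in (None, flow.src)
            and ace.dst in (None, flow.dst)
            and ace.dport in (None, flow.dport))

def evaluate(acl, flow: Flow):
    """First matching ACE decides; index None means the implicit deny at the end."""
    for i, ace in enumerate(acl):
        if matches(ace, flow):
            return ace.action, i
    return "deny", None

def check_posted_acl() -> dict:
    return {
        "nat_t_from_peer": evaluate(PROTECT, Flow("udp", PEER, OUTSIDE, 4500))[0],
        "isakmp_from_peer": evaluate(PROTECT, Flow("udp", PEER, OUTSIDE, 500))[0],
        "esp_from_peer": evaluate(PROTECT, Flow("esp", PEER, OUTSIDE))[0],
        "ssh_from_mgmt": evaluate(PROTECT, Flow("tcp", MGMT_X, OUTSIDE, 22))[0],
        "ssh_from_elsewhere": evaluate(PROTECT, Flow("tcp", "198.51.100.99", OUTSIDE, 22))[0],
    }
```

The esp_from_peer result is the one to keep an eye on: the posted ACL only carries the tunnel because the peer traffic arrives NAT-T encapsulated in UDP/4500.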

