925 Views, 0 Helpful, 3 Replies

CBAC on 2811 not working after Router reboot

Chris McManaway
Level 1

We are running CBAC on a 2811 router with the following IOS: c2800nm-adventerprisek9-mz.12-24.T2. This works fine and allows and blocks the traffic as designed. However, if we reboot the router CBAC stops working; to get it working we remove a rule from the ACL and put it back in, and CBAC starts allowing traffic. In the same ACL we have a rule to allow SSH, which we use to connect to the router for management. This works fine, as it's not using CBAC and doesn't need to be passed out to the public side of the network. This shows that it's not an issue with the ACL.

Any help would be appreciated.

Cheers

Chris  

3 Replies

Kureli Sankar
Cisco Employee

With the description I am assuming that you have the following:

1. CBAC applied IN on the inside interface.

2. ACL also applied IN on the inside interface.

Is this correct?

Usually we see

1. CBAC applied OUT on the outside interface

2. ACL applied IN on the outside interface

You may want to copy and paste the output of "sh run int <>" as well as the ACL that you are talking about that is not working, so we understand what is broken.

-KS
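As an added example (not the poster's running config and not KS's own), here is the same CELTrust inspect rule and the same ACLs laid out in the placement KS describes as the usual one, with the poster's FastEthernet0/1 treated as the outside interface; interface names, addresses and ACL numbers are taken from the config posted later in this thread, and the object-group definitions are assumed unchanged.

```ios
! Added example: conventional CBAC placement mapped onto the poster's interfaces.
! Inspection is applied OUT on the outside interface, so replies to inspected
! sessions get dynamic entries in front of the inbound ACL on that interface.
ip inspect name CELTrust icmp
ip inspect name CELTrust bgp
!
interface FastEthernet0/0
 description inside - to CELAK1-S15 2/3/43
 ip address 192.168.179.3 255.255.255.0
 ! ACL 101 still restricts which inside host may initiate; no inspect here
 ip access-group 101 in
!
interface FastEthernet0/1
 description outside - to One Office IDL
 ip address 192.168.255.142 255.255.255.252
 ! inspect sessions leaving toward the outside and punch return holes in 110
 ip inspect CELTrust out
 ip access-group 110 in
!
access-list 101 permit object-group ICMP host 192.168.179.1 host 192.168.255.141
access-list 101 permit object-group BGP host 192.168.179.1 host 192.168.255.141
access-list 101 deny   ip any any
! 110 blocks everything the inspect engine has not dynamically permitted
access-list 110 deny   ip any any
```

After a reload, "show ip inspect interfaces" confirms the inspect rule is actually bound to the interface and "show ip inspect sessions" shows whether sessions are being created, which narrows down whether the post-reboot failure is in the binding or in the ACL.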

Here is the config

Note that once this is working it is fine, only breaks after a reboot. Manual removal of the rule in the ACL and putting back in makes it work again.

Router#show run
Building configuration...


Current configuration : 1411 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
logging message-counter syslog
no aaa new-model
dot11 syslog
ip source-route
ip cef

ip inspect name CELTrust icmp
ip inspect name CELTrust bgp
no ipv6 cef
voice-card 0
object-group service BGP
tcp eq bgp
object-group service ICMP
icmp echo
icmp traceroute
icmp echo-reply

archive
log config
  hidekeys


interface FastEthernet0/0
description to CELAK1-S15 2/3/43
ip address 192.168.179.3 255.255.255.0
ip access-group 101 in
ip inspect CELTrust in
duplex auto
speed auto
!
interface FastEthernet0/1
description to One Office IDL
ip address 192.168.255.142 255.255.255.252
ip access-group 110 in
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.179.1 10
no ip http server
no ip http secure-server

access-list 101 permit object-group ICMP host 192.168.179.1 host 192.168.255.141
access-list 101 permit object-group BGP host 192.168.179.1 host 192.168.255.141
access-list 101 deny   ip any any
access-list 110 deny   ip any any

!
line con 0
line aux 0
line vty 0 4
login
scheduler allocate 20000 1000
end

Thanks

Chris

access-list 101 permit object-group BGP host 192.168.179.1 host 192.168.255.141

That line says only 192.168.179.1 can initiate BGP peering. 192.168.255.141 cannot initiate as the ACL applied on the other interface only had deny ip any any.

Maybe you should also have this line:

access-list 101 permit object-group BGP host 192.168.255.141 host 192.168.179.1

Give that a shot and let us know.

-KS
