New Member

CBAC: creating temporary entries in another interface?

Hi,

I am trying to understand the example at http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac.html#wp1002224 in which the "ip inspect" command is applied to Ethernet 1/0 but the document says that the dynamic temporary entries will be created in the ACL 100 which is applied to another interface (Ethernet 1/1). Is this true? I am under the impression that "ip inspect ... in" will add entries to the outbound ACL for the same interface, while "ip inspect ... out" will add entries to the inbound ACL for the same interface.

Thanks in advance!

6 REPLIES

CBAC: creating temporary entries in another interface?

Hello,

Inside-----ROUTER------Outside

So lets say you have an ACL on the outside interface denying all the inbound traffic.

So if you add a CBAC inspection policy on the inside interface to inspect some traffic, that particular traffic being inspected will override the ACL (that is why Cisco said it will create temporary entries on the inbound ACL on the outside interface: because even though you are denying all the traffic, that traffic will be accepted because of the ip inspect).

Hope I could help,

Julio

Regards!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

CBAC: creating temporary entries in another interface?

Thanks for the reply! If the router has multiple interfaces, how can it determine which is the outside interface to add the temporary entries to?

Cisco Employee (Accepted Solution)

CBAC: creating temporary entries in another interface?

Ka,

It really depends on where you actually applied the inspection. Let's assume you have 3 interfaces, and you put the ip inspect in on the "inside interface". CBAC will assume that all of them are outside, and if they all have ACLs applied inbound, no matter if it has a deny ip any any on all of them, the traffic will be allowed to come in. But if the ip inspect is applied outbound on one interface, the traffic coming in is only going to be allowed on that specific interface, from wherever the traffic started.

I hope this makes sense.

Mike
New Member

CBAC: creating temporary entries in another interface?

I see. Thanks! Is there any documentation on this behavior? For the case where inspection is applied to an inside interface, the doc seems to say that we can have either an outbound ACL on that inside interface or an inbound ACL on the outside interface(s) for CBAC to add the temporary entries to. If both are present, I guess both will be added to?

CBAC: creating temporary entries in another interface?

Hello Ka,

You do not need it, as soon as you have the inspection the returning traffic that matches the connections being inspected by CBAC will be allowed and will overwrite any ACL denying that traffic.

I think it's a way to see things, because as an example:

Inside------Router----Outside

Let's say you have an ACL denying all traffic on the outside interface in the inbound direction, with CBAC configured on the inside for outbound TCP connections. All the TCP traffic returning for a connection that matches the traffic being inspected will be allowed (so yes, a temporary entry will be added to the inbound ACL on the outside interface).

That is the whole purpose of CBAC ( A stateful firewall)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Cisco Employee

CBAC: creating temporary entries in another interface?

Pretty much yes, the only thing you need to make sure is that there is an allow in order for the traffic to be inspected. The return traffic should not be blocked as the session is already up.

Here is a good doc:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Mike.
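The two-interface scenario Julio and Mike describe (inspection applied inbound on the inside interface, a deny-all ACL inbound on the outside interface, and an explicit permit so the outbound traffic can actually reach the inspection), written out as an IOS configuration. This is an added example, not a configuration from the thread or from the linked Cisco documents; the interface names, addresses and ACL numbers are assumptions.

```ios
! Added example (not from the thread or the linked Cisco docs).
! Interface names, addresses and ACL numbers are assumptions.
!
!   Inside (FastEthernet0/0) ----- Router ----- Outside (FastEthernet0/1)
!
! Inspection rule: which protocols CBAC tracks for sessions that
! start on the inside and leave through the outside interface.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound ACL on the INSIDE interface: this is the "allow" Mike
! mentions. Traffic has to be permitted here before CBAC ever
! sees it and creates a session.
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny   ip any any log
!
! Inbound ACL on the OUTSIDE interface: denies everything unsolicited.
! CBAC inserts its temporary entries ahead of this ACL for the return
! traffic of sessions it inspected, so the deny does not block replies.
access-list 100 deny ip any any log
!
interface FastEthernet0/0
 description Inside
 ip address 192.168.1.1 255.255.255.0
 ip access-group 110 in
 ip inspect FW in
!
interface FastEthernet0/1
 description Outside
 ip address 203.0.113.2 255.255.255.252
 ip access-group 100 in
!
! Verification (exec mode):
!   show ip inspect sessions      - sessions CBAC is currently tracking
!   show ip inspect config        - the inspection rule and where it is applied
```

With `ip inspect FW in` on the inside interface, CBAC treats every other interface as a possible exit, which is the multi-interface behaviour Mike describes: return traffic for an inspected session is admitted on whichever interface it arrives, ahead of that interface's inbound ACL. Applying the same rule as `ip inspect FW out` on FastEthernet0/1 instead confines the temporary openings to return traffic arriving on that one interface, which is the tighter choice when the router also has a third segment such as a DMZ that should not receive openings for inside-originated sessions.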