Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

CBAC on 2811 not working after Router reboot

We are running CBAC on a 2811 route with the following IOS c2800nm-adventerprisek9-mz.12-24.T2 This works fine and allows and blocks the traffic as designed. However if we reboot the router CBAC stops working, to get it working we remove a rule from the ACL and put it back in and CBAC starts allowing traffic. In the same ACL we have a rule to allow ssh, which we use to connect to the router for management, this works fine, as its not using CBAC and doesn't need to be passed out to the public side of the network. This shows that its not an issue with the ACL.

Any help would ba appreciated

Cheers

Chris  

3 REPLIES
Cisco Employee

Re: CBAC on 2811 not working after Router reboot

With the description I am assuming that you have the following:

1. CBAC applied IN on the inside interface.

2. ACL also applied IN on the inside interafce.

Is this correct?

Usually we see

1. CBAC applied OUT on the outside interface

2. ACL applied IN on the outside interface

You may want to copy and paste the output of "sh run int <>" as well as the acl that you are talking about is not working so we understand what is broken.

-KS

New Member

Re: CBAC on 2811 not working after Router reboot

Here is the config

Note that once this is working it is fine, only breaks after a reboot. Manual removal of the rule in the ACL and putting back in makes it work again.

Router#show run
Building configuration...


Current configuration : 1411 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
logging message-counter syslog
no aaa new-model
dot11 syslog
ip source-route
ip cef

ip inspect name CELTrust icmp
ip inspect name CELTrust bgp
no ipv6 cef
voice-card 0
object-group service BGP
tcp eq bgp
object-group service ICMP
icmp echo
icmp traceroute
icmp echo-reply

archive
log config
  hidekeys


interface FastEthernet0/0
description to CELAK1-S15 2/3/43
ip address 192.168.179.3 255.255.255.0
ip access-group 101 in
ip inspect CELTrust in
duplex auto
speed auto
!
interface FastEthernet0/1
description to One Office IDL
ip address 192.168.255.142 255.255.255.252
ip access-group 110 in
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.179.1 10
no ip http server
no ip http secure-server

access-list 101 permit object-group ICMP host 192.168.179.1 host 192.168.255.141
access-list 101 permit object-group BGP host 192.168.179.1 host 192.168.255.141
access-list 101 deny   ip any any
access-list 110 deny   ip any any

!line con 0
line aux 0
line vty 0 4
login
scheduler allocate 20000 1000
end

Thanks

Chris

Cisco Employee

Re: CBAC on 2811 not working after Router reboot

access-list 101 permit object-group BGP host 192.168.179.1 host 192.168.255.141

That line says only 192.168.179.1 can initiate BGP peering. 192.168.255.141 cannot initiate as the ACL applied on the other interface only had deny ip any any.

May be you should also have this line

access-list 101 permit object-group BGP host 192.168.255.141 host 192.168.179.1

Give that a shot and let us know.

-KS

675
Views
0
Helpful
3
Replies
CreatePlease to create content