CBAC on 2921

Frank Hobrecht (Level 1)

Hello,

I've migrated a working IOS configuration from a 2811 (12.4) to a 2921 (15.2(2)T) and it seems that CBAC is behaving differently.

ip inspect log drop-pkt
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND pptp
ip inspect name OUTBOUND icmp

interface GigabitEthernet0/0
 description Internal Network
 ip address 10.20.0.1 255.255.255.0
 ip access-group ACLtoLAN out
 ip nat inside
 ip inspect OUTBOUND in
 ip virtual-reassembly in
end

ip access-list extended ACLtoLAN
 remark Outgoing Traffic to LAN
 permit ip 10.21.0.0 0.0.1.255 any
 deny   ip any any log-input

Traffic initiated from the inside LAN (GigabitEthernet0/0) should be inspected by the OUTBOUND rule, so returning packets should be allowed going out of g0/0 back to the LAN.

But this is not working anymore on the 2921 under IOS 15. The returning packets are now being blocked by the ACL ACLtoLAN.

Any ideas?

Thanks!



ajay chauhan (Level 7)

Frank,

I think the CBAC feature does allow return traffic on the inbound interface. You can check by removing this command:

ip access-group ACLtoLAN out

and putting a deny any any on the outside interface. Configuring in/out on the same interface is something like manually opening the ports bi-directionally.

Thanks

Ajay

Hi Ajay,

thanks for the info. I'm not sure if I got you. If I remove the ACLtoLAN, the returning packets are coming in of course, but this would allow any other incoming packets as well.

The router is doing IPSec to several private networks and NAT to the internet; besides that, it terminates an 802.1q trunk, where one subinterface acts as a gateway to a Wireless LAN.

I don't want to let incoming traffic in from these networks to GigabitEthernet0/0; just returning traffic originated from g0/0 should be allowed.

This has worked with IOS 12.4T on a 2811 platform using the configuration I've depicted here, but after migrating it to IOS 15.2T it seems that CBAC does not dynamically open the ports for returning traffic destined for g0/0.

Any other ideas how to get this working again?

Thanks

Frank

Ok, let me try to explain - it might help.

                                  --------->                        -------->
  ACL IN (permit any any)   Interface LAN ----------------- Interface ANY   ACL IN (deny any any)
                                  <---------                        <---------

Suppose things are allowed from the LAN to any interface, and there is a deny on the interface from which the return traffic is coming. Here inspection should work and ignore the deny any any, and the return traffic will not be blocked by the ACL.

Let me add one more statement - you need to identify two interfaces on the router, internal or external, to make it work.

With your current config, if you feel the CBAC feature is not working, these commands can help you verify. Use show ip inspect session.

Other Show Commands

show ip inspect config
show ip inspect interfaces
show ip inspect stat

Debug Commands

debug ip inspect detail
debug ip inspect tcp
debug ip inspect object-cre
debug ip inspect object-del
debug ip inspect event

Thanks

Ajay
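To make concrete what Ajay's diagram describes (return traffic of an inspected session passing the interface ACL while everything else hits the deny), here is an added Python model; it is not code from the thread or from IOS. It uses the ACLtoLAN entries and addresses from Frank's post, assumes the returning packets are in cleartext at the point the outbound check on g0/0 runs (as they are after decryption), and reduces CBAC state to a plain set of 5-tuples.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model (not IOS code): a packet leaving g0/0 towards the LAN is
# permitted if it is return traffic of an inspected session, else ACLtoLAN applies.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

# ip access-list extended ACLtoLAN as (action, proto, src, src_wc, dst, dst_wc); 'any' = 0.0.0.0 255.255.255.255
ACL_TO_LAN = [
    ("permit", "ip", "10.21.0.0", "0.0.1.255", "0.0.0.0", "255.255.255.255"),
    ("deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class Cbac:
    # protocols from 'ip inspect name OUTBOUND ...'; ftp/pptp need application-layer inspection not modelled here
    INSPECTED = {"tcp", "udp", "icmp"}

    def __init__(self) -> None:
        self.sessions: set = set()   # real CBAC also tracks TCP state and timeouts

    def inspect_in(self, flow: Flow) -> None:
        """'ip inspect OUTBOUND in' on g0/0: record a session entering from the LAN."""
        if flow.proto in self.INSPECTED:
            self.sessions.add(flow)

    def acl_out(self, flow: Flow) -> str:
        """'ip access-group ACLtoLAN out' on g0/0, with the inspection table consulted first."""
        if flow.reverse() in self.sessions:
            return "permit (inspection session)"
        for action, proto, src, swc, dst, dwc in ACL_TO_LAN:
            if proto in ("ip", flow.proto) and wildcard_match(flow.src, src, swc) \
                    and wildcard_match(flow.dst, dst, dwc):
                return action
        return "deny"   # implicit deny at the end of every IOS ACL
```

A return packet whose ports do not match the recorded session falls through to the ACL and is denied, which is the symptom Frank reports when no session is created.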

What you've described is how it currently works; there are already IN access lists with a deny any any on all the other interfaces of the router, for example:

interface Serial0/0/0.50 point-to-point
 description Internet
 ip address
 ip access-group int-acl_internet in
 ip nat outside
 ip virtual-reassembly
 frame-relay interface-dlci
 crypto map vpn

The problem here is that this incoming access list cannot examine the ESP payload; so when traffic from the VPN is coming in, the encrypted packets first traverse the IN access list (and are allowed there, because the destination is the router itself), before they are decrypted and forwarded to the other interfaces (in this case g0/0). In other words: it makes no sense to modify this IN ACL by CBAC, because the returning packets are all encrypted.

So I need to have a mechanism by which unwanted traffic initiated from outside (VPN) networks is prevented from being forwarded to the private segment behind g0/0, and this was the OUT access list in conjunction with CBAC, which worked perfectly under 12.4.

Thanks

Frank
