Cisco Support Community
Community Member

IOS CBAC ("ip inspect") interaction with access-lists question

I'm trying to debug an NTP problem and I'm wondering if an interface's access-list is processed BEFORE the IOS Firewall inspections or AFTER.

I have Cisco IOS CBAC applied on my WAN interface and set up to inspect NTP packets:

ip inspect name FW ntp

I also have an access-list applied on my WAN interface:

permit udp any eq ntp any log

But I'm not seeing any logged packets from my access-list... is that because my "ip inspect" firewall config is letting the packet through before the packet is checked against the access-list?

ACCEPTED SOLUTION
Gold

Re: IOS CBAC ("ip inspect") interaction with access-lists question

Assumptions:

1. Your inspection is applied to outbound traffic on your WAN interface.

2. Your access-list is applied inbound on your WAN interface.

Generally, traffic being inspected outbound is denied by your inbound ACLs. You can think of it, for your question, as if temporary ACL entries were added to the beginning of your inbound ACL, so your ACL entry will never match, because the inspection entry matched first.
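As an added illustration of the accepted answer (this is example configuration, not config posted in the original thread), here is a complete classic CBAC layout that matches the two assumptions above: inspection applied outbound on the WAN interface and a named extended ACL applied inbound. The interface name, ACL name and addresses are assumed for illustration; the inspection rule and the NTP ACE are the ones from the question.

```ios
! Added example, not from the original post. Interface name, ACL name
! and addresses are assumed; "ip inspect name FW ntp" and the NTP ACE
! are the lines from the question.
!
ip inspect name FW ntp
! Log session creation/teardown (%FW-6-SESS_AUDIT_TRAIL) so the dynamic
! openings CBAC creates are visible in syslog.
ip inspect audit-trail
!
ip access-list extended WAN-IN
 remark Return NTP traffic of an inspected session is matched by the
 remark temporary CBAC entry first and never reaches this ACE, so the
 remark "log" keyword here produces nothing for those packets.
 permit udp any eq ntp any log
 remark Anything that is not an inspected session is dropped here.
 deny ip any any log
!
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-IN in
 ip inspect FW out
!
```

To confirm which path a reply actually took, use "show ip inspect sessions detail" (lists the NTP sessions CBAC is tracking and the temporary openings it created for them) alongside "show ip access-lists WAN-IN" (per-ACE match counters: a packet that hit the static "permit udp any eq ntp any log" line increments its counter even if the syslog message was rate-limited away). One caveat worth checking in an NTP case specifically: classic CBAC does not inspect packets whose source or destination is the router itself, so if the router is the NTP client (configured with "ntp server ..."), its replies are not covered by the inspection session and must be permitted by a static ACE in the inbound ACL; in that situation the static "log" ACE is the one you would expect to fire.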

3 REPLIES

Re: IOS CBAC ("ip inspect") interaction with access-lists question

Packets entering the firewall are inspected by CBAC only if they first pass the inbound access list at the interface.

So it has nothing to do with CBAC.

Community Member

Re: IOS CBAC ("ip inspect") interaction with access-lists question

OK, so the "ip inspect" is done before the ACL.

That would explain why I'm not seeing any log hits on my ACL.

Excellent information! Thanks!
