Problems getting traffic sourced from router through CBAC
I'm having some problems with my 1711 (12.4(15)T1) router.
I'm protecting my network with CBAC. Everything is working fine. But as soon as I send traffic that originates from the router instead of the clients behind it, the traffic is getting blocked (like pings from console, or telnets / SSH from console to another router).
This is my config:
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name WAN_OUT_CBAC tcp
ip inspect name WAN_OUT_CBAC udp
ip inspect name WAN_OUT_CBAC icmp
ip access-list extended WAN_IN
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq bootpc
 permit tcp any any eq www
 deny ip any any
ip access-list extended WAN_OUT
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 169.254.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 184.108.40.206 220.127.116.11
 permit ip any any
As soon as I remove WAN_IN from the WAN interface everything works just fine. I can ping from the console to a public IP, DNS lookups are working and SSH is working again.
PS. The CBAC inspection rule is configured on the WAN interface pointing outwards.
PS2. Summary: All traffic that has the router as source doesn't seem to get inspected by CBAC. Why is that?
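Added example, not part of the original post: by default CBAC inspects only transit traffic, so a session the router itself originates (console ping, DNS lookup, SSH) never creates a dynamic entry in WAN_IN and its replies fall through to the final "deny ip any any"; the router-traffic keyword on the inspection rule makes CBAC track router-generated sessions as well, which is the fix that keeps WAN_IN unchanged. The interface name FastEthernet0 is an assumption; the inspection and ACL names are the ones from the post.

```cisco
! Before (from the post): only traffic passing through the router is tracked
ip inspect name WAN_OUT_CBAC tcp
ip inspect name WAN_OUT_CBAC udp
ip inspect name WAN_OUT_CBAC icmp
!
! After: re-enter each protocol with router-traffic so that sessions generated
! by (or destined to) the router are inspected too. Nothing in WAN_IN needs
! to be opened; the dynamic entries CBAC creates handle the return traffic.
ip inspect name WAN_OUT_CBAC tcp router-traffic
ip inspect name WAN_OUT_CBAC udp router-traffic
ip inspect name WAN_OUT_CBAC icmp router-traffic
!
! Interface binding as described in the post (interface name assumed):
! ACLs in both directions, inspection rule applied outbound on the WAN side
interface FastEthernet0
 ip access-group WAN_IN in
 ip access-group WAN_OUT out
 ip inspect WAN_OUT_CBAC out
end
!
! Verify from exec mode while a console-originated ping or SSH is running:
! the session should now be listed, and the reply packets are admitted
! by the temporary entry instead of being dropped by WAN_IN.
show ip inspect sessions
show ip inspect config
```

If the session still does not appear, check that the inspection rule is bound to the interface the router-sourced traffic actually leaves through, since a session is only tracked on the interface where the inspection rule is applied.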