Problems getting traffic sourced from router through CBAC
I'm having some problems with my 1711 (12.4(15)T1) router.
I'm protecting my network with CBAC. Everything is working fine. But as soon as I send traffic that originates from the router instead of the clients behind it, the traffic is getting blocked (like pings from console, or telnets / SSH from console to another router).
This is my config:
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name WAN_OUT_CBAC tcp
ip inspect name WAN_OUT_CBAC udp
ip inspect name WAN_OUT_CBAC icmp
ip access-list extended WAN_IN
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit tcp any any eq www
deny ip any any
ip access-list extended WAN_OUT
deny ip any 10.0.0.0 0.255.255.255
deny ip any 169.254.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 188.8.131.52 184.108.40.206
permit ip any any
As soon as I remove WAN_IN from the WAN interface everything works just fine. I can ping from the console to a public IP, dns lookups are working and SSH is working again.
PS. The CBAC inspection rule in configured on the WAN interface pointing outwards.
PS2. Summary: All traffic that has the router as source doesnt seem to get inspected by CBAC. Why is that?
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :