Problems getting traffic sourced from router through CBAC
I'm having some problems with my 1711 (12.4(15)T1) router.
I'm protecting my network with CBAC. Everything is working fine. But as soon as I send traffic that originates from the router instead of from the clients behind it, the traffic is getting blocked (like pings from the console, or Telnet / SSH sessions from the console to another router).
This is my config:
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name WAN_OUT_CBAC tcp
ip inspect name WAN_OUT_CBAC udp
ip inspect name WAN_OUT_CBAC icmp
ip access-list extended WAN_IN
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq bootpc
 permit tcp any any eq www
 deny ip any any
ip access-list extended WAN_OUT
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 169.254.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 126.96.36.199 188.8.131.52
 permit ip any any
As soon as I remove WAN_IN from the WAN interface everything works just fine. I can ping from the console to a public IP, DNS lookups are working and SSH is working again.
PS. The CBAC inspection rule is configured on the WAN interface pointing outwards.
PS2. Summary: All traffic that has the router as source doesn't seem to get inspected by CBAC. Why is that?
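Added example, not part of the original post: the same CBAC rule set rewritten so that sessions the router itself opens also get a state entry, which is what lets their replies through WAN_IN. It relies on the router-traffic keyword of ip inspect name (the "Inspection of Router-Generated Traffic" feature, introduced in 12.3(14)T; it is documented for TCP, UDP and H.323, not ICMP, so console pings still need an explicit echo-reply entry). The interface name and the echo-reply line are assumptions, not taken from the poster's config.

```cisco
! Added example (not from the original post). Assumes the
! router-traffic keyword is available in this IOS train.
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
!
! Locally generated TCP/UDP sessions (console Telnet/SSH, DNS lookups)
! are now tracked; plain "tcp"/"udp" only tracks transit traffic.
ip inspect name WAN_OUT_CBAC tcp router-traffic
ip inspect name WAN_OUT_CBAC udp router-traffic
! router-traffic is not supported for icmp; the rule stays as it was.
ip inspect name WAN_OUT_CBAC icmp
!
! Inbound ACL: unchanged except for one hypothetical entry so that
! echo-replies to pings issued from the console are accepted.
ip access-list extended WAN_IN
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq bootpc
 permit tcp any any eq www
 permit icmp any any echo-reply
 deny ip any any
!
! Outbound bogon filter, unchanged from the original post.
ip access-list extended WAN_OUT
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 169.254.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! Interface name is an assumption; apply the ACLs and the inspection
! rule exactly as described in the post (inspect outbound).
interface FastEthernet0
 ip access-group WAN_IN in
 ip access-group WAN_OUT out
 ip inspect WAN_OUT_CBAC out
```

To confirm the change took effect, open an SSH or Telnet session from the console to an outside host and run show ip inspect sessions; with router-traffic present the session should appear there, and show ip inspect config lists each protocol with the keyword. Without it the outbound packet leaves, but no dynamic entry is created, so the reply hits the deny ip any any at the bottom of WAN_IN, which matches exactly what the poster observes.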