CBAC breaking existing access list

Hi gurus!

I have a problem with a 2811 box running CBAC on 12.4(1a) advanced security.

Without the ip inspect command on the inside interface, and with the access-list inbound on the outside interface, everything is working fine. As soon as I add the ip inspect to the inside interface inbound, web connections stop. Pings verify that the link is still available and very clean. Other traffic from the inside to the outside, which I do not fully know the ports for, is also affected by the addition of the CBAC.

I was of the impression that CBAC only added dynamic entries to the opposing list to permit return traffic, not affect detrimentally the existing access list! It appears to me to be a bug.

Here is the config. Any insights welcomed.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname firewall
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL isakmp
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip domain name yourdomain.com
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 61.x.x.x.255.255.240 secondary
 ip address 192.168.0.250 255.255.255.0 secondary
 ip address 192.168.0.74 255.255.255.0
 ip inspect FIREWALL in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 61.x.x.x.x.255.0
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
!
ip classless
ip route 0.0.0.0 0.0.0.0 61.88.128.217
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Serial0/0/0 overload
ip nat inside source static 192.168.0.251 61.88.107.19
ip nat inside source static 192.168.0.38 61.88.107.22
ip nat inside source static 192.168.0.245 61.88.107.23
ip nat inside source static 192.168.0.174 61.88.107.24
!
access-list 1 deny 192.168.0.38
access-list 1 deny 192.168.0.251
access-list 1 deny 192.168.0.245
access-list 1 deny 192.168.0.174
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any
access-list 101 permit ip host 12.158.238.131 any
access-list 101 permit ip host 209.96.13.201 any
access-list 101 permit ip host 139.130.75.4 any
access-list 101 permit tcp any host 61.88.107.23 eq 7291
access-list 101 permit tcp any host 61.88.107.22 eq smtp
access-list 101 permit tcp any host 61.88.107.22 eq pop3
access-list 101 permit udp host 211.29.132.139 eq ntp host 61.88.107.22
access-list 101 permit tcp any any eq 6160
access-list 101 permit tcp any eq 6160 any
access-list 101 permit tcp any host 61.88.107.24 eq www
access-list 101 permit tcp any host 61.88.107.24 eq 443
access-list 101 permit tcp any host 61.88.107.19 eq ftp
access-list 101 permit tcp any host 61.88.107.19 eq ftp-data
access-list 101 permit tcp host 192.65.90.202 eq domain host 61.88.107.22 eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any host 61.88.107.22 eq 3000
access-list 101 permit ip any host 61.88.107.26
access-list 101 permit ip any host 61.88.107.27
access-list 101 permit tcp any host 61.88.107.22 eq 143
access-list 101 permit tcp any any established

Thanks all!
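The post describes the expected CBAC behaviour (outbound sessions create temporary openings on the outside interface for return traffic, the static ACL otherwise stays in force). The model below is an added example, not code from the thread or from Cisco, and it does not diagnose the poster's outage. It parses access-list 101 exactly as posted and puts a CBAC-style session table in front of it, so you can see which return flows the static ACL already admits on its own (through `established` and `permit udp any eq domain any`) and which ones only the session table admits. The inside global address 192.0.2.1, the web server 198.51.100.10 and the remote host 203.0.113.9 are constructed; NAT is not modelled, so packets are written with post-translation addresses.

```python
"""Model of a CBAC session table in front of a static inbound ACL. Added
example, not from the thread: ACL 101 is copied from the posted config; the
flows and addresses 192.0.2.1, 198.51.100.10 and 203.0.113.9 are constructed;
NAT is skipped, so packets carry post-translation addresses."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PORT_NAMES = {"smtp": 25, "pop3": 110, "ntp": 123, "www": 80,
              "ftp": 21, "ftp-data": 20, "domain": 53}
# Inbound ACL on Serial0/0/0 as posted (the wrapped "domain" entry rejoined).
ACL_101 = """\
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any
access-list 101 permit ip host 12.158.238.131 any
access-list 101 permit ip host 209.96.13.201 any
access-list 101 permit ip host 139.130.75.4 any
access-list 101 permit tcp any host 61.88.107.23 eq 7291
access-list 101 permit tcp any host 61.88.107.22 eq smtp
access-list 101 permit tcp any host 61.88.107.22 eq pop3
access-list 101 permit udp host 211.29.132.139 eq ntp host 61.88.107.22
access-list 101 permit tcp any any eq 6160
access-list 101 permit tcp any eq 6160 any
access-list 101 permit tcp any host 61.88.107.24 eq www
access-list 101 permit tcp any host 61.88.107.24 eq 443
access-list 101 permit tcp any host 61.88.107.19 eq ftp
access-list 101 permit tcp any host 61.88.107.19 eq ftp-data
access-list 101 permit tcp host 192.65.90.202 eq domain host 61.88.107.22 eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any host 61.88.107.22 eq 3000
access-list 101 permit ip any host 61.88.107.26
access-list 101 permit ip any host 61.88.107.27
access-list 101 permit tcp any host 61.88.107.22 eq 143
access-list 101 permit tcp any any established
""".splitlines()

@dataclass(frozen=True)
class Packet:
    proto: str; src: str; sport: int; dst: str; dport: int
    ack: bool = False      # TCP ACK/RST set, which is all "established" tests
    icmp_type: str = ""    # "echo" for an ICMP echo request
@dataclass(frozen=True)
class Ace:
    action: str; proto: str; src: object; sport: object
    dst: object; dport: object; established: bool; icmp_type: str

def _take_addr(tok):
    t = tok.pop(0)
    if t in ("any", "host"):
        return ip_network("0.0.0.0/0" if t == "any" else tok.pop(0))
    mask = ".".join(str(255 - int(o)) for o in tok.pop(0).split("."))  # wildcard
    return ip_network(f"{t}/{mask}", strict=False)
def _take_port(tok):
    if tok[:1] == ["eq"]:
        name = tok[1]; del tok[:2]
        return PORT_NAMES.get(name) or int(name)
def parse_ace(line):
    tok = line.split()[2:]                            # drop "access-list 101"
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = _take_addr(tok), _take_port(tok)
    dst, dport = _take_addr(tok), _take_port(tok)
    icmp_type = tok[0] if proto == "icmp" and tok else ""
    return Ace(action, proto, src, sport, dst, dport, "established" in tok, icmp_type)

def matches(ace, pkt):
    """IOS ACE test; a port or ICMP type is checked only if the ACE names one."""
    return (ace.proto in ("ip", pkt.proto) and ip_address(pkt.src) in ace.src
            and ip_address(pkt.dst) in ace.dst and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport) and (pkt.ack or not ace.established)
            and ace.icmp_type in ("", pkt.icmp_type))
def acl_permits(acl, pkt):
    """First matching entry wins; implicit deny at the end."""
    hit = next((ace for ace in acl if matches(ace, pkt)), None)
    return hit is not None and hit.action == "permit"

class Cbac:
    """An outbound flow of an inspected protocol opens a temporary return path
    that is consulted before the static ACL on the outside interface."""
    def __init__(self, protocols):
        self.protocols, self.sessions = set(protocols), set()
    def outbound(self, pkt):
        if pkt.proto in self.protocols:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    def inbound_permitted(self, acl, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.sessions or acl_permits(acl, pkt)

def demo():
    acl = [parse_ace(line) for line in ACL_101]
    fw = Cbac(["tcp", "udp", "icmp"])            # ip inspect name FIREWALL ...
    inside, web, other = "192.0.2.1", "198.51.100.10", "203.0.113.9"
    fw.outbound(Packet("tcp", inside, 40000, web, 80))   # browser opens HTTP
    reply = Packet("tcp", web, 80, inside, 40000, ack=True)
    return {
        "reply_static_acl": acl_permits(acl, reply),          # "established" admits it
        "reply_no_established_static": acl_permits(acl[:-1], reply),
        "reply_no_established_cbac": fw.inbound_permitted(acl[:-1], reply),
        "udp_sport53_no_session": acl_permits(acl, Packet("udp", other, 53, inside, 161)),
        "public_web_syn": acl_permits(acl, Packet("tcp", other, 5555, "61.88.107.24", 80)),
        "inside_ssh_syn": acl_permits(acl, Packet("tcp", other, 5555, inside, 22)),
        "echo_request": acl_permits(acl, Packet("icmp", other, 0, inside, 0, icmp_type="echo")),
        "other_icmp": acl_permits(acl, Packet("icmp", other, 0, inside, 0)),
    }
```

Two results are worth a second look from a defender's seat. With the final `permit tcp any any established` entry in place, the HTTP reply is admitted by the static ACL whether or not a session exists, so the CBAC entry adds nothing for that flow; drop that entry (the `acl[:-1]` cases) and only the session table lets the reply through, which is the state-tracking CBAC is meant to supply. Likewise any UDP datagram with source port 53 is admitted statically regardless of whether an inside host ever sent a query. Inbound echo requests are dropped by the first entry while other ICMP is admitted, and an unsolicited SYN to a non-published port falls to the implicit deny.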

1 REPLY

Re: CBAC breaking existing access list

Due to restrictions with the Cisco Secure PIX Firewall, the alias command and nat 0 access-list command cannot be used simultaneously for the same traffic. Cisco Secure Policy Manager generates the nat 0 access-list when you specify disable NAT for an IPSec tunnel group. This option creates a "no nat tunnel" for the specified traffic. The Cisco Secure PIX Firewall generates a static command if the mapping is from a higher security interface to a lower security interface. However, if the mapping is from a lower security interface to a higher security interface, an alias command is used. In this case, Cisco Secure Policy Manager will generate an alias command for the inside interface of the appropriate Cisco Secure PIX Firewall. The no NAT access-list command is not generated.
