I have a problem with a 2811 box running CBAC on 12.4(1a) advanced security.
Without the ip inspect command on the inside interface, and with the access-list inbound on the outside interface, everything is working fine. As soon as I add the ip inspect to the inside interface inbound, web connections stop. Pings verify that the link is still available and very clean. Other traffic from the inside to the outside, for which I do not fully know the ports, is also affected by the addition of the CBAC.
I was of the impression that CBAC only added dynamic entries to the opposing list to permit return traffic, not that it would detrimentally affect the existing access list! It appears to me to be a bug.
Due to restrictions in the Cisco Secure PIX Firewall, the alias command and the nat 0 access-list command cannot be used simultaneously for the same traffic. Cisco Secure Policy Manager generates the nat 0 access-list command when you specify "disable NAT" for an IPSec tunnel group; this option creates a "no NAT tunnel" for the specified traffic. The Cisco Secure PIX Firewall uses a static command if the mapping is from a higher-security interface to a lower-security interface. However, if the mapping is from a lower-security interface to a higher-security interface, an alias command is used instead. In this case, Cisco Secure Policy Manager generates an alias command for the inside interface of the appropriate Cisco Secure PIX Firewall, and the no-NAT access-list command is not generated.