CBAC troubleshooting!

abdel_n
Level 1

With an inspect rule (tcp/udp) placed on the outside interface (direction out), an outbound ACL that enables any outbound traffic and an inbound ACL that denies any traffic:

- The CBAC router does not place dynamic entries in the inbound ACL (outside int), which still denies any traffic.

- CBAC inspects outbound telnet traffic and even has a record of the session.

IOS 12.2 --------------------------------------

01:03:43: CBAC sis 80F80C1C pak 80DA74FC TCP SYN SEQ 3591068383 LEN 0 (10.0.0.3:1053) => (100.0.0.2:23)
CBAC#
CBAC#sh ip inspect sessions
Half-open Sessions
Session 80F80C1C (10.0.0.3:1053)=>(100.0.0.2:23) tcp SIS_OPENING
CBAC#

Any idea about this issue?

Thank you in advance

3 Replies

robdowson
Level 1

Not completely sure what you are asking - but if you're asking why you don't see any entries added by CBAC into the inbound access-list (to allow the returning traffic), when you 'sh access-list' - then you might want to have a read of this:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d33da.html

As of 12.3T - CBAC bypasses the processing of the inbound access-list for traffic which is permitted by CBAC - to speed up the packet processing - so you won't see entries dynamically added to the access-lists - you have to look in 'sh ip inspect sessions' instead.

Hope that helps.

Rob...
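For reference, here is an IOS configuration that matches the setup the original post describes (inspect rule outbound on the outside interface, permit-any outbound ACL, deny-any inbound ACL), added here as an illustration rather than taken from the poster's router; the interface name, addresses and ACL numbers are assumed. The comments note what to check on a 12.2 box versus 12.3T and later.

```text
! Inspection rule: stateful inspection of generic TCP and UDP
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
! Log session creation/teardown so 'show logging' records each inspected flow
ip inspect audit-trail
!
! Outbound: allow everything from the inside (extended ACL, assumed number 101)
access-list 101 permit ip any any
!
! Inbound on the outside interface: deny everything; return traffic is expected
! to be admitted by CBAC. This must be an EXTENDED ACL (100-199 / 2000-2699);
! CBAC creates temporary openings only in extended ACLs, so a standard
! 'access-list 1 deny any' here would block the returning packets.
access-list 102 deny ip any any log
!
! Outside interface (name and address assumed)
interface Serial0/0
 description OUTSIDE
 ip address 100.0.0.1 255.255.255.0
 ip access-group 101 out
 ip access-group 102 in
 ip inspect FWRULE out
!
! Verification:
!   show ip inspect config      - confirm the rule and the interface binding
!   show ip inspect sessions    - session should leave SIS_OPENING and become
!                                 established once the SYN/ACK is admitted
!   show access-list 102        - on 12.2, dynamic permit entries appear here;
!                                 on 12.3T and later the inbound ACL is bypassed
!                                 for inspected traffic and nothing is added
!   debug ip inspect tcp        - per-packet trace like the one quoted above
```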

abdel_n
Level 1

Hi, the problem is that the firewall doesn't open an entry in the inbound ACL (on the external interface), which blocks the traffic back.

The router uses IOS 12.2, so it doesn't bypass the ACL BUT adds a dynamic entry.

Not sure then - why don't you paste your config into here - along with what session you're trying to create - source/dest ip's/ports etc, and I'll take a look.

Rob...