Cisco Support Community
How many entries are dynamically created by CBAC in an access-list for an HTTP connection?

Inspecting http traffic:

!
ip inspect name fw ftp
ip inspect name fw http
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip access-group interior_in in
 ip access-group interior_out out
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.20.174 255.255.255.0
 ip access-group exterior_in in
 ip access-group exterior_out out
 ip nat outside
 ip inspect fw out
 duplex auto
 speed auto
!
ip nat inside source static 10.10.10.16 10.10.20.16
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.20.1
no ip http server
ip pim bidir-enable
!
!
ip access-list extended exterior_in
 permit ip any any
ip access-list extended exterior_out
 permit ip any any
ip access-list extended interior_in
 permit ip any any
ip access-list extended interior_out
 permit ip any any
logging trap notifications
logging 10.10.20.80
access-list 51 permit any
!
dial-peer cor custom
!
!

Several entries are introduced by CBAC, but it is only one connection (10.10.10.16 -> 10.10.20.7).

This would be a problem if I had lots of HTTP connections.

outer#sh access-l
Standard IP access list 51
    permit any
Extended IP access list exterior_in
    permit tcp host 10.10.20.7 eq www host 10.10.20.16 eq 1307 (6 matches)
    permit tcp host 10.10.20.7 eq www host 10.10.20.16 eq 1305 (13 matches)
    permit ip any any (10124 matches)
Extended IP access list exterior_out
    permit ip any any (5452 matches)
Extended IP access list interior_in
    permit ip any any (6834 matches)
Extended IP access list interior_out
    permit tcp host 10.10.20.7 eq www host 10.10.10.16 eq 1307 (10 matches)
    permit tcp host 10.10.20.7 eq www host 10.10.10.16 eq 1305 (23 matches)
    permit ip any any (1496 matches)

1 REPLY
Anonymous

Re: How many entries are dynamically created by CBAC in an access

What you see here is normal browser behavior. IE and Netscape will open multiple sessions to the same target site to retrieve parts of the page. For example, the main page HTML code will come through one session, another session may be opened to load each JPG file for the main page. You will find that these sessions are not long-lived except when using persistent HTTP.
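As an added illustration (not part of the original thread), a small parser over the `show access-list` output posted above. It picks out the host-to-host entries CBAC inserts for return traffic and collapses them into distinct sessions, showing that the four dynamic lines are two browser connections (client ports 1305 and 1307), each seen once on interior_out with the inside address 10.10.10.16 and once on exterior_in with its static NAT address 10.10.20.16. The sample text and function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the "show access-list" output quoted in the question above.
SHOW_ACCESS_LIST = """\
Standard IP access list 51
    permit any
Extended IP access list exterior_in
    permit tcp host 10.10.20.7 eq www host 10.10.20.16 eq 1307 (6 matches)
    permit tcp host 10.10.20.7 eq www host 10.10.20.16 eq 1305 (13 matches)
    permit ip any any (10124 matches)
Extended IP access list exterior_out
    permit ip any any (5452 matches)
Extended IP access list interior_in
    permit ip any any (6834 matches)
Extended IP access list interior_out
    permit tcp host 10.10.20.7 eq www host 10.10.10.16 eq 1307 (10 matches)
    permit tcp host 10.10.20.7 eq www host 10.10.10.16 eq 1305 (23 matches)
    permit ip any any (1496 matches)
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
# CBAC return-traffic entries are host-to-host with both ports fixed; static
# entries such as "permit ip any any" do not match this pattern.
DYNAMIC_ENTRY = re.compile(
    r"^\s*permit (tcp|udp) host (\S+) eq (\S+) host (\S+) eq (\d+)"
    r"(?: \((\d+) matches\))?"
)


def parse_dynamic_entries(text):
    """Map ACL name -> list of (proto, server, server_port, client, client_port, hits)."""
    entries = defaultdict(list)
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        m = DYNAMIC_ENTRY.match(line)
        if m and current:
            proto, server, sport, client, cport, hits = m.groups()
            entries[current].append((proto, server, sport, client, int(cport), int(hits or 0)))
    return dict(entries)


def distinct_sessions(entries):
    """Collapse entries across ACLs into distinct sessions keyed by
    (proto, server, server_port, client_port); the same session appears once
    per ACL it crosses (pre- and post-NAT here), so 4 entries can be 2 sessions."""
    return {(p, s, sp, cp) for rows in entries.values() for p, s, sp, _c, cp, _h in rows}
```

Running `len(distinct_sessions(parse_dynamic_entries(SHOW_ACCESS_LIST)))` on the sample gives 2, one per client source port, which is the per-connection figure to multiply when sizing for many concurrent browsers.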
