Cisco Support Community

New Member

IOS Firewall/CBAC - Router initiated return packets dropped?

I have configured an IOS router with CBAC/Firewall. I have configured an outbound inspect on the external interface, which adds the appropriate entries for return packets from the internet. And accordingly, I have an inbound ACL on the external interface that denies most traffic inbound.

This works just fine when traffic is initiated by the workstations on the inside network to the internet (through the external interface); the configuration is not much different from most of the examples I have found.

My problem is that connections initiated from the router itself (DNS, telnet, traceroute, etc) do not seem to be caught by the outbound inspect, causing dynamic ACL entries to not be created for inbound data, and the return packets get denied.

Is this normal behavior for CBAC, or am I missing something simple?

Thanks for any input.

VIP Purple

Re: IOS Firewall/CBAC - Router initiated return packets dropped?

This is normal behaviour, sorry.

New Member

Re: IOS Firewall/CBAC - Router initiated return packets dropped?

Packets with the firewall as the source or destination address are not inspected by CBAC or evaluated by access lists.
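To make the behaviour described in the question and answer concrete, here is an added configuration example; it is not from the thread or from Cisco documentation, and all addresses and names (OUTBOUND, EXTERNAL-IN, FastEthernet0/1, 203.0.113.2, 198.51.100.53) are constructed placeholders. CBAC inserts temporary entries ahead of the static lines of the inbound ACL for sessions it inspected (LAN-initiated traffic leaving the external interface). Sessions the router itself originates are not inspected, so their replies never get a dynamic entry and must be permitted by static lines instead:

```cisco
! Added example, not from the original thread. Placeholder addresses:
!   203.0.113.2   = the router's external interface address
!   198.51.100.53 = the DNS server the router is configured to use
!
! Outbound inspection: creates dynamic openings only for sessions that
! transit the router (workstation -> internet), not for router-originated ones.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
ip access-list extended EXTERNAL-IN
 remark CBAC places its dynamic entries ahead of these static lines.
 remark Router-originated sessions are not inspected, so their return
 remark traffic needs explicit permits addressed to the router itself.
 remark Keep each permit as narrow as the peer allows.
 permit udp host 198.51.100.53 eq domain host 203.0.113.2
 permit tcp any host 203.0.113.2 established
 permit icmp any host 203.0.113.2 echo-reply
 permit icmp any host 203.0.113.2 time-exceeded
 permit icmp any host 203.0.113.2 unreachable
 deny ip any any log
!
interface FastEthernet0/1
 description External
 ip address 203.0.113.2 255.255.255.252
 ip access-group EXTERNAL-IN in
 ip inspect OUTBOUND out
```

The `established` line covers replies to router-initiated TCP sessions such as telnet, but it matches only on ACK/RST flag bits rather than on session state, so restrict the source to the specific management hosts where that is possible. The `deny ip any any log` line lets you confirm, from the log entries, which router-sourced replies are still being dropped before adding a permit for them. Later IOS releases add a `router-traffic` keyword to `ip inspect name` that extends inspection to sessions originated by the router; whether it is available depends on the release in use, so check the command reference for that image before relying on it.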
