361 Views, 0 Helpful, 4 Replies

problem with CBAC !

abdel_n (Level 1)

Hi all,

I'm testing the IOS FW, so in a lab environment I connected 2 hosts through a router (IOS FW) in this way:

(internalhost)----------[e0/0](IOSfw)[s1/0]-----------(external host)

It seems that "ip inspect" has no effect and ACL 101 is still blocking traffic from the external zone.

Here are the ACL logs:

*Mar 1 01:16:38.730: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.0.1(23) (Serial0/0 ) -> 10.0.0.1(57410), 1 packet

*Mar 1 01:17:06.595: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.1(0) (Ethernet0/0 0007.ebff.35a0) -> 192.168.0.1(0), 4 packets

*Mar 1 01:17:06.595: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.0.0.1(0) (Ethernet0/0 0007.ebff.35a0) -> 192.168.0.1(0), 4 packets

Pinging the external host is successful, as I'm allowing it through ACL 101.

Any idea? Thank you in advance.

=========================================

IOSFW config

========================

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IOS-FW
!
boot-start-marker
boot-end-marker
!
logging monitor notifications
!
no aaa new-model
ip subnet-zero
!
!
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name http_out http alert on audit-trail on
ip inspect name http_out tcp alert on audit-trail on
ip inspect name http_out udp alert on audit-trail on
ip inspect name http_out icmp alert on audit-trail on
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 half-duplex
!
interface Serial0/0
 ip address 192.168.0.2 255.255.255.0
 ip access-group 102 out
!
ip classless
ip http server
no ip http secure-server
!
logging facility local4
logging source-interface Ethernet0/0
logging 10.0.0.3
access-list 100 permit ip host 10.0.0.3 any
access-list 100 permit ip any host 10.0.0.3
access-list 100 permit icmp host 10.0.0.1 host 192.168.0.1 log-input
access-list 100 permit tcp host 10.0.0.1 host 192.168.0.1 log-input
access-list 101 permit ip host 10.0.0.3 any log-input
access-list 101 permit ip any host 10.0.0.3 log-input
access-list 101 permit icmp any any echo-reply log-input
access-list 101 permit icmp any any time-exceeded log-input
access-list 101 permit icmp any any traceroute log-input
access-list 101 permit icmp any any unreachable log-input
access-list 101 permit icmp any any packet-too-big log-input
access-list 101 deny tcp any any log-input
access-list 101 deny udp any any log-input
access-list 101 deny ip any any log-input
access-list 102 permit ip host 10.0.0.3 any
access-list 102 permit ip any host 10.0.0.3
access-list 102 permit icmp host 10.0.0.1 host 192.168.0.1 log-input
access-list 102 permit tcp host 10.0.0.1 host 192.168.0.1 log-input
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
!
!
end

IOS-FW#

4 Replies

a.kiprawih (Level 7)

Hi,

In ACL 101, it seems that TCP, UDP & IP, e.g. telnet TCP 23 (based on your log), were blocked.

Maybe you need to test it again by only permitting TCP, and maintain the remaining deny statements (for UDP & IP). BTW, the statement 'deny IP' is probably not necessary, as you already specify TCP and UDP in the previous lines. IP covers both TCP and UDP.

Rgds,

AK

Fernando_Meza (Level 7)

Hi,

Even though IP inspect is enabled, it will not work until you apply it to the interfaces: "ip inspect <options>" from interface mode. You can check this link for some info:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1831/products_command_reference_chapter09186a00800d9806.html#wp1017470

abdel_n

Sorry, I posted the configuration before enabling "ip inspect" on the external interface, and it still didn't work even with it.

Fernando_Meza

Please see the attached doco I have put together for you. Let me know how you go, and rate it if you find it useful.
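Added example, not part of the thread and not the poster's own configuration: the lab router's interface section with the inspection rule actually bound to an interface, as Fernando_Meza's reply says it must be. Interface names, addresses, ACL numbers and the rule name "http_out" are taken from the posted config; the placement chosen here is an assumed design, not something the thread states. It also bears on the follow-up that enabling inspection on the external interface did not help: Cisco's documented CBAC pairing is inspection in one direction on an interface with the blocking ACL applied in the opposite direction on that same interface (inspect "out" on the external interface with an inbound ACL there, or inspect "in" on the internal interface with an outbound ACL there). The ACL that logged the denial, 101, is outbound on Ethernet0/0, so "ip inspect http_out out" on Serial0/0 would pair with an inbound ACL on Serial0/0, of which there is none; inspecting inbound on Ethernet0/0 pairs with ACL 101.

```cisco
! Added example (not the thread's own config): CBAC inspection bound to the
! internal interface so that its temporary openings apply to ACL 101, which is
! applied outbound on the same interface. Names, addresses and ACL numbers are
! from the posted config; the placement is an assumed design.
!
ip inspect name http_out http alert on audit-trail on
ip inspect name http_out tcp alert on audit-trail on
ip inspect name http_out udp alert on audit-trail on
ip inspect name http_out icmp alert on audit-trail on
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 ! Inspect sessions as they enter from the internal host 10.0.0.1; the
 ! returning packets from 192.168.0.1 are then admitted by the inspect
 ! session instead of hitting "access-list 101 deny tcp any any".
 ip inspect http_out in
!
interface Serial0/0
 ip address 192.168.0.2 255.255.255.0
 ip access-group 102 out
 ! No inspection here: "ip inspect http_out out" on this interface would
 ! pair with an inbound ACL on Serial0/0, and none is applied.
!
! Verification after opening a telnet or HTTP session from 10.0.0.1:
!   show ip inspect sessions     - the session to 192.168.0.1 is listed
!   show ip access-lists 101     - the "deny tcp any any" match count stops
!                                  growing and no further list 101 denies
!                                  are logged for the 192.168.0.1(23) flow
```

The equivalent alternative is to keep inspection outbound on Serial0/0 and move the blocking ACL to Serial0/0 inbound; either way the ACL that blocks the return path and the inspection statement must sit on the same interface in opposite directions.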