problem with CBAC !

Hi all,

I'm testing IOS FW, so in a lab environment I connected 2 hosts through a router (IOS FW) in this way:

(internalhost)----------[e0/0](IOSfw)[s1/0]-----------(external host)

It seems that "ip inspect" has no effect and ACL 101 is still blocking traffic from the external zone.

Here are the ACL logs:

*Mar 1 01:16:38.730: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.0.1(23) (Serial0/0 ) -> 10.0.0.1(57410), 1 packet
*Mar 1 01:17:06.595: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.1(0) (Ethernet0/0 0007.ebff.35a0) -> 192.168.0.1(0), 4 packets
*Mar 1 01:17:06.595: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.0.0.1(0) (Ethernet0/0 0007.ebff.35a0) -> 192.168.0.1(0), 4 packets

Pinging the external host is successful, as I'm allowing it through ACL 101.

Any idea? Thank you in advance.

=========================================
IOSFW config
========================

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IOS-FW
!
boot-start-marker
boot-end-marker
!
logging monitor notifications
!
no aaa new-model
ip subnet-zero
!
!
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name http_out http alert on audit-trail on
ip inspect name http_out tcp alert on audit-trail on
ip inspect name http_out udp alert on audit-trail on
ip inspect name http_out icmp alert on audit-trail on
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 half-duplex
!
interface Serial0/0
 ip address 192.168.0.2 255.255.255.0
 ip access-group 102 out
!
ip classless
ip http server
no ip http secure-server
!
logging facility local4
logging source-interface Ethernet0/0
logging 10.0.0.3
access-list 100 permit ip host 10.0.0.3 any
access-list 100 permit ip any host 10.0.0.3
access-list 100 permit icmp host 10.0.0.1 host 192.168.0.1 log-input
access-list 100 permit tcp host 10.0.0.1 host 192.168.0.1 log-input
access-list 101 permit ip host 10.0.0.3 any log-input
access-list 101 permit ip any host 10.0.0.3 log-input
access-list 101 permit icmp any any echo-reply log-input
access-list 101 permit icmp any any time-exceeded log-input
access-list 101 permit icmp any any traceroute log-input
access-list 101 permit icmp any any unreachable log-input
access-list 101 permit icmp any any packet-too-big log-input
access-list 101 deny tcp any any log-input
access-list 101 deny udp any any log-input
access-list 101 deny ip any any log-input
access-list 102 permit ip host 10.0.0.3 any
access-list 102 permit ip any host 10.0.0.3
access-list 102 permit icmp host 10.0.0.1 host 192.168.0.1 log-input
access-list 102 permit tcp host 10.0.0.1 host 192.168.0.1 log-input
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
end

IOS-FW#
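The symptom in the log above is the classic one for a stateful firewall whose inspection is not taking effect: the internal host's outbound telnet is permitted by ACL 100, but the server's reply (192.168.0.1:23 -> 10.0.0.1:57410) hits the static ACL 101 on its way back toward the inside and is dropped by "deny tcp any any". The following Python model is an added example, not from the thread or from Cisco. It parses the poster's %SEC-6-IPACCESSLOGP lines and then replays the telnet exchange against a toy version of ACL 101, once without and once with a CBAC session table. It assumes the topology from the post (10.0.0.1 inside Ethernet0/0, 192.168.0.1 beyond Serial0/0, ACL 101 outbound on Ethernet0/0) and assumes inspection placed as "ip inspect http_out in" on Ethernet0/0, the pairing Cisco's CBAC documentation describes for an outbound ACL on the same interface; the ICMP type matching and ACLs 100/102 are deliberately not modelled. The class and function names are the example's own.

```python
"""Added example, not from the thread: a toy model of why the telnet reply in
the poster's log is denied by ACL 101 when no CBAC session exists, and is
permitted once 'ip inspect' has recorded the outbound connection.
Assumptions: internal host 10.0.0.1 behind Ethernet0/0, external host
192.168.0.1 beyond Serial0/0, ACL 101 outbound on Ethernet0/0, and
'ip inspect http_out in' applied on Ethernet0/0 (the Cisco-documented
pairing of an inbound inspection rule with an outbound ACL on one interface).
"""
import re
from collections import namedtuple

# Log lines copied from the post (wrapped lines joined); no device needed.
SAMPLE_LOG = [
    "*Mar 1 01:16:38.730: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "192.168.0.1(23) (Serial0/0 ) -> 10.0.0.1(57410), 1 packet",
    "*Mar 1 01:17:06.595: %SEC-6-IPACCESSLOGP: list 100 permitted tcp "
    "10.0.0.1(0) (Ethernet0/0 0007.ebff.35a0) -> 192.168.0.1(0), 4 packets",
]

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) \((?P<ifname>\S+)[^)]*\) "
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

Packet = namedtuple("Packet", "proto src sport dst dport")
# proto is "tcp", "udp", "icmp" or "ip" (any IP protocol); src/dst are a host
# address or "any", as in a Cisco extended ACL entry.
Ace = namedtuple("Ace", "action proto src dst")

def parse_acl_log(line):
    """Return (acl number, action, Packet, packet count) for one
    %SEC-6-IPACCESSLOGP line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = Packet(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return int(m["acl"]), m["action"], pkt, int(m["count"])

def ace_matches(ace, p):
    return ((ace.proto == "ip" or ace.proto == p.proto)
            and ace.src in ("any", p.src)
            and ace.dst in ("any", p.dst))

# ACL 101 from the post; its five ICMP type-specific permits are collapsed
# into one generic ICMP permit because ICMP types are not modelled here.
ACL_101 = [
    Ace("permit", "ip", "10.0.0.3", "any"),
    Ace("permit", "ip", "any", "10.0.0.3"),
    Ace("permit", "icmp", "any", "any"),
    Ace("deny", "tcp", "any", "any"),
    Ace("deny", "udp", "any", "any"),
    Ace("deny", "ip", "any", "any"),
]

def acl_lookup(acl, p):
    """First-match evaluation, ending in the implicit deny of every IOS ACL."""
    for ace in acl:
        if ace_matches(ace, p):
            return ace.action
    return "deny"

class InspectEngine:
    """Models 'ip inspect http_out in' on Ethernet0/0: each outbound packet of
    an inspected protocol records a session, and return traffic that mirrors a
    session is allowed before the static outbound ACL is consulted."""

    def __init__(self, protocols):
        self.protocols = set(protocols)
        self.sessions = set()  # (proto, src, sport, dst, dport) of outbound flows

    def inspect_outbound(self, p):
        if p.proto in self.protocols:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def is_return_traffic(self, p):
        # Return traffic carries the outbound 5-tuple with the ends swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions

def filter_toward_inside(p, acl, inspect):
    """Fate of a packet leaving Ethernet0/0 toward the internal host."""
    if inspect is not None and inspect.is_return_traffic(p):
        return "permit (inspect session)"
    return acl_lookup(acl, p) + " (ACL 101)"

def telnet_scenario(with_inspect):
    """Internal host telnets out; what happens to the server's reply?"""
    inspect = InspectEngine(["tcp", "udp", "icmp"]) if with_inspect else None
    outbound = Packet("tcp", "10.0.0.1", 57410, "192.168.0.1", 23)
    reply = Packet("tcp", "192.168.0.1", 23, "10.0.0.1", 57410)
    if inspect is not None:
        inspect.inspect_outbound(outbound)
    return filter_toward_inside(reply, ACL_101, inspect)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_acl_log(line))
    print("without inspect:", telnet_scenario(False))  # deny (ACL 101)
    print("with inspect:   ", telnet_scenario(True))   # permit (inspect session)
```

Two things worth noticing when reading the parsed output: the permitted entries from ACL 100 log port 0 on both ends, because those ACEs do not match on ports, so the outbound log alone cannot be correlated to a specific session; and the denied entry is the only line that carries the real ports, which is why the return direction is where the missing state shows up. On a real router the equivalent evidence is the session table from "show ip inspect sessions": if the outbound telnet never appears there, inspection is not seeing the traffic, whatever the ACLs say.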

4 REPLIES

Re: problem with CBAC !

Hi,

In ACL 101, it seems that TCP, UDP & IP, e.g. telnet TCP 23 (based on your log), were blocked.

Maybe you need to test it again by only permitting TCP, and maintain the remaining deny statements (for UDP & IP). BTW, the statement 'deny IP' is probably not necessary as you already specify TCP and UDP in the previous lines. IP covers both TCP and UDP.

Rgds,

AK

Re: problem with CBAC !

Hi,

Even though IP inspect is enabled, it will not work until you apply it to the interfaces: ip inspect <options> from interface mode. You can check this link for some info:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1831/products_command_reference_chapter09186a00800d9806.html#wp1017470

Re: problem with CBAC !

Sorry, I posted the configuration before enabling "ip inspect" on the external interface, and it still didn't work even with it.

Re: problem with CBAC !

Please see the attached doco I have put together for you. Let me know how you go, and rate it if you find it useful.
