Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CBAC problems - intermittent connectivity

This is kind of a general question about how CBAC works. If I have the following inspection on my outside (Internet-facing) interface:

ip inspect name ASDF icmp router-traffic

ip inspect name ASDF tcp router-traffic

ip inspect name ASDF udp router-traffic

I also have a PIX on the inside that is NATing interal users to the VLAN of it's outside interface (which is the inside interface of the router). So users are coming from the PIX with a public IP like

I have an inbound ACL on the Internet interface of my router that allows "ip any" to Basically I am wanting to pass all traffic filtering responsibilities on to the PIX for this one IP address.

So I assume that my outbound Internet traffic is triggering TCP inspection and possibly creating dynamic pinholes, but I don't really need this functionality. I mainly wanted to use CBAC to allow other devices and the rotuer itself the ability to have dynamic pinholes. Something to do with CBAC is causing intermittent connectivity for internal users. Most sites are accessible, but a handful appear to be having problems with CBAC; turning it off allows access to all sites.


Re: CBAC problems - intermittent connectivity

CBAC is examined on a given inteface only of the traffic is not explicitely permitted by an ACL on that inteface.

The solution is to permit the traffic manually on the router:

on the lan facing interface: permit ip host any

on the internet interface: permit ip any host

If this helped please rate.



New Member

Re: CBAC problems - intermittent connectivity

Thanks, I had permit ip any host on the Internet interface and permit ip any any on the LAN interface.

CreatePlease login to create content