topic CBAC on 2811 not working after Router reboot in Network Security

CBAC on 2811 not working after Router reboot

Chris McManaway — Mon, 11 Mar 2019 16:51:43 GMT

We are running CBAC on a 2811 route with the following IOS c2800nm-adventerprisek9-mz.12-24.T2 This works fine and allows and blocks the traffic as designed. However if we reboot the router CBAC stops working, to get it working we remove a rule from the ACL and put it back in and CBAC starts allowing traffic. In the same ACL we have a rule to allow ssh, which we use to connect to the router for management, this works fine, as its not using CBAC and doesn't need to be passed out to the public side of the network. This shows that its not an issue with the ACL.

Any help would ba appreciated

Cheers

Chris

Re: CBAC on 2811 not working after Router reboot

Kureli Sankar — Wed, 23 Dec 2009 22:29:02 GMT

With the description I am assuming that you have the following:

1. CBAC applied IN on the inside interface.

2. ACL also applied IN on the inside interafce.

Is this correct?

Usually we see

1. CBAC applied OUT on the outside interface

2. ACL applied IN on the outside interface

You may want to copy and paste the output of "sh run int <>" as well as the acl that you are talking about is not working so we understand what is broken.

-KS

Re: CBAC on 2811 not working after Router reboot

Chris McManaway — Wed, 23 Dec 2009 22:46:23 GMT

Here is the config

Note that once this is working it is fine, only breaks after a reboot. Manual removal of the rule in the ACL and putting back in makes it work again.

Router#show run
Building configuration...

Current configuration : 1411 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
logging message-counter syslog
no aaa new-model
dot11 syslog
ip source-route
ip cef

ip inspect name CELTrust icmp
ip inspect name CELTrust bgp
no ipv6 cef
voice-card 0
object-group service BGP
tcp eq bgp
object-group service ICMP
icmp echo
icmp traceroute
icmp echo-reply

archive
log config
hidekeys

interface FastEthernet0/0
description to CELAK1-S15 2/3/43
ip address 192.168.179.3 255.255.255.0
ip access-group 101 in
ip inspect CELTrust in
duplex auto
speed auto
!
interface FastEthernet0/1
description to One Office IDL
ip address 192.168.255.142 255.255.255.252
ip access-group 110 in
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.179.1 10
no ip http server
no ip http secure-server

access-list 101 permit object-group ICMP host 192.168.179.1 host 192.168.255.141
access-list 101 permit object-group BGP host 192.168.179.1 host 192.168.255.141
access-list 101 deny ip any any
access-list 110 deny ip any any

!line con 0
line aux 0
line vty 0 4
login
scheduler allocate 20000 1000
end

Thanks

Chris

Re: CBAC on 2811 not working after Router reboot

Kureli Sankar — Thu, 24 Dec 2009 00:10:24 GMT

access-list 101 permit object-group BGP host 192.168.179.1 host 192.168.255.141

That line says only 192.168.179.1 can initiate BGP peering. 192.168.255.141 cannot initiate as the ACL applied on the other interface only had deny ip any any.

May be you should also have this line

access-list 101 permit object-group BGP host 192.168.255.141 host 192.168.179.1

Give that a shot and let us know.

-KS