CBAC and self-generated traffic (tftp)?

I am running CBAC on a 1811 running IOS 15.1 and can't figure out how to configure it so that I can perform TFTP upgrades with CBAC enabled. It appears that CBAC doesn't catch self-generated traffic and put in a reverse rule in the ACL. I am trying to upgrade the image on this router using a public-addressed TFTP server on the F0 interface. If I drop the ACL the traffic will work, so why isn't CBAC catching the TFTP outbound? Here is my config:

ip inspect name trust icmp
ip inspect name trust udp
ip inspect name trust tcp
!
interface FastEthernet0
 ip address x.y.z.1 (public)
 ip access-group 100 in
 no ip unreachables
 no ip proxy-arp
 ip inspect trust in
 no ip route-cache
!
access-list 100 permit tcp any any eq 22
access-list 100 permit udp any any eq tftp

The tftp rule above is for TFTP upgrades on other equipment, using a server behind this router. I tried defining an outbound ACL as well on F0 to get the traffic to be "caught" by CBAC, but that didn't work. I also tried adding "ip inspect name trust tftp" but that didn't help.

Accepted Solution

Hello Mister,

You need the router-traffic command in order to inspect traffic generated from the router itself.

So it will look like:

ip inspect name test tftp router-traffic

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

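A fuller version of what the accepted answer describes, written here as an added example rather than the answer's or the question's own configuration: it takes the question's setup and adds TFTP inspection with the router-traffic keyword. Two points in it are assumptions, not something the thread states: the inspection is applied outbound on FastEthernet0 (the question has it inbound), which is the usual placement when the access list sits inbound on the same interface, and the server address and image name are constructed placeholders.

```cisco
! Inspection rule "trust": generic TCP/UDP/ICMP for transit sessions, plus
! application-aware TFTP inspection. The router-traffic keyword makes CBAC
! track sessions the router itself originates, so the TFTP server's reply
! (which arrives from a new source port) gets a temporary entry in ACL 100.
ip inspect name trust tcp
ip inspect name trust udp
ip inspect name trust icmp
ip inspect name trust tftp router-traffic
! Log session creation and teardown so the upgrade session can be audited.
ip inspect audit-trail
!
interface FastEthernet0
 description Public-facing interface (address is the question's placeholder)
 ip address x.y.z.1 255.255.255.0
 ip access-group 100 in
 ! Assumption: inspect outbound here so sessions leaving F0, including the
 ! router's own TFTP request, create return openings in access-list 100.
 ip inspect trust out
 no ip unreachables
 no ip proxy-arp
!
! Static inbound permits only SSH to the router and TFTP to the inside server;
! any other inbound packet must match a CBAC dynamic entry or is denied and logged.
access-list 100 permit tcp any any eq 22
access-list 100 permit udp any any eq tftp
access-list 100 deny ip any any log
!
! Upgrade from exec mode (203.0.113.10 and the image name are constructed values):
!   copy tftp://203.0.113.10/c181x-image.bin flash:
! While the copy runs, confirm CBAC is tracking the router-originated session:
!   show ip inspect sessions
!   show ip inspect config
```

After pasting the rule, `show ip inspect config` should list tftp with router-traffic; if the parser rejected the keyword on a given image it will be missing there, which is the first thing to check when the copy still fails. Once the upgrade is done, a session entry for the router's own address in `show ip inspect sessions` during the copy, and a matching audit-trail line in the log, are the evidence that the dynamic opening (and nothing broader in ACL 100) is what let the reply through.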

3 Replies

Also I just thought I would add, I am not interested in moving to ZBF just yet, I just need to get this single thing working. Thanks,


Hi,


http://blog.ioshints.info/2009/06/tftp-server-protection-with-cbac.html

Regards.

Alain

Don't forget to rate helpful posts.