CBAC: creating temporary entries in another interface?

freemant2000
Level 1

Hi,

I am trying to understand the example at http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac.html#wp1002224 in which the "ip inspect" command is applied to Ethernet 1/0 but the document says that the dynamic temporary entries will be created in the ACL 100 which is applied to another interface (Ethernet 1/1). Is this true? I am under the impression that "ip inspect ... in" will add entries to the outbound ACL for the same interface, while "ip inspect ... out" will add entries to the inbound ACL for the same interface.

Thanks in advance!


6 Replies

Julio Carvajal
VIP Alumni

Hello,

Inside-----ROUTER------Outside

So let's say you have an ACL on the outside interface denying all the inbound traffic.

So if you add a CBAC inspection policy on the inside interface to inspect some traffic, that particular traffic being inspected will override the ACL (that is why Cisco said it will create temporary entries on the inbound ACL on the outside interface: even though you are denying all the traffic, that traffic will be accepted because of the IP inspect).

Hope I could help,

Julio

Regards!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the reply! If the router has multiple interfaces, how can it determine which is the outside interface to add the temporary entries to?

Ka,

It really depends on where you actually applied the inspection to. Let's assume you have 3 interfaces, and you put the ip inspect in on the "inside interface". CBAC will assume that all of them are outside, and if they all have ACLs applied inbound, no matter if it has a deny ip any any on all of them, the traffic will be allowed to come in. But if the ip inspect is applied outbound on one interface, the traffic coming in is only going to be allowed on that specific interface, from wherever the traffic started from.

I hope this makes sense.

Mike

I see. Thanks! Is there any documentation on this behavior? For the case where inspection is applied to an inside interface, the doc seems to say that we can have either an outbound ACL on that inside interface or inbound ACL on the outside interface(s) for CBAC to add the temporary entries to. If both are present, I guess both will be added to?

Hello Ka,

You do not need it, as soon as you have the inspection the returning traffic that matches the connections being inspected by CBAC will be allowed and will overwrite any ACL denying that traffic.

I think it's a way to see things, because as an example:

Inside------Router----Outside

Let's say you have an ACL denying all traffic on the outside interface in the inbound direction, with CBAC configured on the inside for outbound TCP connections. All the TCP traffic returning for a connection that matches the traffic being inspected will be allowed (so yes, a temporary entry will be added to the inbound ACL on the outside interface).

That is the whole purpose of CBAC (a stateful firewall).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Pretty much yes, the only thing you need to make sure is that there is an allow in order for the traffic to be inspected. The return traffic should not be blocked as the session is already up.

Here is a good doc:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Mike.
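The topology Julio and Mike describe (inspection applied inbound on the inside interface, a deny-everything ACL applied inbound on the outside interface, and CBAC opening temporary entries in that ACL for return traffic) looks like the following in IOS. This is an added, constructed example written for this thread, not the configuration from the Cisco document linked in the question or from either poster; the inspection rule name FW-IN, the addresses, and the interface descriptions are assumptions, while the interface numbers and ACL number follow the document the question refers to (inspect on Ethernet1/0, ACL 100 on Ethernet1/1).

```ios
! Constructed example; FW-IN, the addresses and the descriptions are assumptions.
!
! Inspection rule: track outbound TCP and UDP sessions originating from the inside.
ip inspect name FW-IN tcp
ip inspect name FW-IN udp
!
! Outside-facing ACL. Nothing from the outside is permitted statically;
! CBAC inserts temporary entries ahead of this deny for return traffic of
! sessions it has seen leave through the inside interface.
access-list 100 remark Inbound from the outside - CBAC opens return traffic dynamically
access-list 100 deny ip any any log
!
interface Ethernet1/0
 description INSIDE (assumed)
 ip address 10.1.1.1 255.255.255.0
 ip inspect FW-IN in
!
interface Ethernet1/1
 description OUTSIDE (assumed)
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
!
! Verification after a host behind Ethernet1/0 opens a session:
!   show ip inspect sessions      - lists the tracked sessions
!   show ip access-lists 100      - shows the temporary entries above the deny
```

As Mike's answer points out, with `ip inspect FW-IN in` on the inside interface every other interface is treated as outside, so return traffic is admitted on whichever interface it arrives on; if you instead apply `ip inspect FW-IN out` on Ethernet1/1 only, return traffic is admitted only on that interface. Either way, the static `deny ip any any log` on ACL 100 stays in place and still blocks traffic that is not part of an inspected session, which is what makes the logging on that line useful for spotting unsolicited inbound attempts.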