I am running CBAC on a 1811 running IOS 15.1 and can't figure out how to configure it so that I can perform TFTP upgrades with CBAC enabled. It appears that CBAC doesn't catch self-generated traffic and put in a reverse rule in the ACL. I am trying to upgrade the image on this router using a public-addressed TFTP server on the F0 interface. If I drop the ACL the traffic will work, so why isn't CBAC catching the TFTP outbound? Here is my config:
ip inspect name trust icmp
ip inspect name trust udp
ip inspect name trust tcp
!
interface FastEthernet0
ip address x.y.z.1 (public)
ip access-group 100 in
no ip unreachables
no ip proxy-arp
ip inspect trust in
no ip route-cache
!
access-list 100 permit tcp any any eq 22
access-list 100 permit udp any any eq tftp
The tftp rule above is for TFTP upgrades on other equipment, using a server behind this router. I tried defining an outbound ACL as well on F0 to get the traffic to be "caught" by CBAC, but that didn't work. I also tried adding "ip inspect name trust tftp" but that didn't help.
Hello Mister,
You need the router-traffic command in order to inspect traffic generated from the router itself.
So it will look like:
ip inspect test tftp router-traffic
Regards,
Remember to rate all of the helpful posts
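As an added example that is not from the thread, here is the poster's config with the fix applied. Assumptions: router-traffic is set on the tcp/udp/icmp rules (the keyword is documented for those protocol types); inspection is also applied outbound on F0, the direction in which the router's own TFTP session leaves, so that CBAC can open the matching return entry in ACL 100; the subnet mask, server address and image name are placeholders.

```cisco
! Added example, not from the thread. router-traffic makes CBAC track
! sessions the router itself originates; without it only transit traffic
! gets a dynamic return entry.
ip inspect name trust icmp router-traffic
ip inspect name trust tcp router-traffic
ip inspect name trust udp router-traffic
ip inspect name trust tftp
!
interface FastEthernet0
 ip address x.y.z.1 255.255.255.0      ! mask is a placeholder
 ip access-group 100 in
 no ip unreachables
 no ip proxy-arp
 ip inspect trust in                  ! existing: transit sessions entering F0
 ip inspect trust out                 ! added: sessions leaving F0, incl. the router's own
!
! Inbound ACL unchanged: only SSH, TFTP to the internal server, and whatever
! CBAC has seen leaving are allowed back in.
access-list 100 permit tcp any any eq 22
access-list 100 permit udp any any eq tftp
!
! Verification while the copy runs (server address and image name are placeholders):
! the outbound TFTP session should be listed; an empty list means the
! router's own traffic is still not being inspected.
copy tftp://a.b.c.d/c1811-image.bin flash:
show ip inspect sessions
```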
Also I just thought I would add, I am not interested in moving to ZBF just yet, I just need to get this single thing working. Thanks,
Hi,
http://blog.ioshints.info/2009/06/tftp-server-protection-with-cbac.html
Regards.
Alain
Don't forget to rate helpful posts.