01-28-2012 07:19 AM - edited 03-11-2019 03:20 PM
Hello,
I've migrated a working IOS configuration from a 2811 (12.4) to a 2921 (15.2(2)T) and it seems that
CBAC is behaving differently.
ip inspect log drop-pkt
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND pptp
ip inspect name OUTBOUND icmp
interface GigabitEthernet0/0
description Internal Network
ip address 10.20.0.1 255.255.255.0
ip access-group ACLtoLAN out
ip nat inside
ip inspect OUTBOUND in
ip virtual-reassembly in
end
ip access-list extended ACLtoLAN
remark Outgoing Traffic to LAN
permit ip 10.21.0.0 0.0.1.255 any
deny ip any any log-input
Traffic initiated from the inside LAN (GigabitEthernet0/0) should be inspected by the OUTBOUND rule, so returning
packets should be allowed going out of g0/0 back to the LAN.
But this is not working anymore on the 2921 under IOS 15. The returning packets are now being blocked by the
ACL ACLtoLAN.
Any ideas?
Thanks!
01-28-2012 11:40 PM
Frank,
I think the CBAC feature does allow return traffic on the inbound interface. You can check by removing this command,
ip access-group ACLtoLAN out, and putting a deny any any on the outside interface. Configuring in/out on the same interface is something like manually opening the ports bi-directionally.
Thanks
Ajay
01-29-2012 12:18 AM
Hi Ajay,
thanks for the info. I'm not sure if I got you. If I remove the ACLtoLAN, the returning packets are
coming in of course, but this would allow any other incoming packets as well.
The router is doing IPsec to several private networks and NAT to the internet; besides that
it terminates an 802.1q trunk, where one subinterface acts as a gateway to a wireless LAN.
I don't want to let incoming traffic in from these networks to GigabitEthernet0/0; just returning
traffic originated from g0/0 should be allowed.
This has worked with IOS 12.4T on a 2811 platform using the configuration I've depicted here,
but after migrating it to IOS 15.2T it seems that CBAC does not dynamically open the
ports for returning traffic destined for g0/0.
Any other ideas how to get this working again?
Thanks
Frank
01-29-2012 12:29 AM
OK, let me try to explain; it might help.
                        -------->                                  -------->
ACL IN (permit any any)  Interface LAN -------------------- Interface ANY  ACL IN (deny any any)
                        <--------                                  <--------
Suppose things are allowed from the LAN to any interface, and there is a deny on the interface from which the return traffic is coming. Here inspection should work and ignore the deny any any, and the return traffic will not be blocked by the ACL.
Let me add one more statement: you need to identify two interfaces on the router, internal or external, to make it work.
With your current config, if you feel the CBAC feature is not working, these commands can help you verify it. Use: show ip inspect session
Other Show Commands
show ip inspect config
show ip inspect interfaces
show ip inspect stat
Debug Commands
debug ip inspect detail
debug ip inspect tcp
debug ip inspect object-cre
debug ip inspect object-del
debug ip inspect event
Thanks
Ajay
01-29-2012 01:37 AM
What you've described is how it currently works; there are already IN access lists with a
deny any any on all the other interfaces of the router, for example:
interface Serial0/0/0.50 point-to-point
description Internet
ip address
ip access-group int-acl_internet in
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci
crypto map vpn
The problem here is that this incoming access list cannot examine the ESP payload; so when
traffic from the VPN is coming in, the encrypted packets first traverse the IN access list
(and are allowed there, because the destination is the router itself) before they are decrypted
and forwarded to the other interfaces (in this case g0/0). In other words: it makes no sense
for CBAC to modify this IN ACL, because the returning packets are all encrypted.
So I need to have a mechanism so that unwanted traffic initiated from outside (VPN) networks will
be prevented from being forwarded to the private segment behind g0/0, and this was the OUT
access list in conjunction with CBAC, which worked perfectly under 12.4.
Thanks
Frank
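As an added example that is not part of the thread: the two layouts discussed above (Frank's "inspect in plus deny-all ACL out on the same interface" on g0/0, and the "deny-all ACL in on the far-side interface, inspection elsewhere" placement Ajay describes) can be picked out of a running-config dump mechanically. The small Python linter below parses the interface, access-list and ip inspect statements from IOS config text and reports which interfaces carry which layout, so the reviewer knows where to point show ip inspect sessions. The sample config is constructed from the snippets Frank posted; the body of int-acl_internet and the finding codes are assumptions made for the example.

```python
"""Added example, not code from the thread: a small linter for Cisco IOS
running-config text that pairs each interface's 'ip inspect <rule> in|out'
with its 'ip access-group <acl> in|out' and reports the two layouts this
thread contrasts. The sample config is constructed from the snippets Frank
posted; the body of int-acl_internet is assumed, he did not post it."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Finding codes returned by audit() (names chosen for this example)
INSPECT_IN_WITH_DENY_OUT = "inspect-in-with-deny-acl-out-same-interface"
DENY_IN_WITHOUT_INSPECT = "deny-acl-in-without-inspect"
UNDEFINED_INSPECT_RULE = "inspect-rule-has-no-entries"

SAMPLE_CONFIG = """\
ip inspect log drop-pkt
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface GigabitEthernet0/0
 description Internal Network
 ip address 10.20.0.1 255.255.255.0
 ip access-group ACLtoLAN out
 ip nat inside
 ip inspect OUTBOUND in
 ip virtual-reassembly in
!
interface Serial0/0/0.50 point-to-point
 description Internet
 ip access-group int-acl_internet in
 ip nat outside
 ip virtual-reassembly
 crypto map vpn
!
ip access-list extended ACLtoLAN
 remark Outgoing Traffic to LAN
 permit ip 10.21.0.0 0.0.1.255 any
 deny ip any any log-input
!
ip access-list extended int-acl_internet
 permit esp any any
 deny ip any any log
"""


@dataclass
class Interface:
    name: str
    acl_in: Optional[str] = None
    acl_out: Optional[str] = None
    inspect_in: Optional[str] = None
    inspect_out: Optional[str] = None


def parse_config(text: str):
    """Return (interfaces, acls, inspect_rules) from IOS config text.
    Only the statements the audit needs are parsed; everything else is ignored."""
    interfaces: Dict[str, Interface] = {}
    acls: Dict[str, List[str]] = {}
    inspect_rules: Dict[str, List[str]] = {}
    current = None  # the Interface or ACL entry list currently being filled
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level statement
            current = None
            if m := re.match(r"interface (\S+)", line):
                current = interfaces.setdefault(m.group(1), Interface(m.group(1)))
            elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
                current = acls.setdefault(m.group(1), [])
            elif m := re.match(r"ip inspect name (\S+) (\S+)", line):
                inspect_rules.setdefault(m.group(1), []).append(m.group(2))
            continue
        line = line.strip()  # sub-mode statement under the current interface/ACL
        if isinstance(current, Interface):
            if m := re.match(r"ip access-group (\S+) (in|out)$", line):
                setattr(current, "acl_" + m.group(2), m.group(1))
            elif m := re.match(r"ip inspect (\S+) (in|out)$", line):
                setattr(current, "inspect_" + m.group(2), m.group(1))
        elif isinstance(current, list) and line.startswith(("permit ", "deny ")):
            current.append(line)
    return interfaces, acls, inspect_rules


def ends_in_deny_any(entries: List[str]) -> bool:
    """True when the ACL's last explicit entry is 'deny ip any any' (log keywords allowed)."""
    return bool(entries) and re.fullmatch(r"deny ip any any(?: log(?:-input)?)?", entries[-1]) is not None


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return sorted (interface, code, acl-or-rule) findings for the layouts in the thread."""
    interfaces, acls, rules = parse_config(text)
    findings = []
    for i in interfaces.values():
        for rule in (i.inspect_in, i.inspect_out):
            if rule and rule not in rules:
                findings.append((i.name, UNDEFINED_INSPECT_RULE, rule))
        # Frank's layout: inspection inbound and a deny-all ACL outbound on the same
        # interface, so return traffic passes only if CBAC opens holes in that outbound ACL.
        if i.inspect_in and i.acl_out and ends_in_deny_any(acls.get(i.acl_out, [])):
            findings.append((i.name, INSPECT_IN_WITH_DENY_OUT, i.acl_out))
        # Ajay's layout: deny-all ACL inbound on the far-side interface, inspection elsewhere.
        # Per Frank, on the crypto-map interface this ACL sees ESP, not the decrypted packet.
        if i.acl_in and not (i.inspect_in or i.inspect_out) and ends_in_deny_any(acls.get(i.acl_in, [])):
            findings.append((i.name, DENY_IN_WITHOUT_INSPECT, i.acl_in))
    return sorted(findings)


if __name__ == "__main__":
    for name, code, obj in audit(SAMPLE_CONFIG):
        print(f"{name}: {code} ({obj})")
```

Run against the sample, the linter reports g0/0 as the interface whose outbound deny-all ACL depends on CBAC holes (the construct Frank says stopped working on 15.2T) and Serial0/0/0.50 as the interface where the inbound ACL, not inspection, is the gate; those are the two places to compare show ip inspect sessions output against the dropped packets.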