IOS CBAC ("ip inspect") interaction with access-lists question

thomasdzubin
Level 1

I'm trying to debug an NTP problem and I'm wondering if an interface's access-list is processed BEFORE the IOS Firewall inspections or AFTER.

I have Cisco IOS CBAC applied on my WAN interface and set up to inspect NTP packets:

ip inspect name FW ntp

I also have an access-list applied on my WAN interface:

permit udp any eq ntp any log

But I'm not seeing any logged packets from my access-list. Is that because my "ip inspect" firewall config is letting the packet through before the packet is checked against the access-list?

Accepted Solution

srue
Level 7

Assumptions:

1. Your inspection is applied to outbound traffic on your WAN interface.

2. Your access-list is applied inbound on your WAN interface.

Generally, traffic being inspected outbound is denied by your inbound ACLs. You can think of it, for your question, as if temporary ACL entries were added to the beginning of your inbound ACL, so your ACL entry will never match, because the inspection entry matched first.

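A minimal IOS configuration laying out the arrangement srue describes, added here as an illustration (it is not configuration from the original post). The interface name Serial0/0 and the ACL name WAN-IN are assumed; the inspect rule and the ACL entry are the ones from the question.

```cisco
! Assumed for this example: Serial0/0 is the WAN interface, WAN-IN is the inbound ACL name.
! Inspection rule from the question: track NTP sessions leaving the WAN interface.
ip inspect name FW ntp
!
! Inbound ACL from the question. There is an implicit "deny ip any any" at the end,
! so only the NTP entry would ever log a hit.
ip access-list extended WAN-IN
 permit udp any eq ntp any log
!
interface Serial0/0
 ip access-group WAN-IN in
 ip inspect FW out
!
! Outbound NTP requests are inspected as they leave Serial0/0. CBAC then admits the
! matching reply through a temporary opening that is evaluated ahead of WAN-IN,
! so the static "permit udp any eq ntp any log" entry never matches and never logs.
!
! Checks that show the reply path without relying on ACL logging:
!   show ip inspect sessions      - lists the dynamic CBAC sessions currently open
!   show ip access-lists WAN-IN   - hit counters on the static entry stay at zero
!                                   for replies that were admitted by inspection
```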

3 Replies

Packets entering the firewall are inspected by CBAC only if they first pass the inbound access list at the interface.

So it has nothing to do with CBAC.


OK, so the "ip inspect" is done before the ACL

That would explain why I'm not seeing any log hits on my ACL.

Excellent information! Thanks!
