12-22-2011 09:22 AM - edited 03-11-2019 03:05 PM
Hello
My config:
ip inspect name CBAC tcp timeout 10
ip inspect max-incomplete high 100
int fa0/1
ip access-group permit_all in
int fa0/2
ip access-group permit_all in
ip inspect CBAC in
The access-list on both interfaces accepts all IP traffic.
What happens when:
1. An incoming TCP SYN packet arrives on fa0/1 and a TCP session is built. I assume that this session will not be inspected?
2. A TCP session is initiated from the fa0/2 interface. Such a session will be inspected, and after 10 seconds of idle:
a) when a packet within this session is received on fa0/1, will it be accepted?
b) when a packet within this session is received on fa0/2, will it be dropped?
3. When a TCP ACK packet is received on fa0/2 but there is no session which matches this packet, will it be dropped?
4. Only 100 half-open sessions are accepted, but only when initiated from fa0/2; when initiated from fa0/1 there is no limit?
Thanx
12-22-2011 02:05 PM
Here are the answers to your questions.
1. An incoming TCP SYN packet arrives on fa0/1 and a TCP session is built. I assume that this session will not be inspected?
2. A TCP session is initiated from the fa0/2 interface. Such a session will be inspected, and after 10 seconds of idle:
a) when a packet within this session is received on fa0/1, will it be accepted?
b) when a packet within this session is received on fa0/2, will it be dropped?
3. When a TCP ACK packet is received on fa0/2 but there is no session which matches this packet, will it be dropped?
4. Only 100 half-open sessions are accepted, but only when initiated from fa0/2; when initiated from fa0/1 there is no limit?
1. Yes, this session will not be inspected.
2. a) No, after the session has gone idle it will be removed, and the next packet should have the SYN flag, not ACK.
b) Yes, they will not be dropped.
3. Yes.
4. This value is defined globally, not per interface.
Puneet
12-22-2011 11:01 PM
Thanx for the answers.
12-22-2011 11:10 PM
Thanx for the answers.
2. a) The next packet should have SYN only for a new session. There might be network stalls or application problems, and the application resends an ACK segment which will arrive after the router has cleared the connection (both endpoints of this connection believe it is still alive). But it will arrive on the interface which is not inspected. Should "yes" (packet permitted) not be the answer to my question?
4. The value is defined globally but the inspection is enabled only on fa0/2, so am I correct in point 4 or not?
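To make the four scenarios in this thread concrete, here is a small simulation added as an illustration (not IOS code and not from any poster): a simplified model of one-way CBAC TCP inspection with the thread's config, inspection inbound on fa0/2 only, an idle timeout of 10 seconds, a global half-open high-water mark, and interface ACLs that permit everything. The class, method and interface names are assumptions of this model; it only encodes the behaviour the thread discusses (uninspected interfaces are governed by the ACL alone, idle sessions are removed, a non-SYN segment without a session on the inspected interface is dropped, and the half-open limit is counted globally).

```python
# Simplified educational model of CBAC TCP inspection, not Cisco IOS code.
# Models: "ip inspect name CBAC tcp timeout 10", "ip inspect max-incomplete high 100",
# "ip inspect CBAC in" on fa0/2 only, and permit-all ACLs on both interfaces.
class CbacModel:
    def __init__(self, inspect_ifaces, idle_timeout=10, max_incomplete_high=100):
        self.inspect_ifaces = set(inspect_ifaces)
        self.idle_timeout = idle_timeout
        # Question 4: the half-open limit is a global value, not per interface
        self.max_incomplete_high = max_incomplete_high
        # session key (both directions) -> {"est": established?, "last": last activity}
        self.sessions = {}

    def _expire(self, now):
        """Remove sessions idle longer than the configured TCP idle timeout."""
        stale = [k for k, s in self.sessions.items() if now - s["last"] > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def _half_open(self):
        """Keys of sessions that have not completed the handshake, oldest first."""
        return [k for k, s in self.sessions.items() if not s["est"]]

    def packet(self, iface, src, dst, flags, now):
        """Return 'permit' or 'drop' for a TCP segment arriving inbound on iface."""
        self._expire(now)
        key = frozenset((src, dst))  # one session entry covers both directions
        if key in self.sessions:
            # Known session: refresh the idle timer; an ACK completes the handshake
            s = self.sessions[key]
            s["last"] = now
            if "ACK" in flags:
                s["est"] = True
            return "permit"
        if iface not in self.inspect_ifaces:
            # Questions 1 and 2a: no inspection here, only the ACL applies (permit all)
            return "permit"
        if flags == {"SYN"}:
            # New half-open session. Above the high mark the model deletes the
            # oldest half-open session to make room for the new request.
            half = self._half_open()
            if len(half) >= self.max_incomplete_high:
                del self.sessions[half[0]]
            self.sessions[key] = {"est": False, "last": now}
            return "permit"
        # Questions 2b and 3: non-SYN segment on the inspected interface with no session
        return "drop"
```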