04-28-2013 04:42 PM - edited 03-11-2019 06:36 PM
Hi all,
My router interface gets ip from ISP modem.
router interface has command
ip address dhcp.
I applied ACL to deny all incoming traffic to router interface fa0/0 which connects to ISP
I have applied CBAC on router and currently allow this traffic to go outside
ip inspect name REMEMBER tcp
ip inspect name REMEMBER udp
ip inspect name REMEMBER icmp
ip inspect name REMEMBER dns
ip inspect name REMEMBER ntp
ip inspect name REMEMBER bootps
ip inspect name REMEMBER bootpc
Need to know what inspect I should allow so that the router can get IP, DNS and gateway address from the ISP?
If I need to access HTTP or HTTPS websites, do I need to add the inspect for http or https?
Also, am I missing something under inspection to allow traffic from inside?
Thanks
Mahesh
Message was edited by: mahesh parmar
04-29-2013 01:17 AM
Hi,
add this to your config because by default CBAC won't inspect traffic generated by the router.
ip inspect name REMEMBER dns router-traffic
ip inspect name REMEMBER ntp router-traffic
ip inspect name REMEMBER bootps router-traffic
ip inspect name REMEMBER bootpc router-traffic
Regards
Alain
Don't forget to rate helpful posts.
04-29-2013 11:51 AM
Hi Alain,
I will test this today and will update you.
Regards
Mahesh
04-29-2013 05:37 PM
Hi Alain,
Seems my router has no option for router traffic
ip inspect name REMEMBER bootpc ?
alert Turn on/off alert
audit-trail Turn on/off audit trail
timeout Specify the inactivity timeout time
But I applied an ACL on the inside to allow
permit udp any any eq bootpc
that fixed the issue.
Many thanks for answering the questions and letting me know about router traffic option.
Regards
Mahesh
04-30-2013 12:08 AM
Hi,
don't forget the DNS and the NTP traffic too as you mentioned in your first post.
There's also a router trick to make CBAC take this router-generated traffic into account: make it transit traffic by sending it to a loopback interface with a local PBR.
Regards
Alain
Don't forget to rate helpful posts.
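The configuration below is an added example that pulls the thread together; it is not Mahesh's running config or anything Alain posted. It keeps the inspect name REMEMBER from the thread, and the interface names, the ACL name OUTSIDE-IN and the inside addressing are assumptions. It shows the two pieces that have to agree for a DHCP-addressed outside interface behind a default-deny inbound ACL: the inspect rule applied outbound on the ISP-facing interface, with Alain's router-traffic keyword on the services the router itself originates, and, for IOS images that do not offer router-traffic, the explicit DHCP hole in the inbound ACL that Mahesh used, written as narrowly as the protocol allows (ISP server port 67 to client port 68 only).

```cisco
! Added example, not from the thread. Interface names, OUTSIDE-IN and the
! inside subnet are assumptions; REMEMBER is the inspect name used above.
!
! Inspection applied outbound on fa0/0 opens return holes in the inbound ACL
! for sessions it has seen. Without router-traffic CBAC only tracks transit
! sessions, so the router's own DHCP, DNS and NTP replies would be dropped.
ip inspect name REMEMBER tcp
ip inspect name REMEMBER udp
ip inspect name REMEMBER icmp
ip inspect name REMEMBER dns router-traffic
ip inspect name REMEMBER ntp router-traffic
ip inspect name REMEMBER bootps router-traffic
ip inspect name REMEMBER bootpc router-traffic
!
! Default-deny inbound from the ISP. The single static entry is the fallback
! for images whose bootpc inspect has no router-traffic option: only the
! ISP's DHCP server port may talk to the router's DHCP client port.
! Logging the final deny gives a cheap record of what the ISP side sends.
ip access-list extended OUTSIDE-IN
 permit udp any eq bootps any eq bootpc
 deny ip any any log
!
interface FastEthernet0/0
 description Link to ISP modem
 ip address dhcp
 ip access-group OUTSIDE-IN in
 ip inspect REMEMBER out
!
interface FastEthernet0/1
 description Inside LAN (assumed addressing)
 ip address 192.168.1.1 255.255.255.0
```

Two checks after applying this: `show ip inspect sessions` should list the router's own DNS and NTP sessions when router-traffic is in effect, and `show access-list OUTSIDE-IN` should show the log-tagged deny counter moving only for unsolicited inbound packets. Web browsing from the inside needs no separate http inspect for the return path, since the generic tcp inspect already tracks those sessions; the protocol-specific http inspect adds application-layer checks rather than connectivity. Keep the DHCP entry even when router-traffic works, because DHCP offers can arrive as broadcasts that do not match a tracked session, which is the symptom Mahesh saw.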