11-30-2004 02:01 AM - edited 03-02-2019 08:17 PM
Hi, I have a 3745 router. I have configured CBAC on one interface, FE4/1.
Now I have installed IP telephones (192.168.111.10) on FE0/1 and an IP Office (192.168.30.50) on FE4/1, but it doesn't work.
I don't understand why I see the return traffic of the telephone matched by CBAC and not by the access-list.
Can anybody help me?
Extended IP access list 102
permit tcp host 192.168.111.2 eq 445 host 172.16.204.64 eq 2672 (1 match)
permit udp host 192.168.111.10 eq 3000 host 192.168.30.50 eq 1719 (1 match)
permit tcp host 192.168.111.2 eq 139 host 172.16.204.64 eq 2674 (3 matches)
permit tcp host 192.168.111.2 eq 139 host 172.16.204.64 eq 2673 (3 matches)
10 permit tcp host 192.168.111.10 any (2 matches)
20 permit udp host 192.168.111.10 any (18 matches)
150 permit ip host 192.168.111.24 10.1.0.0 0.0.0.255 (104 matches)
160 permit ip host 192.168.111.26 10.1.0.0 0.0.0.255 (27 matches)
170 permit ip host 192.168.111.28 10.1.0.0 0.0.0.255 (27 matches)
This is the entire configuration:
router#sh run
version 12.3
no aaa new-model
ip subnet-zero
!
ip inspect name intranet tcp
ip inspect name intranet udp
ip inspect name intranet h323
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0/0
ip address 10.120.105.6 255.255.255.248
ip access-group 103 in
!
interface FastEthernet0/1
ip address 192.168.111.30 255.255.255.224
ip access-group 102 in
!
interface FastEthernet4/1
ip address 172.16.215.217 255.255.0.0
ip access-group 101 in
ip inspect intranet in
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.250
ip route 10.1.0.0 255.255.255.0 192.168.111.129
ip route 10.105.253.0 255.255.255.0 10.120.105.1
!
access-list 101 permit tcp any host 172.16.215.217 eq telnet
access-list 101 permit ip host 172.16.201.56 192.168.111.0 0.0.0.31
access-list 101 permit ip host 172.16.201.56 10.120.105.0 0.0.0.7
access-list 101 permit ip host 172.16.201.56 10.105.253.0 0.0.0.255
access-list 101 permit icmp host 172.16.201.56 any
access-list 101 permit ip host 172.16.245.37 192.168.111.0 0.0.0.31
access-list 101 permit ip host 172.16.245.37 10.120.105.0 0.0.0.7
access-list 101 permit ip host 172.16.245.37 10.105.253.0 0.0.0.255
access-list 101 permit icmp host 172.16.245.37 any
access-list 101 permit ip host 192.168.215.49 192.168.111.0 0.0.0.31
access-list 101 permit ip host 192.168.215.49 10.120.105.0 0.0.0.7
access-list 101 permit ip host 192.168.215.49 10.105.253.0 0.0.0.255
access-list 101 permit icmp host 192.168.215.49 any
access-list 101 permit ip host 172.16.20.190 host 192.168.111.2
access-list 101 permit ip host 172.16.204.64 host 192.168.111.2
access-list 101 permit ip host 192.168.30.50 any
access-list 102 permit tcp host 192.168.111.10 any
access-list 102 permit udp host 192.168.111.10 any
access-list 102 permit ip host 192.168.111.1 10.105.253.0 0.0.0.255
access-list 102 permit ip host 192.168.111.2 10.105.253.0 0.0.0.255
access-list 102 permit ip host 192.168.111.3 10.105.253.0 0.0.0.255
access-list 102 permit ip host 192.168.111.4 10.105.253.0 0.0.0.255
access-list 102 permit ip host 192.168.111.5 10.105.253.0 0.0.0.255
access-list 102 permit ip host 192.168.111.6 10.105.253.0 0.0.0.255
access-list 102 permit icmp host 192.168.111.1 any
access-list 102 permit icmp host 192.168.111.2 any
access-list 102 permit icmp host 192.168.111.3 any
access-list 102 permit icmp host 192.168.111.4 any
access-list 102 permit icmp host 192.168.111.5 any
access-list 102 permit icmp host 192.168.111.6 any
access-list 102 permit ip host 192.168.111.24 10.1.0.0 0.0.0.255
access-list 102 permit ip host 192.168.111.26 10.1.0.0 0.0.0.255
access-list 102 permit ip host 192.168.111.28 10.1.0.0 0.0.0.255
end
12-03-2004 03:30 AM
Hi there,
I might be wrong, but that's how I see the situation:
1. When a session is initiated from the IP Office (f4/1->f0/1), packets pass ACL 101 and go to CBAC. CBAC creates a temporary entry at the top of ACL 102, and after that the packet gets forwarded out of f0/1. When the return traffic comes back, it hits the first (temporary) entry and passes through to f4/1. Of course, it wouldn't hit the later entry in ACL 102.
2. When a session is initiated by the IP Phone (f0/1->f4/1) - and your temporary entry from the previous communication has timed out / been removed from ACL 102 - the traffic goes to ACL 102, in which you don't have a temporary entry for that session, and hits entry #20.
Maybe this link will help:
Regards,
Oleg.
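As an added illustration of the behaviour described in Oleg's reply (this is not code from the original thread or from IOS), the following Python model evaluates ACL 102 first-match, with a CBAC temporary entry inserted at the top for an IP Office-initiated session and then removed on timeout. The Ace/evaluate/cbac_inspect names, the UDP port numbers taken from the show output, and the use of seq 0 for the temporary entry are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One access-list entry; dynamic=True marks a temporary entry created by CBAC."""
    seq: int
    proto: str                   # "tcp", "udp" or "ip"
    src: str                     # host address or "any"
    dst: str
    sport: Optional[int] = None  # None = any port
    dport: Optional[int] = None
    dynamic: bool = False
    matches: int = 0

def ace_matches(ace: Ace, pkt: dict) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt["proto"])
            and ace.src in ("any", pkt["src"]) and ace.dst in ("any", pkt["dst"])
            and ace.sport in (None, pkt["sport"]) and ace.dport in (None, pkt["dport"]))

def evaluate(acl: list, pkt: dict) -> Optional[int]:
    """First-match evaluation; returns the seq of the matching entry, or None for the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            ace.matches += 1
            return ace.seq
    return None

def cbac_inspect(acl: list, pkt: dict) -> None:
    """Session permitted inbound on F4/1 and inspected: CBAC inserts a temporary entry at the
    TOP of the return-path ACL (102 on F0/1) permitting the mirrored reply. seq 0 is a placeholder;
    the real show output lists temporary entries without a sequence number."""
    acl.insert(0, Ace(0, pkt["proto"], pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"], dynamic=True))

def cbac_expire(acl: list) -> None:
    """Idle timeout: temporary entries are removed, static entries remain."""
    acl[:] = [a for a in acl if not a.dynamic]

def static_acl102() -> list:
    return [Ace(10, "tcp", "192.168.111.10", "any"), Ace(20, "udp", "192.168.111.10", "any")]

def scenario() -> dict:
    acl = static_acl102()
    # Constructed packets: IP Office -> phone request and the phone's reply (ports from the show output)
    office = {"proto": "udp", "src": "192.168.30.50", "sport": 1719, "dst": "192.168.111.10", "dport": 3000}
    phone = {"proto": "udp", "src": "192.168.111.10", "sport": 3000, "dst": "192.168.30.50", "dport": 1719}
    cbac_inspect(acl, office)                 # 1. IP Office opens the session
    while_open = evaluate(acl, phone)         #    reply hits the temporary entry, not seq 20
    cbac_expire(acl)                          # 2. temporary entry times out
    after_expire = evaluate(acl, phone)       #    phone-initiated traffic falls through to seq 20
    return {"while_open": while_open, "after_expire": after_expire, "seq20_matches": acl[-1].matches}
```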