CBAC java problem

brymiller
Level 1

In the case below we want Java applets to be downloaded from 150.50.4.80. The INFILTER allows just about everything in. TCP, UDP, and HTTP-Java are allowed out.

Now access-list 1 permits a *source* of 150.50.4.80, yet the outbound inspection should be keying on a *destination* of 150.50.4.80. Am I missing something?

<snip>
!
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http java-list 1
!
<snip>
!
interface Serial0/1/0.2 point-to-point
 ip address 150.50.25.5 255.255.255.0
 ip access-group INFILTER in
 ip inspect FW out
 frame-relay interface-dlci 501
!
<snip>
!
ip access-list extended INFILTER
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 deny ip host 0.0.0.0 any log
 deny ip host 255.255.255.255 any log
 permit ip any any
!
access-list 1 permit 150.50.4.80
!
<snip>

3 Replies

nkhawaja
Cisco Employee

To filter Java applets from this source, you need to apply this inspection inbound, but you also need to apply an inspection outbound for the return traffic for your inside network.

My understanding of CBAC is that a router "inspects" on the outbound traffic which modifies a restrictive ACL for the returning traffic.

My question is about the purpose of the http java-list ACL. Why is this needed at all, since the HTTP traffic is inspected on the way out? Why is an ACL needed to specify the source of the Java applet? I expect the source to already be known and cached, since that HTTP host is a destination that I am inspecting already. Is it just for finer granularity? If so, it seems odd to make it a required param.

Any further insight?

My understanding of CBAC is that a router "inspects" on the outbound traffic which modifies a restrictive ACL for the returning traffic.

>> True.

My question is about the purpose of the http java-list ACL. Why is this needed at all, since the HTTP traffic is inspected on the way out?

>> HTTP inspection is not at all needed unless you want to filter Java. The HTTP traffic comes under TCP, so a TCP inspection takes care of it. Unless you want Java filtering, you don't need HTTP inspection.

Why is an ACL needed to specify the source of the Java applet? I expect the source to already be known and cached, since that HTTP host is a destination that I am inspecting already. Is it just for finer granularity? If so, it seems odd to make it a required param.

>> I think I answered it already, and now I think you don't need another inspection inbound; the outbound should take care of it. When you define the HTTP inspection, you should always define the source to be allowed, otherwise you don't even need HTTP inspection.

Any further insight?
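Added illustration, not part of the thread or of any Cisco code: a small Python model of how the standard ACL named by `java-list` is evaluated. The list is a source-only standard ACL because CBAC checks it against the address of the web server that returned the applet, i.e. the source of the inbound HTTP response, which is why the thread's list permits 150.50.4.80 as a source even though the client's outbound request had it as the destination. The parser, matching function and sample lists are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class StdAclEntry:
    action: str     # "permit" or "deny"
    address: int    # base address as a 32-bit integer
    wildcard: int   # IOS wildcard mask: 1 bits are "don't care"


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_std_acl(lines):
    """Parse numbered standard ACL lines such as
    'access-list 1 permit 150.50.4.80' or 'access-list 1 deny any'."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue  # skip remarks and anything that is not an ACE
        action, rest = parts[2], parts[3:]
        if rest[0] == "any":
            addr, wc = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            addr, wc = _to_int(rest[1]), 0
        else:
            addr = _to_int(rest[0])
            # a bare address with no wildcard (as in the thread's list 1) is an exact host
            wc = _to_int(rest[1]) if len(rest) > 1 and rest[1][0].isdigit() else 0
        entries.append(StdAclEntry(action, addr, wc))
    return entries


def std_acl_permits(entries, ip):
    """First-match evaluation; an unmatched address hits the implicit deny."""
    x = _to_int(ip)
    for e in entries:
        care = ~e.wildcard & 0xFFFFFFFF
        if (x & care) == (e.address & care):
            return e.action == "permit"
    return False


def java_applet_allowed(java_list, server_ip):
    """Model of 'ip inspect name FW http java-list N' (assumed semantics): the
    standard ACL is checked against the web server that sent the applet, i.e.
    the source of the HTTP response, not the destination of the client's request."""
    return std_acl_permits(java_list, server_ip)


if __name__ == "__main__":
    acl1 = parse_std_acl(["access-list 1 permit 150.50.4.80"])  # the thread's own list
    for server in ("150.50.4.80", "150.50.4.81"):
        print(server, "applet allowed" if java_applet_allowed(acl1, server) else "applet blocked")
```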