03-07-2006 03:44 AM - edited 03-09-2019 02:10 PM
With an inspect rule (tcp/udp) placed on the outside interface (direction out), an outbound ACL that enables any outbound traffic and an inbound ACL that denies any traffic:
- The CBAC router does not place dynamic entries in the inbound ACL (outside interface), which still denies any traffic.
- CBAC inspects outbound telnet traffic and even has a record of the session.
IOS 12.2 --------------------------------------
01:03:43: CBAC sis 80F80C1C pak 80DA74FC TCP SYN SEQ 3591068383 LEN 0 (10.0.0.3:1053) => (100.0.0.2:23)
CBAC#
CBAC#sh ip inspect sessions
Half-open Sessions
Session 80F80C1C (10.0.0.3:1053)=>(100.0.0.2:23) tcp SIS_OPENING
CBAC#
Any idea about this issue?
Thank you in advance
03-07-2006 07:59 AM
Not completely sure what you are asking - but if you're asking why you don't see any entries added by CBAC into the inbound access-list (to allow the returning traffic), when you 'sh access-list' - then you might want to have a read of this:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d33da.html
As of 12.3T - CBAC bypasses the processing of the inbound access-list for traffic which is permitted by CBAC - to speed up the packet processing - so you won't see entries dynamically added to the access-lists - you have to look in 'sh ip inspect sessions' instead.
Hope that helps.
Rob...
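For reference, here is the kind of configuration the original post describes (inspect rule applied outbound on the outside interface, permit-any outbound ACL, deny-any inbound ACL), as an added example; it is not the poster's config. Interface names, ACL names and the inspect rule name are assumptions, and the addressing is chosen only to match the 10.0.0.3 -> 100.0.0.2:23 session in the log above:

```cisco
! Added example configuration (not the original poster's config).
! Interface names, ACL names and the inspect rule name "FW" are assumptions.
! Inside LAN 10.0.0.0/24 on FastEthernet0/0, outside on FastEthernet0/1,
! matching the addresses seen in the thread's log (10.0.0.3 -> 100.0.0.2:23).
!
ip inspect name FW tcp
ip inspect name FW udp
! Log session open/close events to syslog for later review
ip inspect audit-trail
!
ip access-list extended OUTSIDE_IN
 remark Deny everything inbound; CBAC permits return traffic for inspected sessions
 deny   ip any any
!
ip access-list extended OUTSIDE_OUT
 remark Permit any outbound traffic (this is the traffic CBAC inspects)
 permit ip any any
!
interface FastEthernet0/0
 description Inside
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 description Outside
 ip address 100.0.0.1 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip access-group OUTSIDE_OUT out
 ip inspect FW out
!
! Verification:
!   show ip inspect sessions      - the session table; on 12.3T and later this is
!                                   the authoritative place to see what CBAC allows
!   show access-list OUTSIDE_IN   - on 12.2, CBAC-added temporary permit entries
!                                   show up here ahead of the deny; on 12.3T and
!                                   later expect none, because inbound ACL processing
!                                   is bypassed for inspected return traffic
```

The same result can be achieved by applying the inspect rule inbound on the inside interface (`ip inspect FW in` under FastEthernet0/0) instead of outbound on the outside interface; either way, the check that matters when a return packet is dropped is whether the session exists in `show ip inspect sessions` and, on a pre-12.3T image such as the 12.2 in this thread, whether the matching temporary entry was actually inserted into the inbound ACL.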
03-07-2006 10:53 AM
Hi, the problem is that the firewall doesn't open an entry in the inbound ACL (on the external interface), which blocks the traffic back.
The router uses IOS 12.2, so it doesn't bypass the ACL BUT adds a dynamic entry.
03-08-2006 03:48 AM
Not sure then - why don't you paste your config into here - along with what session you're trying to create - source/dest IPs/ports etc., and I'll take a look.
Rob...