Hi,
I have a Cisco WS-C6509 running IOS s72033_rp-IPSERVICESK9-M, Version 12.2(33)SXI5
with a WS-SUP720-3B Rev 5.2 + WS-SUP720 MSFC3 Daughterboard Rev. 2.5.
The problem: I want to use reflexive ACLs to allow machines on the intranet to only access internet stuff and allow the returning packets!
I followed this guide: http://etutorials.org/Networking/Router+firewall+security/Part+IV+Stateful+and+Advanced+Filtering+Technologies/Chapter+8.+Reflexive+Access+Lists/Overview+of+Reflexive+ACLs/
To have all ACLs processed in hardware I can only use access-group ... in statements.
So I use the following configuration:
sh run in Vlan2
interface Vlan2
 description IntranetVlan
 ip address 10.0.0.1 255.255.255.0
 ip access-group intranet_in in
 ip nat inside

sh ip access-lists intranet_in
    10 deny ip any addrgroup OtherLocalNets
    20 permit ip any any reflect intranet_in_racl
    30 deny ip any any

sh run in t7/5
interface TenGigabitEthernet7/5
 description InternetUplink
 ip address 123.123.123.123 255.255.255.252
 no ip unreachables
 no cdp enable
 spanning-tree bpdufilter enable
 ip nat outside
 ip access-group internet_in in

sh ip access-lists internet_in
    10 evaluate intranet_in_racl
    [...] permit [...]
    200 deny ip any any
Now the problem is that it does not work this way!
The entries in intranet_in_racl look like this:
permit tcp host 234.234.234.234 eq 80 host 10.0.0.100 eq 43432
If I move the access-list intranet_in into the t7/5 interface config as
 ip access-group intranet_in out
it works, however in software only (slow)!
So it seems as if the nat translation is done after the access-group ... in statement on t7/5...
How can I fix this?!
Please help!
Thanks,
Justus
PS: I cannot afford an FWSM module to use ip inspect CBAC rules.
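As an added illustration (not part of Justus's post and not Cisco code), this Python model builds a reflexive entry the way the reflect keyword does, mirroring the 5-tuple as it looks where the reflecting ACL sits, and then checks the returning packet at internet_in on t7/5, where IOS evaluates an inbound ACL before outside-to-inside NAT. It compares the two placements from the post. The inside-global NAT address (assumed here to be the t7/5 interface address), the flow values and all function names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One IP 5-tuple, as an ACL entry or a packet sees it."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Addresses from the post; NAT_PUBLIC as the inside-global address is an
# assumption (interface overload on t7/5 would give exactly this).
INSIDE_HOST = "10.0.0.100"
NAT_PUBLIC = "123.123.123.123"
WEB_SERVER = "234.234.234.234"

def translate_out(pkt: Flow) -> Flow:
    """Inside-to-outside NAT: rewrite the private source to the public address."""
    return Flow(pkt.proto, NAT_PUBLIC, pkt.sport, pkt.dst, pkt.dport)

def reflect(seen: Flow) -> Flow:
    """Build the reflexive entry like 'reflect' does: swap source and
    destination of the packet as it looked where the reflecting ACL sits."""
    return Flow(seen.proto, seen.dst, seen.dport, seen.src, seen.sport)

def evaluate(racl: list, pkt: Flow) -> bool:
    """'evaluate intranet_in_racl': permit only an exact mirrored match."""
    return any(entry == pkt for entry in racl)

def reply_permitted(reflect_point: str) -> bool:
    """'vlan2_in': reflect in intranet_in applied inbound on Vlan2 (pre-NAT).
    't7/5_out': reflect in intranet_in applied outbound on t7/5 (post-NAT).
    The evaluate is always in internet_in, inbound on t7/5, which IOS checks
    before outside-to-inside NAT, so the reply still carries NAT_PUBLIC as dst."""
    outbound = Flow("tcp", INSIDE_HOST, 43432, WEB_SERVER, 80)
    if reflect_point == "vlan2_in":
        seen = outbound                   # private source recorded
    elif reflect_point == "t7/5_out":
        seen = translate_out(outbound)    # public source recorded
    else:
        raise ValueError(reflect_point)
    racl = [reflect(seen)]
    reply_on_wire = Flow("tcp", WEB_SERVER, 80, NAT_PUBLIC, 43432)
    return evaluate(racl, reply_on_wire)

if __name__ == "__main__":
    for point in ("vlan2_in", "t7/5_out"):
        print(f"reflect at {point}: reply {'permitted' if reply_permitted(point) else 'dropped'}")
```

The pre-NAT entry (permit tcp host 234.234.234.234 eq 80 host 10.0.0.100 eq 43432) never matches a reply whose destination is still the public address, which is the mismatch the post describes.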