Hi,

I have a cisco WS-C6509 running IOS s72033_rp-IPSERVICESK9-M, Version 12.2(33)SXI5

with a WS-SUP720-3B Rev 5.2 + WS-SUP720 MSFC3 Daughterboard Rev. 2.5.

The problem: I want to use reflexive ACL's to allow machines on the intranet to only access internet stuff and allow the returning packets!

I followed this guide: http://etutorials.org/Networking/Router+firewall+security/Part+IV+Stateful+and+Advanced+Filtering+Technologies/Chapter+8.+Reflexive+Access+Lists/Overview+of+Reflexive+ACLs/

To have all ACL's processed in hardware I can only use access-group ... in statements.

So I use following configuration:

sh run in Vlan2

interface Vlan2
description IntranetVlan
ip address 10.0.0.1 255.255.255.0
ip access-group intranet_in in
ip nat inside

sh ip access-lists intranet_in

10 deny ip any addrgroup OtherLocalNets
20 permit ip any any reflect intranet_in_racl
30 deny ip any any

sh run in t7/5

interface TenGigabitEthernet7/5
description InternetUplink
ip address 123.123.123.123 255.255.255.252
no ip unreachables
no cdp enable
spanning-tree bpdufilter enable
ip nat outside
ip access-group internet_in in

sh ip access-lists internet_in

10 evaluate intranet_in_racl
[...] permit [...]
200 deny ip any any

Now the problem is that it does not work this way!#

The entries in intranet_in_racl look like this:

permit tcp host 234.234.234.234 eq 80 host 10.0.0.100 eq 43432

If I move the access-list intranet_in into the t7/5 Interface config as

ip access-group intranet_in out

It works - however in software only - slow!

So it seems as if the nat translation is done after the access-group ... in statement on t7/5...

How can I fix this?!

Please help!

Thanks,

Justus

PS: I cannot afford a fwsm module to use ip inspect CBAC rules