Question on Context-Based Access Control

paul
Level 1

Hi,

I have CBAC configured on an outbound interface on an 857w router. One particular port is being dropped by the ACL; how can I allow this port through the CBAC list?

CBAC

ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 5566

Interface CBAC is applied to

interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable

Debug log

*Mar  1 01:09:40.610: IP: s=192.168.2.50 (BVI1), d=192.168.2.255, len 40, access denied
*Mar  1 01:09:40.610:     UDP src=5567, dst=5567
*Mar  1 01:09:43.611: IP: tableid=0, s=188.94.20.180 (BVI1), d=188.94.20.178 (Dialer0), routed via FIB
*Mar  1 01:09:43.611: IP: s=188.94.20.180 (BVI1), d=188.94.20.178 (Dialer0), len 60, dropped by inspect
*Mar  1 01:09:43.611:     TCP src=1025, dst=5566, seq=2096033422, ack=0, win=8192 SYN
*Mar  1 01:09:43.611: IP: tableid=0, s=188.94.20.178 (Dialer0), d=192.168.2.50 (BVI1), routed via FIB
*Mar  1 01:09:43.611: IP: s=188.94.20.178 (Dialer0), d=192.168.2.50 (BVI1), g=192.168.2.50, len 40, forward
*Mar  1 01:09:43.611:     TCP src=5566, dst=1025, seq=6726647, ack=2096034319, win=8192 ACK
*Mar  1 01:09:47.311: IP: s=209.85.143.99 (Dialer0), d=188.94.20.180, len 40, access denied
*Mar  1 01:09:47.311:     TCP src=80, dst=1114, seq=69182090, ack=0, win=0 RST

Can I allow individual ports out through the CBAC list? Is it port 1025 that I need to allow out? If I remove the inspection from DIALER0, all traffic is stopped.

Any assistance greatly appreciated.

Cheers

Paul
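An added example, not part of Paul's post or the reply that follows: a small Python parser for the two-line router debug entries quoted above (assumed to be `debug ip packet detail` output). It pairs each IP line carrying a verdict with the TCP/UDP line after it, so you can see at a glance whether a packet was stopped by the interface ACL ("access denied") or by CBAC ("dropped by inspect"), and on which interface and port. The sample log is a constructed copy of the lines in the question.

```python
import re

# Constructed sample modelled on the debug output quoted in the question above:
# every packet is an IP line carrying the verdict, then an indented L4 line with ports.
SAMPLE_DEBUG = """\
*Mar  1 01:09:40.610: IP: s=192.168.2.50 (BVI1), d=192.168.2.255, len 40, access denied
*Mar  1 01:09:40.610:     UDP src=5567, dst=5567
*Mar  1 01:09:43.611: IP: tableid=0, s=188.94.20.180 (BVI1), d=188.94.20.178 (Dialer0), routed via FIB
*Mar  1 01:09:43.611: IP: s=188.94.20.180 (BVI1), d=188.94.20.178 (Dialer0), len 60, dropped by inspect
*Mar  1 01:09:43.611:     TCP src=1025, dst=5566, seq=2096033422, ack=0, win=8192 SYN
*Mar  1 01:09:43.611: IP: s=188.94.20.178 (Dialer0), d=192.168.2.50 (BVI1), g=192.168.2.50, len 40, forward
*Mar  1 01:09:43.611:     TCP src=5566, dst=1025, seq=6726647, ack=2096034319, win=8192 ACK
*Mar  1 01:09:47.311: IP: s=209.85.143.99 (Dialer0), d=188.94.20.180, len 40, access denied
*Mar  1 01:09:47.311:     TCP src=80, dst=1114, seq=69182090, ack=0, win=0 RST
"""

TS = re.compile(r"^\*\S+\s+\d+\s+\d\d:\d\d:\d\d\.\d+:\s+(?P<body>.*)$")
# "routed via FIB" lines carry no verdict and deliberately do not match here.
IP_HDR = re.compile(r"^IP: (?:tableid=\d+, )?s=(?P<src>[\d.]+)(?: \((?P<in_if>[^)]+)\))?"
                    r", d=(?P<dst>[\d.]+)(?: \([^)]+\))?.*?, (?P<verdict>access denied|dropped by inspect|forward)$")
L4_HDR = re.compile(r"^(?P<proto>TCP|UDP) src=(?P<sport>\d+), dst=(?P<dport>\d+)(?:.*\b(?P<flags>SYN|ACK|RST|FIN)$)?")


def parse_packets(debug_text: str) -> list[dict]:
    """Pair each IP verdict line with the L4 line that follows it."""
    packets, pending = [], None
    for raw in debug_text.splitlines():
        ts = TS.match(raw)
        if not ts:
            continue
        ip = IP_HDR.match(ts["body"])
        if ip:
            pending = ip.groupdict()  # wait for the matching TCP/UDP line
            continue
        l4 = L4_HDR.match(ts["body"])
        if l4 and pending is not None:
            pkt = {**pending, **l4.groupdict()}
            pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
            packets.append(pkt)
            pending = None
    return packets


def dropped_flows(packets: list[dict]) -> list[tuple]:
    """Non-forwarded packets with the verdict and ingress interface.
    "access denied" means the ACL on the ingress interface rejected it;
    "dropped by inspect" means the CBAC rule did, so this tells you which one to adjust."""
    return [(p["verdict"], p["in_if"], p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
            for p in packets if p["verdict"] != "forward"]
```

Running `dropped_flows(parse_packets(SAMPLE_DEBUG))` on the sample separates the outbound SYN to 5566 that CBAC dropped on BVI1 from the two packets the ingress ACLs denied.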

1 Reply

Eugene Khabarov
Level 7

Hello! Just add your permit statement to the ACL 101.

access-list 101 permit tcp any eq 1025 any
