06-09-2011 07:33 AM - edited 03-04-2019 12:39 PM
Hi,
I have CBAC configured on an outbound interface on an 857w router. One particular port is being dropped by the ACL; how can I allow this port through the CBAC list?
CBAC
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 5566
Interface CBAC is applied to
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
Debug log
*Mar 1 01:09:40.610: IP: s=192.168.2.50 (BVI1), d=192.168.2.255, len 40, access denied
*Mar 1 01:09:40.610: UDP src=5567, dst=5567
*Mar 1 01:09:43.611: IP: tableid=0, s=188.94.20.180 (BVI1), d=188.94.20.178 (Dialer0), routed via FIB
*Mar 1 01:09:43.611: IP: s=188.94.20.180 (BVI1), d=188.94.20.178 (Dialer0), len 60, dropped by inspect
*Mar 1 01:09:43.611: TCP src=1025, dst=5566, seq=2096033422, ack=0, win=8192 SYN
*Mar 1 01:09:43.611: IP: tableid=0, s=188.94.20.178 (Dialer0), d=192.168.2.50 (BVI1), routed via FIB
*Mar 1 01:09:43.611: IP: s=188.94.20.178 (Dialer0), d=192.168.2.50 (BVI1), g=192.168.2.50, len 40, forward
*Mar 1 01:09:43.611: TCP src=5566, dst=1025, seq=6726647, ack=2096034319, win=8192 ACK
*Mar 1 01:09:47.311: IP: s=209.85.143.99 (Dialer0), d=188.94.20.180, len 40, access denied
*Mar 1 01:09:47.311: TCP src=80, dst=1114, seq=69182090, ack=0, win=0 RST
Can I allow individual ports out through the CBAC list? Is it port 1025 that I need to allow out? If I remove the inspection from Dialer0, all traffic is stopped.
Any assistance greatly appreciated.
Cheers
Paul
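The debug output in the post above mixes two different drop reasons: "access denied" is what IOS prints when an access list rejects a packet, while "dropped by inspect" is printed when the inspection engine (CBAC) refuses it, and for TCP/UDP packets IOS prints the layer-4 line immediately after the IP line. The Python script below is an added example written for this page; it is not from the post or the reply. It pairs each IP line with its TCP/UDP line, labels each drop with the mechanism that produced it, and lists the destination ports the inspection engine refused, so the fix can be aimed at the right place. The regular expressions are written for the debug ip packet detail format shown in the post; other IOS releases may print slightly different fields.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The ten debug lines from the post above, copied verbatim.
SAMPLE_LOG = """\
*Mar 1 01:09:40.610: IP: s=192.168.2.50 (BVI1), d=192.168.2.255, len 40, access denied
*Mar 1 01:09:40.610: UDP src=5567, dst=5567
*Mar 1 01:09:43.611: IP: tableid=0, s=188.94.20.180 (BVI1), d=188.94.20.178 (Dialer0), routed via FIB
*Mar 1 01:09:43.611: IP: s=188.94.20.180 (BVI1), d=188.94.20.178 (Dialer0), len 60, dropped by inspect
*Mar 1 01:09:43.611: TCP src=1025, dst=5566, seq=2096033422, ack=0, win=8192 SYN
*Mar 1 01:09:43.611: IP: tableid=0, s=188.94.20.178 (Dialer0), d=192.168.2.50 (BVI1), routed via FIB
*Mar 1 01:09:43.611: IP: s=188.94.20.178 (Dialer0), d=192.168.2.50 (BVI1), g=192.168.2.50, len 40, forward
*Mar 1 01:09:43.611: TCP src=5566, dst=1025, seq=6726647, ack=2096034319, win=8192 ACK
*Mar 1 01:09:47.311: IP: s=209.85.143.99 (Dialer0), d=188.94.20.180, len 40, access denied
*Mar 1 01:09:47.311: TCP src=80, dst=1114, seq=69182090, ack=0, win=0 RST
"""

# Timestamp prefix, e.g. "*Mar 1 01:09:40.610: "
TS_RE = re.compile(r"^\*?\w{3}\s+\d+\s+[\d:.]+:\s+(?P<body>.*)$")

# Layer-3 line. "(IF)" after s= is the ingress interface, after d= the egress
# interface; "g=" (next hop) and "len" are only present on some variants.
IP_RE = re.compile(
    r"^IP: (?:tableid=\d+, )?"
    r"s=(?P<src>[\d.]+) \((?P<in_if>\w+)\), "
    r"d=(?P<dst>[\d.]+)(?: \((?P<out_if>\w+)\))?"
    r"(?:, g=[\d.]+)?"
    r"(?:, len (?P<length>\d+))?"
    r", (?P<action>.+)$"
)

# Layer-4 line that IOS prints after the IP line for TCP and UDP packets.
L4_RE = re.compile(
    r"^(?P<proto>TCP|UDP) src=(?P<sport>\d+), dst=(?P<dport>\d+)"
    r"(?:, .*?win=\d+ (?P<flags>[A-Z ]+))?$"
)

# IOS drop wording -> the mechanism that produced it.
DROP_REASON = {"access denied": "acl", "dropped by inspect": "inspect"}


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: Optional[str]
    action: str
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: str = ""

    @property
    def dropped_by(self) -> Optional[str]:
        """'acl', 'inspect', or None when the packet was not dropped."""
        return DROP_REASON.get(self.action)


def parse_ip_debug(text: str) -> List[Packet]:
    """Build one Packet per IP line and attach the TCP/UDP line that follows it."""
    packets: List[Packet] = []
    for raw in text.splitlines():
        ts = TS_RE.match(raw.strip())
        if not ts:
            continue  # not a debug line
        body = ts.group("body")
        ip = IP_RE.match(body)
        if ip:
            packets.append(Packet(src=ip["src"], dst=ip["dst"], in_if=ip["in_if"],
                                  out_if=ip["out_if"], action=ip["action"]))
            continue
        l4 = L4_RE.match(body)
        # A layer-4 line belongs to the IP line printed just before it.
        if l4 and packets and packets[-1].proto is None:
            p = packets[-1]
            p.proto = l4["proto"]
            p.sport, p.dport = int(l4["sport"]), int(l4["dport"])
            p.flags = (l4["flags"] or "").strip()
    return packets


def drop_summary(packets: List[Packet]) -> List[Dict[str, object]]:
    """One record per dropped packet: which mechanism dropped it plus the 5-tuple."""
    return [
        {"by": p.dropped_by, "in_if": p.in_if, "out_if": p.out_if, "proto": p.proto,
         "src": p.src, "sport": p.sport, "dst": p.dst, "dport": p.dport, "flags": p.flags}
        for p in packets if p.dropped_by
    ]


def inspect_drops(packets: List[Packet]) -> List[Tuple[str, int]]:
    """(protocol, destination port) of every packet the inspection engine refused."""
    return [(p.proto, p.dport) for p in packets if p.dropped_by == "inspect"]


if __name__ == "__main__":
    for d in drop_summary(parse_ip_debug(SAMPLE_LOG)):
        print(f"{d['by']:8} {d['in_if']:>8} -> {str(d['out_if']):<8} "
              f"{d['proto']} {d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} {d['flags']}")
```

Run stand-alone it prints the three dropped packets from the posted log. Only one of them, the TCP SYN from BVI1 toward Dialer0 with destination port 5566, is an inspect drop; the UDP 5567 broadcast on BVI1 and the inbound RST from port 80 on Dialer0 are access-list drops, which is the distinction to keep in mind when deciding whether a permit statement or a change to the inspect list is the right fix.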
06-09-2011 07:39 AM
Hello! Just add your permit statement to ACL 101.
permit tcp any host eq 1025 any