12-21-2006 12:07 PM
This is kind of a general question about how CBAC works. If I have the following inspection on my outside (Internet-facing) interface:
ip inspect name ASDF icmp router-traffic
ip inspect name ASDF tcp router-traffic
ip inspect name ASDF udp router-traffic
I also have a PIX on the inside that is NATing internal users to the VLAN of its outside interface (which is the inside interface of the router). So users are coming from the PIX with a public IP like 1.2.3.4.
I have an inbound ACL on the Internet interface of my router that allows "ip any" to 1.2.3.4. Basically I am wanting to pass all traffic filtering responsibilities on to the PIX for this one IP address.
So I assume that my outbound Internet traffic is triggering TCP inspection and possibly creating dynamic pinholes, but I don't really need this functionality. I mainly wanted to use CBAC to allow other devices and the router itself the ability to have dynamic pinholes. Something to do with CBAC is causing intermittent connectivity for internal users. Most sites are accessible, but a handful appear to be having problems with CBAC; turning it off allows access to all sites.
01-04-2007 01:53 AM
CBAC is examined on a given interface only if the traffic is not explicitly permitted by an ACL on that interface.
The solution is to permit the traffic manually on the router:
on the lan facing interface: permit ip host 1.2.3.4 any
on the internet interface: permit ip any host 1.2.3.4
If this helped please rate.
Regards,
Daniel
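The layout Daniel describes, written out as a complete interface configuration. This is an added example, not a config posted in the thread: the interface names (FastEthernet0/0 toward the Internet, FastEthernet0/1 toward the PIX) and the ACL names OUTSIDE-IN and INSIDE-IN are assumptions; the inspect rule name ASDF and the address 1.2.3.4 are the poster's.

```cisco
! Added example, not from the thread. Interface names and ACL names are
! assumptions; the inspect rule ASDF and host 1.2.3.4 come from the poster.
ip inspect name ASDF icmp router-traffic
ip inspect name ASDF tcp router-traffic
ip inspect name ASDF udp router-traffic
!
! Inbound on the Internet-facing interface: the PIX's public address is
! permitted statically, so the PIX does its own filtering for that host.
! Everything else is denied here and can only get in through a CBAC
! pinhole opened by an inspected outbound session.
ip access-list extended OUTSIDE-IN
 permit ip any host 1.2.3.4
 deny   ip any any
!
! Inbound on the LAN-facing interface: only the PIX's NAT address may
! originate traffic toward the Internet.
ip access-list extended INSIDE-IN
 permit ip host 1.2.3.4 any
 deny   ip any any
!
interface FastEthernet0/0
 description Internet
 ip access-group OUTSIDE-IN in
 ip inspect ASDF out
!
interface FastEthernet0/1
 description LAN (PIX outside)
 ip access-group INSIDE-IN in
```

Two things to check after applying it. `show ip inspect sessions` lists the sessions CBAC is tracking, and `show ip access-lists OUTSIDE-IN` shows the dynamic entries CBAC has added above the static lines together with hit counts on the `permit ip any host 1.2.3.4` line. Note that `ip inspect ASDF out` is applied per interface and direction, not per ACL entry, so outbound TCP, UDP and ICMP from 1.2.3.4 is still inspected; the static permit only means that 1.2.3.4's return traffic no longer depends on a pinhole being present.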
01-04-2007 08:01 AM
Thanks, I had permit ip any host 1.2.3.4 on the Internet interface and permit ip any any on the LAN interface.