CBAC problems - intermittent connectivity

sstone
Level 1

This is kind of a general question about how CBAC works. If I have the following inspection on my outside (Internet-facing) interface:

ip inspect name ASDF icmp router-traffic
ip inspect name ASDF tcp router-traffic
ip inspect name ASDF udp router-traffic

I also have a PIX on the inside that is NATing internal users to the VLAN of its outside interface (which is the inside interface of the router). So users are coming from the PIX with a public IP like 1.2.3.4.

I have an inbound ACL on the Internet interface of my router that allows "ip any" to 1.2.3.4. Basically I am wanting to pass all traffic filtering responsibilities on to the PIX for this one IP address.

So I assume that my outbound Internet traffic is triggering TCP inspection and possibly creating dynamic pinholes, but I don't really need this functionality. I mainly wanted to use CBAC to allow other devices and the router itself the ability to have dynamic pinholes. Something to do with CBAC is causing intermittent connectivity for internal users. Most sites are accessible, but a handful appear to be having problems with CBAC; turning it off allows access to all sites.

2 Replies

5220
Level 4

CBAC is examined on a given interface only if the traffic is not explicitly permitted by an ACL on that interface.

The solution is to permit the traffic manually on the router:

on the lan facing interface: permit ip host 1.2.3.4 any

on the internet interface: permit ip any host 1.2.3.4

If this helped please rate.

Regards,

Daniel
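Below is an added IOS configuration (not posted in this thread) that puts Daniel's two explicit permits into context with the inspection rule from the question. The interface names, ACL names, router addresses and the direction in which ASDF is applied are assumptions; 1.2.3.4 is the PIX outside address from the thread.

```cisco
! Added example, not from the thread. Interface names, ACL names and
! addresses other than 1.2.3.4 are assumed for illustration.
!
! Inspection rule exactly as the question lists it; router-traffic also
! inspects sessions the router itself originates.
ip inspect name ASDF icmp router-traffic
ip inspect name ASDF tcp router-traffic
ip inspect name ASDF udp router-traffic
!
! Internet interface, inbound: the explicit permit for the PIX outside
! address means return traffic to 1.2.3.4 no longer depends on a CBAC
! pinhole; filtering for that host is delegated to the PIX. Everything
! else is denied unless CBAC has opened a dynamic entry for it.
ip access-list extended OUTSIDE-IN
 permit ip any host 1.2.3.4
 deny   ip any any log
!
! LAN-facing interface, inbound: explicit permit from the PIX.
ip access-list extended INSIDE-IN
 permit ip host 1.2.3.4 any
 deny   ip any any log
!
interface FastEthernet0/0
 description Internet (assumed addressing)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect ASDF out
!
interface FastEthernet0/1
 description Inside - PIX outside VLAN (assumed addressing)
 ip address 1.2.3.1 255.255.255.0
 ip access-group INSIDE-IN in
!
! Checks after the change: sessions to or from 1.2.3.4 should no longer
! appear in the inspect session table, and the OUTSIDE-IN permit counter
! should increment instead.
!   show ip inspect sessions
!   show ip access-lists OUTSIDE-IN
!   show ip inspect config
```

With the deny-and-log lines, anything not covered by the explicit permits or by a CBAC dynamic entry shows up in the log, which is the quickest way to spot a site that is still being blocked.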

Thanks, I had permit ip any host 1.2.3.4 on the Internet interface and permit ip any any on the LAN interface.