Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
334
Views
0
Helpful
1
Replies

IOS ACL interaction w/ CBAC inspect

Go to solution
jeremyneedle
Level 1
Level 1

‎06-20-2007 01:01 PM

Sorry to bother you guys, but I'm banging my head against the wall w/ this one

[ACL's vs CBAC's ip inspect]

Specifically, SDM created the following config:

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

!

!

interface FastEthernet4

ip address 100.100.100.1 255.255.255.0

ip access-group 101 in

ip inspect SDM_LOW out

access-list 101 deny ip 10.10.10.0 0.0.0.255 any

access-list 101 permit icmp any host 100.100.100.1 echo-reply

access-list 101 permit icmp any host 100.100.100.1 time-exceeded

access-list 101 permit icmp any host 100.100.100.1 unreachable

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip host 0.0.0.0 any

access-list 101 deny ip any any log

So as you can see, the DENY ANY ANY of the ACL would block returning traffic wouldn't it? I thought ACL's are applied FIRST? So I'm assuming by looking at this config that when CBAC examines OUTBOUND traffic on the external interface, it can -then- create holes in the ACL to allow returning traffic. Is this correct?

And if so, why not just allow the implicit DENY ALL; does it require deny ip any any be explicitly listed in the ACL?

I have read through the 12-4 Security Config guide from Cisco's site and its not answering this question.

Thanks in advance

:-(

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
shomar
Level 1
Level 1

‎06-20-2007 11:51 PM

Your assumption is absolutely right, CBAC will open a hole in the ACL to permit returning traffic back.

As for the deny ip any any at the end of the access list, this is a best practice line added to the access list, if you look at the line, you can notice that there is a log keyword at the end of the line, so this is to log the denied traffic to a syslog server for example for you to review the traffic later and analyze that in case you get attacked or sth like that.

you can safely remove that line if you feel it unnecessary, but as I mentioned to you this is a best practice when dealing with access lists.

Regrads,

Shadi`

View solution in original post

0 Helpful
1 Reply 1

Go to solution
shomar
Level 1
Level 1

‎06-20-2007 11:51 PM

Your assumption is absolutely right, CBAC will open a hole in the ACL to permit returning traffic back.

As for the deny ip any any at the end of the access list, this is a best practice line added to the access list, if you look at the line, you can notice that there is a log keyword at the end of the line, so this is to log the denied traffic to a syslog server for example for you to review the traffic later and analyze that in case you get attacked or sth like that.

you can safely remove that line if you feel it unnecessary, but as I mentioned to you this is a best practice when dealing with access lists.

Regrads,

Shadi`

0 Helpful
Customers Also Viewed These Support Documents