06-20-2007 01:01 PM
Sorry to bother you guys, but I'm banging my head against the wall w/ this one
[ACL's vs CBAC's ip inspect]
Specifically, SDM created the following config:
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
interface FastEthernet4
 ip address 100.100.100.1 255.255.255.0
 ip access-group 101 in
 ip inspect SDM_LOW out
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any host 100.100.100.1 echo-reply
access-list 101 permit icmp any host 100.100.100.1 time-exceeded
access-list 101 permit icmp any host 100.100.100.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
So as you can see, the DENY ANY ANY of the ACL would block returning traffic, wouldn't it? I thought ACLs are applied FIRST? So I'm assuming, by looking at this config, that when CBAC examines OUTBOUND traffic on the external interface, it can -then- create holes in the ACL to allow returning traffic. Is this correct?
And if so, why not just rely on the implicit DENY ALL? Does it require deny ip any any to be explicitly listed in the ACL?
I have read through the 12.4 Security Configuration Guide from Cisco's site and it's not answering this question.
Thanks in advance
:-(
06-20-2007 11:51 PM
Your assumption is absolutely right: CBAC will open a hole in the ACL to permit returning traffic back.
As for the deny ip any any at the end of the access list, this is a best-practice line added to the access list. If you look at the line, you can notice that there is a log keyword at the end, so this is to log the denied traffic to a syslog server, for example, for you to review the traffic later and analyze it in case you get attacked or something like that.
You can safely remove that line if you feel it is unnecessary, but as I mentioned, this is a best practice when dealing with access lists.
Regards,
Shadi
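To make the accepted answer concrete, here is a small model of the thread's interface: the static inbound ACL 101 as posted, plus CBAC inspection on the outbound side recording inside-initiated sessions. It is an added illustration, not IOS code or anything from the original posts. The interface address 100.100.100.1 and the ACL lines come from the thread; the inside host, the outside server and the "stranger" address are constructed, and NAT is left out of the model so the ACL logic can be read directly.

```python
"""Model of 'ip access-group 101 in' plus 'ip inspect SDM_LOW out' on one interface.
Added example; the inside/outside hosts are constructed and NAT is not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""        # e.g. "echo-reply"; empty for tcp/udp

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str]
    log: bool

def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tok_host := tokens.pop(0) + "/32") if False else ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # An IOS wildcard is an inverted netmask: 0 bits must match, 1 bits are ignored.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)

def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [icmp-type] [log]'."""
    tokens = line.split()
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, dst = _take_addr(rest), _take_addr(rest)
    log = "log" in rest
    icmp_type = next((t for t in rest if t != "log"), None)
    return Ace(action, proto, src, dst, icmp_type, log)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return (ipaddress.IPv4Address(pkt.src) in ace.src
            and ipaddress.IPv4Address(pkt.dst) in ace.dst)

class OutsideInterface:
    def __init__(self, acl_lines, inspected_protocols):
        self.acl = [parse_ace(l) for l in acl_lines]
        self.inspected = set(inspected_protocols)
        self.sessions = set()   # CBAC state: (proto, in_addr, in_port, out_addr, out_port)
        self.log = []           # what a matching 'log' entry would send to syslog

    def outbound(self, pkt: Packet) -> None:
        # Inspection records inside-initiated sessions for the protocols in the inspect rule.
        if pkt.proto in self.inspected:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> str:
        # CBAC's temporary return-traffic entries are checked ahead of the static ACL,
        # so a reply to a recorded session passes despite 'deny ip any any log'.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit (cbac session)"
        for ace in self.acl:
            if ace_matches(ace, pkt):
                if ace.log:
                    self.log.append(f"{ace.action} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
                return ace.action
        return "deny (implicit)"   # the implicit deny matches silently

ACL_101 = [   # the access list as posted in the thread
    "access-list 101 deny ip 10.10.10.0 0.0.0.255 any",
    "access-list 101 permit icmp any host 100.100.100.1 echo-reply",
    "access-list 101 permit icmp any host 100.100.100.1 time-exceeded",
    "access-list 101 permit icmp any host 100.100.100.1 unreachable",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 101 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 101 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 101 deny ip host 255.255.255.255 any",
    "access-list 101 deny ip host 0.0.0.0 any",
    "access-list 101 deny ip any any log",
]

def demo() -> dict:
    fw = OutsideInterface(ACL_101, ["tcp", "udp", "icmp"])
    inside, server, stranger = "10.10.10.5", "198.51.100.10", "203.0.113.7"  # constructed
    fw.outbound(Packet("tcp", inside, server, 51000, 443))          # inside host opens HTTPS
    results = {
        "https_reply": fw.inbound(Packet("tcp", server, inside, 443, 51000)),
        "unsolicited_ssh": fw.inbound(Packet("tcp", stranger, inside, 40000, 22)),
        "spoofed_rfc1918": fw.inbound(Packet("tcp", "192.168.1.1", inside, 40000, 22)),
        "ping_reply_to_router": fw.inbound(Packet("icmp", stranger, "100.100.100.1", icmp_type="echo-reply")),
        "logged": list(fw.log),
    }
    # Same ACL without the explicit last line: the implicit deny still blocks, but logs nothing.
    quiet = OutsideInterface(ACL_101[:-1], ["tcp", "udp", "icmp"])
    results["implicit_only"] = quiet.inbound(Packet("tcp", stranger, inside, 40000, 22))
    results["implicit_logged"] = list(quiet.log)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the two points of the answer side by side: the HTTPS reply is admitted by the CBAC session entry before the ACL is ever consulted, while the unsolicited connection attempt falls through to `deny ip any any log` and produces a log line; with that line removed, the same attempt is still dropped by the implicit deny but leaves no trace, which is the only difference between the two.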