I've been experimenting with the Context-Based Access Control feature,
but a degenerately simple configuration doesn't seem to want to work
properly for me. I grabbed a 7204 out of the junk room and (more or
less randomly) selected c7200-io3s-mz.121-12 as what I was going to
run on it. A simple inspect rule:
ip inspect name foo tcp
ip inspect name foo udp
ip inspect name foo ftp
with access-group:
access-list 105 deny ip host 255.255.255.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any packet-too-big
access-list 105 permit icmp any any traceroute
access-list 105 permit icmp any any unreachable
when applied thus:
interface FastEthernet0/0
...
...
ip access-group 105 in
ip inspect foo out
works for about half a minute (sessions show up in "show ip inspect
sessions") and then gives up; can't create new sessions and old ones
go dead. I suppose I could be doing something wrong (and any hints
based on what I show above would be greatly appreciated), but in the
interests of eliminating the possibility that a bug of some sort is
making the (very simple) configuration that I'm trying to put in place
misbehave, could someone offer a recommendation of an IOS version to
run for CBAC?
Thanks,
---Rob
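As an added reference (not Rob's configuration, and not a diagnosis of his box), here is the classic CBAC layout the post describes, written out with the global timers and half-open-session thresholds that decide when CBAC tears sessions down, and the show commands that confirm what is actually in effect. The rule name `foo` and ACL `105` come from the post; the interface roles, addresses and descriptions are assumptions; the timer and threshold values are the documented IOS defaults for classic CBAC, and a few of the commands may be absent from an older image, so `show ip inspect config` is the place to check what the running image supports.

```cisco
! Added example: classic CBAC, assuming FastEthernet0/0 is the outside
! (untrusted) interface and FastEthernet0/1 the inside. Not from the post.
!
! Log session creation and teardown to syslog, so a session that "goes
! dead" shows up with a reason rather than just vanishing from
! "show ip inspect sessions".
ip inspect audit-trail
!
! Timers. Values are the IOS defaults for classic CBAC. Two of them are
! 30 seconds, which is worth knowing when sessions die after about half
! a minute:
!   tcp synwait-time 30  - a half-open TCP session (handshake never
!                          completed from CBAC's point of view) is dropped
!                          after 30 s
!   udp idle-time 30     - a UDP "session" with no traffic is dropped after
!                          30 s; UDP has no close, so this is its only exit
!   tcp idle-time 3600   - established TCP sessions with no traffic
!   tcp finwait-time 5   - sessions after the FIN exchange
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
!
! Half-open (embryonic) session thresholds. Above "high" CBAC deletes
! half-open sessions until it is back under "low". A scan or a burst of
! new connections can trip these and look like CBAC refusing new sessions.
! Defaults shown; block-time 0 means offending hosts are not blocked.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! Inspection rule from the post: generic TCP and UDP, plus FTP so the
! data channel is opened dynamically.
ip inspect name foo tcp
ip inspect name foo udp
ip inspect name foo ftp
!
! Inbound ACL on the outside interface. It only needs to permit what CBAC
! cannot open dynamically (ICMP error and control messages). Return traffic
! for an inspected session matches temporary entries CBAC inserts ahead of
! this list, so no "permit tcp any any established" is required. The final
! explicit deny with "log" makes rejected return traffic visible.
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any packet-too-big
access-list 105 permit icmp any any traceroute
access-list 105 permit icmp any any unreachable
access-list 105 deny   ip any any log
!
! Outside interface: inspect traffic leaving towards the untrusted side,
! filter what comes back in. Both on the same interface, as in the post.
! Address is a documentation prefix (assumed).
interface FastEthernet0/0
 description OUTSIDE (assumed)
 ip address 192.0.2.1 255.255.255.0
 ip access-group 105 in
 ip inspect foo out
!
interface FastEthernet0/1
 description INSIDE (assumed)
 ip address 10.0.0.1 255.255.255.0
!
! Checks, from exec mode:
!   show ip inspect config         - timers and thresholds actually in
!                                    effect on this image
!   show ip inspect interfaces     - rule and ACL on the expected interface
!                                    and direction
!   show ip inspect sessions detail
!   show logging                   - audit-trail lines state why a session
!                                    closed (idle, FIN, RST, half-open
!                                    cleanup)
!   debug ip inspect events        - briefly, to watch sessions be created
!                                    and torn down in real time
```

When a session disappears, the audit-trail line in `show logging` is the quickest way to tell an idle timeout (timer too short for the traffic) from a half-open purge (threshold tripped) from a reset by the far end; `show ip inspect config` confirms that the timers the image is using are the ones you think you set.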
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:07 EDT