[c-nsp] Cbac problem

Paul Stewart pstewart at nexicomgroup.net
Mon Aug 15 15:49:37 EDT 2005


Hi there..

I'm working on a customer site right now with a 3640 router.  They want
CBAC put into place primarily for blocking MSN but also blocking peer-to-
peer etc. from their office network.

They have an OSPF based connection back to us because of two diverse
routes.

I'm having problems with getting CBAC to work and not sure why...
Obviously a config issue...

ip inspect name fw appfw abuse-control
ip inspect name fw http
ip inspect name fw sip
ip inspect name fw pop3
ip inspect name fw imap3
ip inspect name fw imap
ip inspect name fw https
ip inspect name fw ftp
ip inspect name fw icmp
ip inspect name fw nntp
ip inspect name fw ssh
ip inspect name fw telnet
ip inspect name fw esmtp
!
appfw policy-name abuse-control
  application http
    port-misuse default action reset alarm

(pretty traditional network but they do have some SIP based IP phones
that need to connect to outside world)

interface FastEthernet0/0
 description xxxxxxxxxxxxxxxxxxxxx
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip nat outside
 ip inspect fw in
 ip virtual-reassembly
 ip ospf network point-to-point
 speed 100
 full-duplex
!
interface FastEthernet1/0
 description xxxxxxxxxxxxxxxxxxxxxxx
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip nat outside
 ip inspect fw in
 ip virtual-reassembly
 ip ospf network point-to-point
 speed 100
 full-duplex

interface FastEthernet3/0
 description Internal Network
 ip address 192.168.0.224 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

NAT works fine as does the OSPF back to the outside.  With the "ip inspect
fw in" statement applied, the router allows ALL traffic inbound/outbound,
which I expected.  If I put an access list on the two interfaces
"access-list 115 deny ip any any" I thought that the router would permit
anything that it is inspecting?  When I apply an access list as noted,
OSPF and everything drops and no traffic can pass.  How do I get around
this?  I was sure this was the way I had done it on other configurations,
although the other routers wouldn't have NAT in the middle either...

What I want is to limit traffic specifically to what is listed with "ip
inspect name fw xxxx" statements...

Feeling kinda stupid..;)

Paul




Paul Stewart
Network Specialist
Nexicom Inc.
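Added example, not from the original post and not Paul's configuration: the way CBAC is normally laid out, the inspection rule watches the direction that is allowed to open sessions and the restrictive access list sits on the opposite direction, so that CBAC can punch temporary permit entries into that list for the return half of each inspected session. Anything CBAC does not inspect (OSPF in particular, IP protocol 89) has to be permitted explicitly or the deny-all entry drops it, which is what takes the adjacency down. Interface names and the inspection rule name follow the post; the ACL name, the log keyword and the ICMP entries are assumptions for illustration.

```cisco
! Added example. Interface names and the rule name "fw" follow the
! post; the ACL name and the individual entries are illustrative.
!
! Inspection is applied once, inbound on the inside interface, so that
! every session started from the office LAN is inspected regardless of
! which of the two outside links OSPF chooses for it.
interface FastEthernet3/0
 description Internal Network
 ip inspect fw in
!
! Inbound filter for both outside interfaces. CBAC adds temporary permit
! entries to this list for return traffic of sessions it inspected.
! Protocols CBAC does not inspect must be listed by hand. OSPF is the
! one that matters here: without "permit ospf" the hellos from the
! upstream routers are dropped and the adjacency falls.
ip access-list extended OUTSIDE-IN
 permit ospf any any
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
! The ACL is only effective once it is bound to the interface; the
! "access-list 115 deny ip any any" line alone does nothing.
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
!
interface FastEthernet1/0
 ip access-group OUTSIDE-IN in
```

Two caveats worth checking on this particular site. First, with "ip inspect fw in" on the outside interfaces as in the post, CBAC inspects sessions arriving from the Internet and opens return paths back out, the reverse of what is wanted, while the LAN's outbound sessions are never inspected, so their replies hit the deny-all entry. Second, CBAC keys its temporary openings to the session it saw leave; with two diverse routes, replies that come back over the other link than the request went out on may not match an opening, so asymmetric return paths should be ruled out (or the routing made symmetric) before blaming the inspection rules. For the SIP phones, inspecting the outbound registration handles the returning signalling and the RTP media of calls the phones originate; anything unsolicited from outside still needs an explicit permit in OUTSIDE-IN.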


