[c-nsp] Cbac problem
Paul Stewart
pstewart at nexicomgroup.net
Mon Aug 15 15:49:37 EDT 2005
Hi there..
I'm working on a customer site right now with a 3640 router. They want
CBAC put into place primarily for blocking MSN but also blocking peer-to-peer
etc. from their office network.
They have an OSPF based connection back to us because of two diverse
routes.
I'm having problems with getting CBAC to work and not sure why...
Obviously a config issue...
ip inspect name fw appfw abuse-control
ip inspect name fw http
ip inspect name fw sip
ip inspect name fw pop3
ip inspect name fw imap3
ip inspect name fw imap
ip inspect name fw https
ip inspect name fw ftp
ip inspect name fw icmp
ip inspect name fw nntp
ip inspect name fw ssh
ip inspect name fw telnet
ip inspect name fw esmtp
!
appfw policy-name abuse-control
 application http
  port-misuse default action reset alarm
(pretty traditional network but they do have some SIP based IP phones
that need to connect to outside world)
interface FastEthernet0/0
 description xxxxxxxxxxxxxxxxxxxxx
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip nat outside
 ip inspect fw in
 ip virtual-reassembly
 ip ospf network point-to-point
 speed 100
 full-duplex
!
interface FastEthernet1/0
 description xxxxxxxxxxxxxxxxxxxxxxx
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip nat outside
 ip inspect fw in
 ip virtual-reassembly
 ip ospf network point-to-point
 speed 100
 full-duplex
!
interface FastEthernet3/0
 description Internal Network
 ip address 192.168.0.224 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
NAT works fine as does the OSPF back to outside. With the "ip inspect
fw in" statement applied, the router allows ALL traffic inbound/outbound,
which I expected. If I put an access list on the two interfaces
"access-list 115 deny ip any any" I thought that the router would permit
anything that it is inspecting? When I apply an access list as noted,
OSPF and everything drops and no traffic can pass. How do I get around
this? I was sure this was the way I had done it on other configurations,
although the other routers wouldn't have NAT in the middle either...
What I want is to limit traffic specifically to what is listed with "ip
inspect name fw xxxx" statements...
Feeling kinda stupid..;)
Paul
Paul Stewart
Network Specialist
Nexicom Inc.
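A reworked placement of the inspection and the interface ACL, added here as an example; it is not part of Paul's post or of any reply on the list. It keeps the post's interface names, masked addresses and the inspect set "fw"; the ACL name OUTSIDE-IN and the ICMP permits are assumptions of mine. The point it illustrates: CBAC only opens temporary holes for the return traffic of sessions it has actually inspected. With "ip inspect fw in" on the two outside interfaces, the sessions being inspected are the ones initiated from the Internet, so the office's own outbound sessions are never tracked and their replies meet the deny-all ACL. The inspect statement has to sit where office-initiated traffic enters the router (inbound on the inside interface, or equivalently outbound on each upstream interface), and anything CBAC never inspects, such as the OSPF adjacency the router itself terminates, has to be permitted explicitly in the inbound ACL on the outside interfaces.

```cisco
! Added example, not the original poster's config: CBAC inspection moved
! to the inside interface, inbound ACL on both upstream interfaces.
! Assumes the same interface names and inspect set "fw" as the post;
! ACL name OUTSIDE-IN and the ICMP permits are assumptions.
!
! 1. Inspect sessions as they leave the office, i.e. inbound on the
!    inside interface. One statement covers both uplinks, and CBAC opens
!    the return path for every session it sees here.
interface FastEthernet3/0
 description Internal Network
 ip address 192.168.0.224 255.255.255.0
 ip nat inside
 ip inspect fw in
 ip virtual-reassembly
!
! 2. Inbound policy for the upstream side. Everything CBAC does not
!    inspect must be listed explicitly:
!    - OSPF (IP protocol 89) between this router and the upstream; without
!      this line the adjacency drops, which is the symptom in the post.
!    - ICMP errors needed for path MTU discovery and traceroute; CBAC's
!      icmp inspection covers echo/echo-reply for inside-initiated pings,
!      these errors arrive unsolicited.
!    Anything initiated from the Internet toward the office (for example
!    inbound SIP calls if the provider places them, rather than the phones
!    registering outbound) would also need an explicit permit here.
ip access-list extended OUTSIDE-IN
 permit ospf any any
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 deny   ip any any log
!
! 3. Upstream interfaces: drop the inbound inspect, apply the ACL.
interface FastEthernet0/0
 ip nat outside
 no ip inspect fw in
 ip access-group OUTSIDE-IN in
!
interface FastEthernet1/0
 ip nat outside
 no ip inspect fw in
 ip access-group OUTSIDE-IN in
```

To check the result, bring the ACL up on one uplink first and watch "show ip ospf neighbor" stay FULL, then open an outbound HTTP or SIP session from the office and confirm it appears in "show ip inspect sessions" while "show access-lists" shows the deny line only counting the traffic you expect to drop. Because the customer has two diverse routes, it is worth confirming in that test that replies arriving on the other upstream interface are still matched to the inspected session before cutting over.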