[c-nsp] Cbac problem
Matt Hill
Matt.Hill at aapt.com.au
Mon Aug 15 21:02:16 EDT 2005
Hi Paul,
CBAC works like this, or you can "reverse" your directions:
Interface ethernet 0 (outside)
Access-list xxx in
Interface ethernet 1 (inside)
Ip inspect xxx in
CBAC will inspect inbound packets to e1 (ie outbound from your network)
and dynamically open the acl on e0 to suit. You can also make the acl
outbound on e1, or the inspect outbound on e0.
HTH
Cheers,
Matt
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Tuesday, 16 August 2005 9:12 AM
To: Richmond, Jeff (ELI); cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cbac problem
Thanks for the reply....
Where I'm confused though is that I currently have cbac inspection going
one way (http) and without an access list specifically permitting return
http traffic it won't allow people to surf. Why is there no dynamic
inbound acl being created?
Having said that, the access list and the cbac rules are applied in the
same direction on the interface .... Does this matter or did I miss
something obvious?
Thanks again,
Paul
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richmond, Jeff
(ELI)
Sent: Monday, August 15, 2005 5:39 PM
To: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cbac problem
CBAC for the most part only inspects TCP and UDP traffic. CBAC opens
ports for return traffic that it inspected when that traffic first left
your network. If the particular traffic flow is not a TCP or UDP port,
or doesn't match one of the possible CBAC options, CBAC won't inspect
it, and hence has no ability to dynamically add entries to the top of
your ACL. Thus, return traffic for non-inspected flows gets dropped.
Look at it this way: you inspect traffic going out, and you ACL traffic
coming in. CBAC just dynamically places "allowed" entries in the inbound
ACL as necessary (and it removes them too of course). For any traffic
that CBAC can't inspect or isn't configured to inspect, you must
manually create a line in your ACL to allow the return traffic.
Hope this helps.
-Jeff
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Paul Stewart
Sent: Monday, August 15, 2005 1:51 PM
To: Kevin Graham
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cbac problem
Perfect... Thanks...:)
I thought that CBAC would dynamically open the ports needed? I can
understand OSPF after feeling kinda dumb, but what about http for
example? I have an inspect statement setup and it's applied to both
inbound interfaces but without an access list it won't pass traffic?
Thanks,
Paul
-----Original Message-----
From: Kevin Graham [mailto:mahargk at gmail.com]
Sent: Monday, August 15, 2005 4:06 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cbac problem
On 8/15/05, Paul Stewart <pstewart at nexicomgroup.net> wrote:
> When I apply an access list as noted, OSPF and everything drops and no
> traffic can pass. How do I get around this?
CBAC isn't going to inspect OSPF -- make sure you slip a permit for it
before the deny
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
This communication, including any attachments, is confidential. If
you are not the intended recipient, you should not read it - please
contact me immediately, destroy it, and do not copy or use any part of
this communication or disclose anything about it.
More information about the cisco-nsp
mailing list