[c-nsp] Cbac problem
Richard Doty (US)
richard.doty at us.didata.com
Mon Aug 15 21:04:12 EDT 2005
The inspection option for HTTP is just for java applet inspection, not
for HTTP traffic on 80 or 443.
HTTP Inspection Syntax

ip inspect name inspection-name http [java-list access-list] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]    (Java protocol only)

no ip inspect name inspection-name protocol    (removes the inspection rule for a protocol)
Rich
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Monday, August 15, 2005 7:12 PM
To: Richmond, Jeff (ELI); cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cbac problem
Thanks for the reply....
Where I'm confused, though, is that I currently have CBAC inspection going
one way (HTTP), and without an access list specifically permitting return
HTTP traffic it won't allow people to surf. Why is there no dynamic
inbound ACL being created?
Having said that, the access list and the CBAC rules are applied in the
same direction on the interface. Does this matter, or did I miss
something obvious?
Thanks again,
Paul
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richmond, Jeff (ELI)
Sent: Monday, August 15, 2005 5:39 PM
To: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cbac problem
CBAC for the most part only inspects TCP and UDP traffic. CBAC opens
ports for return traffic that it inspected when that traffic first left
your network. If the particular traffic flow is not a TCP or UDP port,
or doesn't match one of the possible CBAC options, CBAC won't inspect
it, and hence has no ability to dynamically add entries to the top of
your ACL. Thus, return traffic for non-inspected flows gets dropped.
Look at it this way: you inspect traffic going out, and you ACL traffic
coming in. CBAC just dynamically places "allowed" entries in the inbound
ACL as necessary (and it removes them too of course). For any traffic
that CBAC can't inspect or isn't configured to inspect, you must
manually create a line in your ACL to allow the return traffic.
Hope this helps.
-Jeff
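The layout Jeff describes, as an added configuration example (not posted by anyone in this thread): inspection applied to traffic leaving on the outside interface, an ACL applied to traffic entering it, and an explicit permit for OSPF, which CBAC does not inspect. The inspection name (FW_OUT), ACL name (OUTSIDE_IN), interface names and addresses are assumptions for illustration.

```cisco
! Added example, not from any poster in this thread. FW_OUT, OUTSIDE_IN,
! the interface names and the addresses are assumed for illustration.
!
! Inspection rule: CBAC watches these protocols as sessions leave the
! network and adds matching return-traffic entries to the inbound ACL.
! OSPF is not a TCP or UDP protocol and is not on this list, so it will
! never get a dynamic entry.
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
ip inspect name FW_OUT http
ip inspect name FW_OUT ftp
!
! Inbound ACL on the outside interface. Anything CBAC cannot inspect, or
! is not configured to inspect, must be permitted here by hand, and the
! permit has to come before the final deny (Kevin's point about OSPF).
ip access-list extended OUTSIDE_IN
 remark Non-inspected protocols need a static permit
 permit ospf any any
 remark Everything else only passes if CBAC opened it dynamically
 deny   ip any any log
!
interface FastEthernet0/1
 description Inside (assumed)
 ip address 192.168.1.1 255.255.255.0
!
! Outside interface: inspect traffic going OUT, filter traffic coming IN.
interface FastEthernet0/0
 description Outside (assumed)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE_IN in
 ip inspect FW_OUT out
```

With this in place, `show ip inspect sessions` lists the outbound sessions CBAC is tracking, and `show ip access-lists OUTSIDE_IN` shows the temporary return entries CBAC has added above the static lines. The `log` keyword on the final deny shows which non-inspected traffic (OSPF, in the original problem) is still being dropped and therefore needs its own permit.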
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Paul Stewart
Sent: Monday, August 15, 2005 1:51 PM
To: Kevin Graham
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cbac problem
Perfect... Thanks...:)
I thought that CBAC would dynamically open the ports needed? I can
understand OSPF after feeling kinda dumb, but what about HTTP, for
example? I have an inspect statement set up and it's applied to both
inbound interfaces, but without an access list it won't pass traffic?
Thanks,
Paul
-----Original Message-----
From: Kevin Graham [mailto:mahargk at gmail.com]
Sent: Monday, August 15, 2005 4:06 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cbac problem
On 8/15/05, Paul Stewart <pstewart at nexicomgroup.net> wrote:
> When I apply an access list as noted, OSPF and everything drops and no
> traffic can pass. How do I get around this?
CBAC isn't going to inspect OSPF -- make sure you slip a permit for it
before the deny
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/