[c-nsp] Cbac problem

Paul Stewart pstewart at nexicomgroup.net
Mon Aug 15 21:21:48 EDT 2005 

Ahhhh..... That explains it a lot better.  I've used it before but kind
of fumbled my way through it..;)  I didn't realize it was smart enough
to allow ports on another interface... Was looking at one single
interface as the only option hence my confusion...

Thanks again,

Paul
 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matt Hill
Sent: Monday, August 15, 2005 9:02 PM
To: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cbac problem

Hi Paul,

CBAC works like this, or you can "reverse" your directions:

Interface ethernet 0 (outside)
Access-list xxx in

Interface ethernet 1 (inside)
Ip inspect xxx in

CBAC will inspect inbound packets to e1 (ie outbound from your network)
and dynamically open the acl on e0 to suit.  You can also make the acl
outbound on e1, or the inspect outbound on e0.

HTH

Cheers,
Matt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Tuesday, 16 August 2005 9:12 AM
To: Richmond, Jeff (ELI); cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cbac problem


Thanks for the reply....

Where I'm confused though is that I currently have cbac inspection going
one way (http) and without an access list specifically permitting return
http traffic it won't allow people to surf.  Why is there no dynamic
inbound acl being created?

Having said that, the access list and the cbac rules are applied in the
same direction on the interface .... Does this matter or did I miss
something obvious?

Thanks again,

Paul
 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richmond, Jeff
(ELI)
Sent: Monday, August 15, 2005 5:39 PM
To: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cbac problem

CBAC for the most part only inspects TCP and UDP traffic. CBAC opens
ports for return traffic that it inspected when that traffic first left
your network. If the particular traffic flow is not a TCP or UDP port,
or doesn't match one of the possible CBAC options, CBAC won't inspect
it, and hence has no ability to dynamically add entries to the top of
your ACL. Thus, return traffic for non-inspected flows gets dropped.

Look at it this way: you inspect traffic going out, and you ACL traffic
coming in. CBAC just dynamically places "allowed" entries in the inbound
ACL as necessary (and it removes them too of course). For any traffic
that CBAC can't inspect or isn't configured to inspect, you must
manually create a line in your ACL to allow the return traffic.

Hope this helps.
-Jeff



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Paul Stewart
Sent: Monday, August 15, 2005 1:51 PM
To: Kevin Graham
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cbac problem


Perfect... Thanks...:)

I thought that CBAC would dynamically open the ports needed?  I can
understand OSPF after feeling kinda dumb, but what about http for
example?  I have an inspect statement setup and it's applied to both
inbound interfaces but without an access list it won't pass traffic?

Thanks,

Paul
 

-----Original Message-----
From: Kevin Graham [mailto:mahargk at gmail.com]
Sent: Monday, August 15, 2005 4:06 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cbac problem

On 8/15/05, Paul Stewart <pstewart at nexicomgroup.net> wrote:

> When I apply an access list as noted, OSPF and everything drops and no

> traffic can pass.  How do I get around this?

CBAC isn't going to inspect OSPF -- make sure you slip a permit for it
before the deny

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


This communication, including any attachments, is confidential. If  you
are not the intended recipient, you should not read it - please  contact
me immediately, destroy it, and do not copy or use any part of  this
communication or disclose anything about it.



_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list