[c-nsp] Cbac problem

Joe Maimon jmaimon at ttec.com
Tue Aug 16 07:09:35 EDT 2005


I work around this by combining reflexive ACLs with CBAC.

YMMV

Richmond, Jeff (ELI) wrote:
> CBAC for the most part only inspects TCP and UDP traffic. CBAC opens ports for return traffic that it inspected when that traffic first left your network. If the particular traffic flow is not a TCP or UDP port, or doesn't match one of the possible CBAC options, CBAC won't inspect it, and hence has no ability to dynamically add entries to the top of your ACL. Thus, return traffic for non-inspected flows gets dropped.
> 
> Look at it this way: you inspect traffic going out, and you ACL traffic coming in. CBAC just dynamically places "allowed" entries in the inbound ACL as necessary (and it removes them too of course). For any traffic that CBAC can't inspect or isn't configured to inspect, you must manually create a line in your ACL to allow the return traffic.
> 
> Hope this helps.
> -Jeff
> 
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Paul Stewart
> Sent: Monday, August 15, 2005 1:51 PM
> To: Kevin Graham
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Cbac problem
> 
> 
> Perfect... Thanks...:)
> 
> I thought that CBAC would dynamically open the ports needed?  I can
> understand OSPF after feeling kinda dumb, but what about http for
> example?  I have an inspect statement setup and it's applied to both
> inbound interfaces but without an access list it won't pass traffic?
> 
> Thanks,
> 
> Paul
>  
> 
> -----Original Message-----
> From: Kevin Graham [mailto:mahargk at gmail.com] 
> Sent: Monday, August 15, 2005 4:06 PM
> To: Paul Stewart
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cbac problem
> 
> On 8/15/05, Paul Stewart <pstewart at nexicomgroup.net> wrote:
> 
>> When I apply an access list as noted, OSPF and everything drops and no
>> traffic can pass.  How do I get around this?
> 
> CBAC isn't going to inspect OSPF -- make sure you slip a permit for it
> before the deny
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
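The model Jeff describes (inspect outbound, ACL inbound, CBAC inserting temporary permits at the top of the inbound ACL) and Joe's reflexive-ACL workaround for the flows CBAC never inspects, written out as an IOS configuration. This is an added example, not configuration from anyone in the thread; the interface names (Serial0/0 as the WAN uplink, FastEthernet0/0 inside), the ACL and inspect-rule names and the timeout value are assumed.

```cisco
! Added example, not from the thread. Interface names, ACL names, the
! inspect rule name and the 300 s reflexive timeout are all assumed.
!
! 1. CBAC inspection rule. Only TCP and UDP sessions are tracked, as Jeff
!    says; each outbound session gets a dynamic permit for its return
!    traffic inserted at the top of OUTSIDE-IN and removed when it ends.
ip inspect name FW tcp
ip inspect name FW udp
!
! 2. Outbound ACL with a reflexive entry (Joe's workaround). Every IP flow
!    leaving the router creates a mirrored temporary entry in REFL, so
!    replies for protocols CBAC does not inspect are still let back in.
ip access-list extended OUTSIDE-OUT
 remark reflexive entries expire after 300 s of inactivity (assumed value)
 permit ip any any reflect REFL timeout 300
!
! 3. Inbound ACL on the outside interface. Order matters: it is first-match,
!    CBAC's dynamic lines land at the top, and anything CBAC cannot open
!    (OSPF to the WAN neighbour, the reflexive entries) must be permitted
!    before the final deny, which is Kevin's point about OSPF.
ip access-list extended OUTSIDE-IN
 remark routing protocol: CBAC never inspects it, so permit it statically
 permit ospf any any
 remark return traffic mirrored by the reflexive ACL
 evaluate REFL
 remark everything else is dropped and logged so missing permits show up
 deny ip any any log
!
interface Serial0/0
 description WAN uplink (assumed)
 ip access-group OUTSIDE-OUT out
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
interface FastEthernet0/0
 description inside LAN (assumed)
```

With this in place, `show ip inspect sessions` lists the TCP/UDP flows CBAC is currently holding open, and `show access-lists OUTSIDE-IN` shows both the temporary reflexive entries and the log counter on the final deny, which is the quickest way to see which non-inspected flow still needs a static line.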

