[c-nsp] IOS CBAC Experience

Ahmad Cheikh-Moussa acm at netuse.de
Tue Jul 17 12:18:23 EDT 2007


Hi Guys,

I've got a strange behaviour from IOS CBAC.
Can someone tell me how to debug it?

For example:
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
ip inspect name FW tftp

inside (eth0):
ip access-list extended test-in
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any

outside (dialer1):
ip access-list extended out-in
 permit ip 11.11.11.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   ip any any

When I activate it on the outside interface (dialer 1), then I cannot
get traffic through it, in this case http traffic.
With snoop I can see the syn packet, and the syn ack is sent back to
the router, but this packet never reaches the client. On the server
I can see that the server retransmits the packet several times and
then sends a reset packet.

Any hints?

Regards,
 Ahmad



-- 
Ahmad Cheikh-Moussa 
NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Telefon: +49 431 2390 400 --  Telefax: +49 431 2390 499
Service: Service at NetUSE.DE --  http://NetUSE.DE/

Executive Board: Andreas Seeger (Chairman), Dr. Roland Kaltefleiter, Dr. Joerg Posewang
Supervisory Board: Detlev Huebner (Chairman)
Registered office: Kiel, HRB 5358 VAT ID: DE156073942

The information contained in this message is confidential or protected by
law. Any unauthorised copying of this message or unauthorised distribution
of the information contained herein is prohibited.


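A reference CBAC layout for the two interfaces in the question, added here as an example and not taken from the poster's router. It assumes the inside interface the poster calls "eth0" is FastEthernet0 and the outside interface is Dialer1; the `log` keywords and `ip inspect audit-trail` are added so that a reply packet hitting the static deny, or a session that CBAC never created, shows up in the logs. The `show` and `debug` commands at the end are the checks for whether CBAC saw the outbound SYN and opened the return path.

```cisco
! Added example (not the poster's configuration). Interface names are
! assumptions: inside "eth0" written as FastEthernet0, outside as Dialer1.

ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
ip inspect name FW tftp
! log every inspected session open/close, so a missing session is visible
ip inspect audit-trail

ip access-list extended test-in
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any log

ip access-list extended out-in
 ! static entries only; CBAC adds temporary entries for return traffic
 permit ip 11.11.11.0 0.0.0.255 10.10.10.0 0.0.0.255
 ! a SYN-ACK that is dropped here will appear in the log with this entry
 deny   ip any any log

interface FastEthernet0
 description inside
 ip access-group test-in in
 ! inspect sessions as they leave the LAN so the reply is admitted on Dialer1
 ip inspect FW in

interface Dialer1
 description outside
 ip access-group out-in in

! verification: which inspection rules exist and where they are applied
! show ip inspect config
! is there a session for the HTTP connection (client:port -> server:80)?
! show ip inspect sessions detail
! hit counters on the static ACL, including the logged deny
! show ip access-lists out-in
! per-packet trace of TCP inspection while reproducing the problem
! debug ip inspect tcp
```

Applying `ip inspect FW out` on Dialer1 instead of `ip inspect FW in` on FastEthernet0 is equivalent for this topology; what matters is that the outbound SYN passes an interface and direction that carries the inspection rule. If `show ip inspect sessions` lists no session for the connection, the SYN was never inspected and the reply can only match the static `out-in` entries. If a session exists and the SYN-ACK is still dropped, check that the reply actually arrives on Dialer1 (asymmetric routing or NAT rewriting the addresses before the ACL is consulted are the usual reasons the dynamic entry does not match).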
