[c-nsp] IOS CBAC Experience

Kevin Graham kgraham at industrial-marshmallow.com
Tue Jul 17 14:03:38 EDT 2007


--- Ahmad Cheikh-Moussa <acm at netuse.de> wrote:

> I've got a strange behaviour from IOS CBAC.
> Can someone tell me how to debug it?
> 
> For example:
> ip inspect name FW tcp
> ip inspect name FW udp
> ip inspect name FW icmp
> ip inspect name FW ftp
> ip inspect name FW tftp

You should probably reconsider using 'tcp' and 'udp' as inspect rules, as
they'll be passing anything, but that's unrelated to your problem...

> outside:(dialer1)
>  ip access-list extended out-in
>  permit ip 11.11.11.0 0.0.0.255 10.10.10.0 0.0.0.255 
>  deny ip any

Especially if you leave the 'tcp' and 'udp' inspect rules in place, go ahead
and add a log option to that deny as it will be very useful to flag return
traffic that's not associated with a session.

> When I activate it on the outside interface (dialer 1), then I can
> not get traffic through it, in this case http traffic.

Your config snippets didn't indicate such, but are you applying 'ip inspect
FW out' on dialer1? Do you also intend to allow traffic from 11.11.11/24 to
bypass CBAC? 

> With snoop I can see the syn packet and the syn ack is sent back to
> the router, but this packet never reaches the client.

The best thing to start with is to watch 'sh ip inspect session' and ensure 
that sessions are actually being created. In this case, it sounds like 
they're either not getting created at all, or the return traffic isn't making
it, in which case they'll be all stuck in SIS_OPENING.

Also go ahead and add an "ip inspect log drop-pkt" -- its output is
frustratingly terse, but will help a little...

Lastly, if this is a new install, consider skipping legacy CBAC and going
straight to ZPF:

http://rds.yahoo.com/_ylt=A0oGkxZABJ1G9OMA8blXNyoA;_ylu=X3oDMTE5bGtlYjh1BHNlYwNzcgRwb3MDMQRjb2xvA3NrMQR2dGlkA0RGRDVfMTQ4BGwDV1Mx/SIG=136atl25g/EXP=1184781760/**http%3a//www.cisco.com/univercd/cc/td/doc/product/software/ios124/124sup/zone_dg.htm
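A small triage helper for the checks described in the reply above (an added example, not code from the thread or from Cisco): it parses constructed sample text shaped like 'sh ip inspect session' output and like the %SEC-6-IPACCESSLOGP messages that a logged deny on the inbound ACL produces, lists the sessions stuck in SIS_OPENING, and separates logged denies that are return traffic for a session CBAC already knows about (the symptom Ahmad describes) from unsolicited inbound packets that the deny is supposed to drop. The two line formats are assumptions based on typical IOS output, and every address, port and session id in the samples is constructed.

```python
import re

# Assumed shape of one line of 'show ip inspect sessions' output, e.g.
#  Session 6526A2D8 (10.10.10.5:40211)=>(203.0.113.10:80) tcp SIS_OPENING
SESSION_RE = re.compile(
    r"Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>SIS_\w+)"
)

# Assumed shape of the TCP/UDP ACL deny log message produced by 'deny ... log'
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_sessions(text):
    """Return one dict per inspect session found in the text."""
    out = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            out.append(d)
    return out


def parse_acl_denies(text):
    """Return one dict per logged ACL deny found in the text."""
    out = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "count"):
                d[k] = int(d[k])
            out.append(d)
    return out


def stuck_sessions(sessions):
    """Sessions CBAC created on the outbound SYN but never saw the reply for."""
    return [s for s in sessions if s["state"] == "SIS_OPENING"]


def classify_denies(sessions, denies):
    """Split logged denies into return traffic for a known session vs. unsolicited inbound.

    A deny whose (src, sport, dst, dport) is the mirror image of a session's
    (dst, dport, src, sport) is reply traffic the inspect engine should have
    let through; that points at the inspect rule not being applied on the
    interface/direction the traffic actually takes.
    """
    flows = {(s["dst"], s["dport"], s["src"], s["sport"]): s["sid"] for s in sessions}
    dropped_return, unsolicited = [], []
    for d in denies:
        key = (d["src"], d["sport"], d["dst"], d["dport"])
        if key in flows:
            dropped_return.append((flows[key], d))
        else:
            unsolicited.append(d)
    return dropped_return, unsolicited


def triage(session_text, log_text):
    sessions = parse_sessions(session_text)
    denies = parse_acl_denies(log_text)
    dropped, unsolicited = classify_denies(sessions, denies)
    return {
        "stuck": [s["sid"] for s in stuck_sessions(sessions)],
        "dropped_return": [sid for sid, _ in dropped],
        "unsolicited": len(unsolicited),
    }


# Constructed sample output: two web sessions from an inside host that never
# completed, plus one healthy DNS session.
SAMPLE_SESSIONS = """\
Established Sessions
 Session 6526A2D8 (10.10.10.5:40211)=>(203.0.113.10:80) tcp SIS_OPENING
 Session 6526B3F0 (10.10.10.5:40212)=>(203.0.113.10:443) tcp SIS_OPENING
 Session 6526C4A8 (10.10.10.7:53012)=>(203.0.113.53:53) udp SIS_OPEN
"""

# Constructed sample log: the first deny is the SYN/ACK for session 6526A2D8
# being dropped by the inbound ACL; the second is an unrelated inbound probe.
SAMPLE_LOG = """\
Jul 17 14:01:02.123: %SEC-6-IPACCESSLOGP: list out-in denied tcp 203.0.113.10(80) -> 10.10.10.5(40211), 1 packet
Jul 17 14:01:03.456: %SEC-6-IPACCESSLOGP: list out-in denied tcp 198.51.100.4(3389) -> 10.10.10.5(3389), 3 packets
"""

if __name__ == "__main__":
    result = triage(SAMPLE_SESSIONS, SAMPLE_LOG)
    print("stuck in SIS_OPENING:", result["stuck"])
    print("return traffic dropped by ACL:", result["dropped_return"])
    print("unsolicited inbound denies:", result["unsolicited"])
```

Feed it the captured 'sh ip inspect session' text and a chunk of the router log after adding 'log' to the deny; a session that shows up in both lists is the SYN/ACK Ahmad sees at the router but not at the client, while denies that match no session are exactly what the closing deny is there to stop.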

