[c-nsp] IOS FW oddness

Brian Stiff (bstiff) bstiff at cisco.com
Wed Feb 27 11:58:34 EST 2008


Hi Chuck-

Is there any chance that you have a TAC case open on this?  If you do,
please unicast the SR # to me.

You won't see any firewall ACEs in the ACL that the FW is pinholing if
you're running 12.3(4)T or newer, due to ACL Bypass:

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/h_aclby.html

Is all traffic affected by the problem you're seeing, or just the sip
traffic that's associated with the session indicated in your 'show'
output?  Truth be told, there are shortcomings in the present
voice-protocol support.  A forthcoming release seeks to address many of
these shortcomings in the Zone-Based Policy Firewall, but, I'm sorry to
say, Classic FW (CBAC) won't be similarly graced.  

Anyone who is interested in said enhancements (specifically, interested
in beta-test opportunities) is welcome to email me off the alias.

Thanks,
Brian


Brian Stiff
720.562.6462
IOS Firewall
Technical Marketing Eng.
Security Technology Group
http://www.cisco.com/go/iosfw


Date: Wed, 27 Feb 2008 09:31:58 -0600
From: "Church, Charles" <cchurc05 at harris.com>
Subject: [c-nsp] IOS FW oddness
To: <cisco-nsp at puck.nether.net>
Message-ID:
	<FA1BA229357DB640B944218F3585FECABA3266 at mspe2k1.cs.myharris.net>
Content-Type: text/plain;	charset="us-ascii"

Anyone,
 
    I've got an issue with a 2650 running 12.4(18) Adv Sec and using IOS
FW.  It's doing NAT, and that portion works fine.  The problem is the
CBAC isn't opening the holes in the inbound ACL on the exterior
interface like it's supposed to.  IP Inspect is enabled on the outside
interface outbound, there is a restrictive ACL inbound on the outside
interface, and a permissive ACL outbound on the outside interface.  'sh
ip inspect sis det' shows the various sessions (http, sip, etc) and
references the ACLs involved:
 
<snip>

But I never see those dynamic entries added to the ACL, and the return
traffic gets dropped.  I've done it before, worked as designed.  Is
there something I'm just not getting here?
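The layout Charles describes (inspection outbound on the exterior interface, restrictive ACL inbound, permissive ACL outbound), written out as an added configuration example that is not from either poster; the interface, ACL and inspect-rule names and the address are assumptions.

```ios
! Added example, not from the thread. Names and addresses are assumed.
! Inspect rule applied outbound on the exterior interface: sessions
! leaving here get return traffic admitted past the inbound ACL.
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT http
ip inspect name CBAC-OUT sip
!
! Restrictive inbound ACL. On 12.3(4)T and later, ACL Bypass means the
! openings CBAC creates are never written into this list, so
! "show ip access-lists" only ever shows these static entries.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
! Permissive outbound ACL.
ip access-list extended OUTSIDE-OUT
 permit ip any any
!
interface FastEthernet0/1
 description exterior (NAT outside)
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
 ip inspect CBAC-OUT out
!
! Verification: the session table, not the ACL, is the record of what
! CBAC has opened.
! show ip inspect sessions detail
! show ip inspect interfaces
```

If a session appears in `show ip inspect sessions detail` but its return traffic is still dropped, the absence of dynamic ACEs in the ACL is expected under ACL Bypass and is not itself the fault.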
 

