[c-nsp] Cisco CBAC one stateful rule on an interface bypasses rules on other interfaces
Lukasz Bromirski
lukasz at bromirski.net
Thu Dec 11 14:24:51 EST 2025
Marco,

First of all, you should move to ZBFW from CBAC; CBAC is deprecated.

Yes, that's expected behavior: a CBAC inspect rule opens up channels in
any of the other interfaces if the session is allowed to be established.

You have to check ingress traffic using an ACL *before* it creates state
via the inspect engine to stop it from allowing traffic to go through.

--
Łukasz Bromirski
CCIE R&S/SP #15929, CCDE #2012::17, PGP Key ID: 0xFD077F6A
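
The ordering described in the reply above, shown as an added IOS configuration sketch that is not part of the original post. The interface names, addresses, ACL names and the inspect rule name `FW` are assumptions for a three-interface router (outside, inside, DMZ); the point is that the ingress ACL on the DMZ interface decides which sessions ever reach the inspect engine.

```cisco
! Constructed example: all names and addresses below are assumptions.
!
! Inspect rule: sessions that match create state and temporary return openings.
ip inspect name FW tcp
ip inspect name FW udp
!
! Ingress filter for DMZ-sourced traffic. It is checked when the packet
! enters the router, before the session can create inspect state.
ip access-list extended DMZ-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 deny   ip any any log
!
! Nothing is accepted from outside unless inspect state exists for it.
ip access-list extended OUTSIDE-IN
 deny   ip any any
!
interface GigabitEthernet0/2
 description DMZ (assumed)
 ip access-group DMZ-IN in
!
interface GigabitEthernet0/0
 description outside (assumed)
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! Checks after applying:
!   show ip inspect sessions     (only sessions permitted by DMZ-IN should appear)
!   show ip access-lists DMZ-IN  (hits on the deny line = sessions stopped before state)
```

Without `DMZ-IN`, any TCP or UDP session a DMZ host starts toward the outside would create state on `GigabitEthernet0/0`, and its return traffic would be let through regardless of ACLs placed elsewhere.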