Great. So we can't trust config guides, and as I heard from someone, sometimes you can't access the config guides too :) It gets better. Any idea if we can use the search function in the lab? I have been getting mixed reports on this.

Thanks and regards
Yogesh Gawankar

--- On Mon, 7/12/10, Tyson Scott <[email protected]> wrote:

From: Tyson Scott <[email protected]>
Subject: Re: [OSL | CCIE_Security] ICMP v/s CBAC
To: "'Vybhav Ramachandran'" <[email protected]>, "'OSL Security'" <[email protected]>
Date: Monday, July 12, 2010, 3:56 PM

TaCACK

Although the product documentation should be used as your primary resource it isn't always 100% accurate. This may have been the case for ICMP at one time, but would have had to have been before 12.2T when I started studying. But what this document states for other IP protocols is true with protocols like ESP or GRE that are not supported by CBAC.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Vybhav Ramachandran
Sent: Monday, July 12, 2010 1:52 AM
To: OSL Security
Subject: [OSL | CCIE_Security] ICMP v/s CBAC

Hello All,

I was going through the CBAC section of the doc-cd yesterday and I found this:

(Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.)

I thought CBAC inspects ICMP and I labbed it up. I found that ICMP traffic triggered CBAC session creation and the return traffic was permitted (even though I had a "deny ip any any" access-list on the outside interface in an inbound direction).

Here's the article -> http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Would appreciate your thoughts on this.

Cheers,
TacACK

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
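
The lab setup described in the original question, sketched as an added example that is not part of the thread or of Cisco's documentation. The interface names, addresses, ACL number 101 and the inspection rule name CBAC-OUT are assumptions chosen for illustration.

```cisco
! Constructed lab sketch; names, addresses and ACL number are assumptions.
!
! Inspection rule that tracks ICMP sessions leaving the router
ip inspect name CBAC-OUT icmp
!
! Inbound ACL on the outside interface blocks everything by default.
! Protocols CBAC does not inspect (the thread names ESP and GRE) would
! need explicit permit entries placed ahead of this deny.
access-list 101 deny ip any any
!
interface FastEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description outside
 ip address 192.0.2.1 255.255.255.0
 ! Drop unsolicited traffic arriving from the outside
 ip access-group 101 in
 ! Inspect traffic leaving via the outside interface so that
 ! return traffic for tracked sessions is let back in
 ip inspect CBAC-OUT out
!
! Verification from exec mode after pinging an outside host from the inside:
!   show ip inspect sessions
!   show ip access-lists 101
```

With this in place, a ping sourced from the inside should appear in `show ip inspect sessions`, and the echo reply is allowed back in even though ACL 101 denies all inbound IP, which matches the behaviour reported in the lab.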
