Hi guys, I think the Cisco doc is wrong on this one, can somebody please comment on it?

"ICMP traffic is not inspected by CBAC, meaning specific entries are needed in the access list to permit return traffic for ICMP commands."
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4t/config-cbac-fw.html#GUID-34DF258E-A125-40B9-A451-CC8617B1DD1D

I have the following config:

ip inspect name inspection icmp

ip access-list extended deny-any
 deny ip any any log

interface FastEthernet0/1
 ip address 136.1.121.5 255.255.255.0
 ip inspect inspection in

interface FastEthernet0/0
 ip address 136.1.122.5 255.255.255.0
 ip access-group deny-any in

I have a PC on the 136.1.121.0/24 network and I'm able to ping/traceroute hosts on the 136.1.122.0/24 network. If I enable UDP inspection, Unix-style traceroute works as well.

Debug, ICMP echo:

*Mar 10 07:16:41.350: FIREWALL* OBJ_CREATE: Pak 6751B5F0 sis 67E17334 initiator_addr (136.1.121.100:8) responder_addr (136.1.122.6:0) initiator_alt_addr (136.1.121.100:8) responder_alt_addr (136.1.122.6:0)
*Mar 10 07:16:41.350: FIREWALL icmp_info created: 0x67849F80
*Mar 10 07:16:41.350: FIREWALL OBJ-CREATE: sid 67BCE204 acl deny-any Prot: icmp
*Mar 10 07:16:41.350:   Src 136.1.122.6 Port [0:0]
*Mar 10 07:16:41.350:   Dst 136.1.121.100 Port [0:0]
*Mar 10 07:16:41.350: FIREWALL OBJ-CREATE: sid 67BCE258 acl deny-any Prot: icmp
*Mar 10 07:16:41.350:   Src 0.0.0.0 Port [0:0]
*Mar 10 07:16:41.350:   Dst 136.1.121.100 Port [3:3]
*Mar 10 07:16:41.350: FIREWALL OBJ-CREATE: sid 67BCE300 acl deny-any Prot: icmp
*Mar 10 07:16:41.350:   Src 0.0.0.0 Port [0:0]
*Mar 10 07:16:41.350:   Dst 136.1.121.100 Port [11:11]

Thanks,
Oszkar
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
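The debug output above is easier to reason about once the OBJ-CREATE records are pulled apart into the dynamic ACL entries they describe. The following parser is an added example, not part of the original post or of any Cisco tool; it reads the three records the poster captured (re-typed here as constructed sample input) and lists, per entry, which source may send what back to the pinging host. One assumption is made: the Dst "Port [a:b]" range on an icmp entry is read as the ICMP type range, because the values 0, 3 and 11 line up with echo-reply, destination-unreachable and time-exceeded, the return messages one expects after an echo request. The first "OBJ_CREATE" line (underscore, the session object) is deliberately not treated as an ACL entry.

```python
import re

# Constructed sample: the OBJ-CREATE records from the post, re-typed for offline use.
SAMPLE_DEBUG = """\
*Mar 10 07:16:41.350: FIREWALL* OBJ_CREATE: Pak 6751B5F0 sis 67E17334 initiator_addr (136.1.121.100:8) responder_addr (136.1.122.6:0) initiator_alt_addr (136.1.121.100:8) responder_alt_addr (136.1.122.6:0)
*Mar 10 07:16:41.350: FIREWALL icmp_info created: 0x67849F80
*Mar 10 07:16:41.350: FIREWALL OBJ-CREATE: sid 67BCE204 acl deny-any Prot: icmp
*Mar 10 07:16:41.350: Src 136.1.122.6 Port [0:0]
*Mar 10 07:16:41.350: Dst 136.1.121.100 Port [0:0]
*Mar 10 07:16:41.350: FIREWALL OBJ-CREATE: sid 67BCE258 acl deny-any Prot: icmp
*Mar 10 07:16:41.350: Src 0.0.0.0 Port [0:0]
*Mar 10 07:16:41.350: Dst 136.1.121.100 Port [3:3]
*Mar 10 07:16:41.350: FIREWALL OBJ-CREATE: sid 67BCE300 acl deny-any Prot: icmp
*Mar 10 07:16:41.350: Src 0.0.0.0 Port [0:0]
*Mar 10 07:16:41.350: Dst 136.1.121.100 Port [11:11]
"""

# Standard ICMP type numbers (RFC 792); used only to label the parsed entries.
ICMP_TYPE_NAMES = {
    0: "echo-reply",
    3: "unreachable",
    8: "echo",
    11: "time-exceeded",
    13: "timestamp-request",
    14: "timestamp-reply",
}

# Only the hyphenated OBJ-CREATE records carry "acl ... Prot:", i.e. dynamic ACL entries.
OBJ_RE = re.compile(r"FIREWALL OBJ-CREATE: sid (\w+) acl (\S+) Prot: (\w+)")
ENDPOINT_RE = re.compile(r"(Src|Dst) (\d+\.\d+\.\d+\.\d+) Port \[(\d+):(\d+)\]")


def parse_cbac_entries(debug_text):
    """Return a list of dicts, one per dynamic ACL entry in the debug text."""
    entries = []
    current = None
    for line in debug_text.splitlines():
        m = OBJ_RE.search(line)
        if m:
            current = {"sid": m.group(1), "acl": m.group(2), "proto": m.group(3)}
            entries.append(current)
            continue
        m = ENDPOINT_RE.search(line)
        if m and current is not None:
            key = m.group(1).lower()            # "src" or "dst"
            current[key] = m.group(2)
            current[key + "_ports"] = (int(m.group(3)), int(m.group(4)))
    return entries


def describe_entry(entry):
    """One-line, human-readable reading of a parsed entry."""
    src = "any" if entry["src"] == "0.0.0.0" else entry["src"]
    low, high = entry["dst_ports"]
    if entry["proto"] == "icmp":
        # Assumption: for icmp the Dst port range is the ICMP type range.
        name = ICMP_TYPE_NAMES.get(low, "type-%d" % low)
        what = "type %d (%s)" % (low, name) if low == high else "types %d-%d" % (low, high)
    else:
        what = "dst port %d" % low if low == high else "dst ports %d-%d" % (low, high)
    return "acl %s sid %s: permit %s from %s to %s %s" % (
        entry["acl"], entry["sid"], entry["proto"], src, entry["dst"], what)


def icmp_return_types(entries):
    """Sorted list of ICMP types the dynamic entries admit toward the initiator."""
    types = set()
    for e in entries:
        if e.get("proto") == "icmp" and "dst_ports" in e:
            low, high = e["dst_ports"]
            types.update(range(low, high + 1))
    return sorted(types)


if __name__ == "__main__":
    parsed = parse_cbac_entries(SAMPLE_DEBUG)
    for e in parsed:
        print(describe_entry(e))
    print("ICMP types opened toward the initiator:", icmp_return_types(parsed))
```

Reading the parsed entries, the echo-reply entry is pinned to the responder's address, while the unreachable and time-exceeded entries have Src 0.0.0.0, so for the lifetime of the session any source can deliver those two message types to the pinging host; that is worth knowing when the outside ACL is an otherwise blanket deny.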
