It depends on the IOS version. In 12.3(4)T the "Firewall ACL Bypass" feature
was introduced and as a result packets are allowed based on the existing
inspection sessions instead of entries in dynamic ACLs. So before version
12.3(4)T you could see dynamic entries in ACLs created by CBAC (and of course
also by typing "show ip inspect session detail"). In version 12.3(4)T and higher
dynamic entries are visible only in "show ip inspect session detail" - they
are not created in ACLs to prevent double checking (ACL entries and
existing session) by the router.

Firewall ACL Bypass feature was first described here:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_aclby.html

and is also included in CBAC document in 12.4T (as a separate chapter):
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4/sec-cbac-acl-bypass.html

Marta Sokolowska.

2012/3/24 Eugene Pefti <[email protected]>

> Guys,
>
> Am I supposed to see dynamic entries in the ACL by doing “show ip
> access-list” after CBAC firewall created a temporary hole while matching
> the defined inspection rule?
>
> I see only those that I defined in the ACL applied to the interface.
> Currently I’m able to see some details about dynamic entries created by
> running “show ip inspect session detail”
>
> R3#show ip inspect session detail
> Established Sessions
> Session 64D265B0 (136.1.23.2:8)=>(150.1.1.1:0) icmp SIS_OPEN
>   Created 00:00:03, Last heard 00:00:03
>    ECHO request
>   Bytes sent (initiator:responder) [360:360]
>   In  SID 150.1.1.1[0:0]=>136.1.23.2[0:0] on ACL VLAN13-EGRESS  (5 matches)
>   In  SID 0.0.0.0[0:0]=>136.1.23.2[3:3] on ACL VLAN13-EGRESS
>   In  SID 0.0.0.0[0:0]=>136.1.23.2[11:11] on ACL VLAN13-EGRESS
>
> Eugene
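An added example, not from either poster: a small parser for the "show ip inspect session detail" output quoted above, so that on 12.3(4)T and later (where the ACL itself shows no dynamic entries) you can still list which ACL each inspection session is bypassing and for which return flows. The sample text is constructed from the quoted output; the function names are my own.

```python
import re

# Constructed sample, modelled on the "show ip inspect session detail" output quoted above.
SAMPLE = """\
Established Sessions
 Session 64D265B0 (136.1.23.2:8)=>(150.1.1.1:0) icmp SIS_OPEN
  Created 00:00:03, Last heard 00:00:03
   ECHO request
  Bytes sent (initiator:responder) [360:360]
  In  SID 150.1.1.1[0:0]=>136.1.23.2[0:0] on ACL VLAN13-EGRESS  (5 matches)
  In  SID 0.0.0.0[0:0]=>136.1.23.2[3:3] on ACL VLAN13-EGRESS
  In  SID 0.0.0.0[0:0]=>136.1.23.2[11:11] on ACL VLAN13-EGRESS
"""

SESSION_RE = re.compile(r"Session (\w+) \((\S+):(\d+)\)=>\((\S+):(\d+)\) (\w+) (\w+)")
# A SID is the per-session return-traffic entry; from 12.3(4)T on it lives only here,
# never in the ACL, so "show ip access-list" will not show it.
SID_RE = re.compile(r"(In|Out)\s+SID (\S+)\[(\d+):(\d+)\]=>(\S+)\[(\d+):(\d+)\]"
                    r" on ACL (\S+)(?:\s+\((\d+) matches\))?")

def parse_inspect_sessions(text):
    """Return one dict per session, each carrying the SID lines that follow it."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({"handle": m[1], "initiator": f"{m[2]}:{m[3]}",
                             "responder": f"{m[4]}:{m[5]}", "protocol": m[6],
                             "state": m[7], "sids": []})
            continue
        m = SID_RE.search(line)
        if m and sessions:  # SID lines belong to the most recent session header
            sessions[-1]["sids"].append({"direction": m[1], "src": m[2], "dst": m[5],
                                         "acl": m[8], "matches": int(m[9] or 0)})
    return sessions

def bypass_by_acl(sessions):
    """ACL name -> number of SIDs bypassing it (holes that never appear in the ACL itself)."""
    counts = {}
    for sess in sessions:
        for sid in sess["sids"]:
            counts[sid["acl"]] = counts.get(sid["acl"], 0) + 1
    return counts

if __name__ == "__main__":
    for sess in parse_inspect_sessions(SAMPLE):
        print(sess["protocol"], sess["initiator"], "=>", sess["responder"], sess["state"])
        for sid in sess["sids"]:
            print("  bypasses", sid["acl"], "for", sid["src"], "=>", sid["dst"], sid["matches"], "matches")
    print(bypass_by_acl(parse_inspect_sessions(SAMPLE)))
```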