It depends on the IOS version. In 12.3(4)T the "Firewall ACL Bypass" feature was introduced, and as a result packets are allowed based on the existing inspection sessions instead of entries in dynamic ACLs. So before version 12.3(4)T you could see dynamic entries in ACLs created by CBAC (and of course also by typing "show ip inspect session detail"). In version 12.3(4)T and higher, dynamic entries are visible only in "show ip inspect session detail" - they are not created in ACLs, to prevent double checking (ACL entries and existing session) by the router.
The Firewall ACL Bypass feature was first described here: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_aclby.html and is also included in the CBAC document in 12.4T (as a separate chapter): http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4/sec-cbac-acl-bypass.html

Marta Sokolowska.

2012/3/24 Eugene Pefti <[email protected]>

> Guys,
>
> Am I supposed to see dynamic entries in the ACL by doing "show ip access-list" after the CBAC firewall created a temporary hole while matching the defined inspection rule?
>
> I see only those that I defined in the ACL applied to the interface. Currently I'm able to see some details about dynamic entries created by running "show ip inspect session detail":
>
> R3#show ip inspect session detail
> Established Sessions
>  Session 64D265B0 (136.1.23.2:8)=>(150.1.1.1:0) icmp SIS_OPEN
>   Created 00:00:03, Last heard 00:00:03
>   ECHO request
>   Bytes sent (initiator:responder) [360:360]
>   In SID 150.1.1.1[0:0]=>136.1.23.2[0:0] on ACL VLAN13-EGRESS (5 matches)
>   In SID 0.0.0.0[0:0]=>136.1.23.2[3:3] on ACL VLAN13-EGRESS
>   In SID 0.0.0.0[0:0]=>136.1.23.2[11:11] on ACL VLAN13-EGRESS
>
> Eugene
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
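Since, as the reply explains, "show ip inspect session detail" is the only place the dynamic CBAC state is visible on 12.3(4)T and later, an auditor who wants to account for open sessions has to parse that output. The following is an added example (not code from the thread or from Cisco) that parses a sample constructed from the output quoted above; the field names and the SIS_OPEN state string are taken from that sample, and the regular expressions are an assumption about the line layout.

```python
import re

# Constructed sample modelled on the "show ip inspect session detail" output
# quoted in the thread (addresses and ACL name taken from that message).
SAMPLE = """Established Sessions
 Session 64D265B0 (136.1.23.2:8)=>(150.1.1.1:0) icmp SIS_OPEN
  Created 00:00:03, Last heard 00:00:03
  ECHO request
  Bytes sent (initiator:responder) [360:360]
  In SID 150.1.1.1[0:0]=>136.1.23.2[0:0] on ACL VLAN13-EGRESS (5 matches)
  In SID 0.0.0.0[0:0]=>136.1.23.2[3:3] on ACL VLAN13-EGRESS
  In SID 0.0.0.0[0:0]=>136.1.23.2[11:11] on ACL VLAN13-EGRESS
"""

# Assumed line layouts, derived from the sample above.
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+\((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+(?P<proto>\S+)\s+(?P<state>\S+)")
TIMES_RE = re.compile(r"Created\s+(\S+),\s+Last heard\s+(\S+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")
SID_RE = re.compile(
    r"In SID\s+(?P<a>[\d.]+)\[(?P<ap>[^\]]+)\]=>(?P<b>[\d.]+)\[(?P<bp>[^\]]+)\]"
    r"\s+on ACL\s+(?P<acl>\S+)(?:\s+\((?P<matches>\d+) matches\))?")


def parse_inspect_sessions(text):
    """Return one dict per session; SID lines attach to the session they follow."""
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SESSION_RE.search(line):
            cur = m.groupdict()
            cur["sids"] = []
            sessions.append(cur)
        elif cur is None:
            continue  # section header such as "Established Sessions"
        elif m := TIMES_RE.search(line):
            cur["created"], cur["last_heard"] = m.groups()
        elif m := BYTES_RE.search(line):
            cur["bytes_init"], cur["bytes_resp"] = map(int, m.groups())
        elif m := SID_RE.search(line):
            sid = m.groupdict()
            sid["matches"] = int(sid["matches"] or 0)  # no "(N matches)" => 0
            cur["sids"].append(sid)
    return sessions


def acl_hit_summary(sessions):
    """Packets matched per ACL across all session SIDs: the per-session state
    that would have appeared as dynamic ACEs before Firewall ACL Bypass."""
    totals = {}
    for s in sessions:
        for sid in s["sids"]:
            totals[sid["acl"]] = totals.get(sid["acl"], 0) + sid["matches"]
    return totals
```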
