Hello Joseph, If you wish it to work against an inbound acl, CBAC has to be outbound.
CBAC, quite simply put, inspects traffic as applicable to an interface ACL. If the ACL is inbound on an interface, "ip inspect CBAC" would be OUT; so it can punch a hole in the INBOUND ACL for return traffic. Conversely, if you have an OUTBOUND ACL it would be "ip inspect CBAC in"; once again for return traffic. That is how a poor-man's firewall works.

Regards,
./Randy

--- On Fri, 7/22/11, Joseph Mays <[email protected]> wrote:

> From: Joseph Mays <[email protected]>
> Subject: Re: [c-nsp] Problem with IP Inspect
> To: [email protected]
> Date: Friday, July 22, 2011, 4:29 PM
>
> Tried your suggestion, thanks.
> Created the following ACL...
>
> ip access-list extended FaInboundACL
>  permit ip any any
>
> Added it to the inbound traffic on the LAN interface....
>
> interface FastEthernet0/0
>  description Win.net Chestnut St Office LAN
>  ip address 216.24.33.1 255.255.255.0
>  ip access-group FaInboundACL in
>  ip verify unicast reverse-path
>  no ip redirects
>  no ip unreachables
>  ip route-cache same-interface
>  speed 100
>  full-duplex
>  no cdp enable
>
> Not surprisingly, no effect, web browsing and everything works normally. I then added the "ip inspect" ...
>
> interface FastEthernet0/0
>  description Win.net Chestnut St Office LAN
>  ip address 216.24.33.1 255.255.255.0
>  ip access-group FaInboundACL in
>  ip verify unicast reverse-path
>  no ip redirects
>  no ip unreachables
>  ip inspect WinnetOffice in
>  ip route-cache same-interface
>  speed 100
>  full-duplex
>  no cdp enable
>
> And web browsing from the LAN stops working again.
>
> ----- Original Message -----
> From: "Kevin Graham" <[email protected]>
> To: "Joseph Mays" <[email protected]>
> Cc: <[email protected]>
> Sent: Friday, July 22, 2011 6:32 PM
> Subject: Re: [c-nsp] Problem with IP Inspect
>
> > On Jul 22, 2011, at 1:23 PM, "Joseph Mays" <[email protected]> wrote:
> >
> > > There is no way turning on ip inspection should break communications anywhere in the absence of an ACL list, is there?
> >
> > IIRC, ip inspect is creating a pseudo-acl, so you're being bitten by the default deny. You should apply a "permit ip any any" ACL inbound on that interface. (Adding more specific permits and making sure ACE counters aren't excessively increasing is also a really good way of making sure inspection is handling the traffic you intended it to during initial deployment without breaking anything).
> >
> > _______________________________________________
> > cisco-nsp mailing list [email protected]
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
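As an added illustration of the ACL/inspect direction pairing described in Randy's reply (this is not configuration from anyone in the thread), the same rule applied on a WAN-facing interface: the ACL is IN, so inspection goes OUT on that interface. The interface name, ACL name, inspect rule name and addresses are assumptions.

```cisco
! Added example, not from the thread. Interface, ACL name, inspect name
! and addresses are assumptions.
!
! Inspect rule: track TCP, UDP and ICMP sessions leaving the router.
ip inspect name EDGE-FW tcp
ip inspect name EDGE-FW udp
ip inspect name EDGE-FW icmp
!
! Inbound ACL on the WAN side: permit only what must be reachable from
! outside (an assumed mail host on the LAN); everything else is denied
! and logged. Return traffic for sessions the LAN started is admitted by
! the dynamic entries CBAC adds in front of this ACL.
ip access-list extended WAN-IN
 permit tcp any host 198.51.100.10 eq 25
 deny   ip any any log
!
interface Serial0/0
 description WAN uplink (assumed)
 ip address 192.0.2.1 255.255.255.252
 ip access-group WAN-IN in
 ! ACL is IN on this interface, so inspection is OUT on the same
 ! interface: sessions heading to the Internet are tracked and their
 ! replies are let back through WAN-IN.
 ip inspect EDGE-FW out
!
! Verification while deploying:
!   show ip inspect sessions        - tracked sessions and their state
!   show ip access-lists WAN-IN     - hit counts on the static entries;
!                                     unexpected growth on the deny line
!                                     means inspection is not covering
!                                     that traffic
```

Applying `ip inspect ... in` on the same interface as an inbound ACL, as in the quoted configuration above, gives CBAC nothing to punch holes for on the return path, which matches the symptom reported in the thread.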
