cbac-question-ios-12.3

Discussion in 'Cisco' started by cconnell_1@lycos.com, Jun 24, 2005.

  1. Guest

    Hello,

    I am learning cbac, and have set up a mini lab (laptop/router etc), I
    have setup cbac and it does work in that it lets return traffic come
    back to my laptop, e.g. when I telnet/ssh to a host from my laptop
    behind the router to a host external to the router.

    However, in the Cisco IOS book, it says that when you do sh
    access-lists, you see the temporary opening CBAC creates when it's used.
    When I telneted and ssh'd to an external box, I did this but it does
    not show the temporary openings it should for access-list 151.
    In 12.3 is it different behaviour?

    config is (running on 1841):

    Current configuration : 2825 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname iss-web-router
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 10 log
    security passwords min-length 6
    no logging buffered
    logging console informational
    enable secret 5 $1$ZljO$a.H7zbOdpLvVDYJgwu6Mv0
    enable password 7 011B570A0B1F035C
    !
    aaa new-model
    !
    !
    aaa authentication login local_auth local
    !
    aaa session-id common
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    no ip source-route
    no ip gratuitous-arps
    ip cef
    !
    !
    ip inspect name iss-web-router ftp
    ip inspect name iss-web-router h323
    ip inspect name iss-web-router http
    ip inspect name iss-web-router tcp alert on router-traffic
    ip inspect name iss-web-router udp
    ip inspect name iss-web-router icmp
    no ip dhcp use vrf connected
    !
    !
    no ip ips deny-action ips-interface
    no ip bootp server
    no ip domain lookup
    login block-for 10 attempts 3 within 5
    !
    no ftp-server write-enable
    !
    !
    !
    username cisco privilege 15 secret 5 $1$.Ry8$8ml8czOZdwsvRok7kCA700
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
    ip address 192.168.8.1 255.255.255.0
    ip access-group 150 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect iss-web-router in
    speed auto
    full-duplex
    no mop enabled
    !
    interface FastEthernet0/1
    ip address 192.168.52.239 255.255.255.0
    ip access-group 151 in
    ip verify unicast source reachable-via rx allow-default 100
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    speed auto
    full-duplex
    no mop enabled
    !
    ip default-gateway 192.168.52.1
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.52.1
    !
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    !
    !
    no logging trap
    access-list 150 permit ip 192.168.8.0 0.0.0.255 any
    access-list 150 deny ip any any
    access-list 151 permit tcp any any eq telnet
    access-list 151 permit tcp any any eq domain
    access-list 151 deny ip any any log
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    control-plane
    !
    banner login ^CISS Webhosting Router^C
    banner motd ^Cuthorized ^C
    !
    line con 0
    exec-timeout 5 0
    timeout login response 300
    login authentication local_auth
    transport output telnet
    line aux 0
    exec-timeout 15 0
    login authentication local_auth
    transport output telnet
    line vty 0 4
    privilege level 15
    password 7 000C4208544F0E55
    login authentication local_auth
    transport input telnet
    line vty 5 15
    privilege level 15
    password 7 141F43055C102F78
    login authentication local_auth
    transport input telnet
    !
    end
     
    , Jun 24, 2005
    #1

  2. On Fri, 24 Jun 2005 07:21:23 -0700, cconnell_ wrote:

    > Hello,
    >
    > I am learning cbac, and have set up a mini lab (laptop/router etc), I have
    > setup cbac and it does work in that it lets return traffic come back to my
    > laptop, e.g. when I telnet/ssh to a host from my laptop behind the router
    > to a host external to the router.
    >
    > However, in the cisco ios book, it says that when you do sh access-lists,
    > you see the temporary opening cbac creates when it's used, when I telneted
    > and ssh'd to an external box, I did this but it does not show the
    > temporary openings it should for access-list 151. In 12.3 is it different
    > behaviour?
    >


    Yes. Somewhere in 12.3 they changed it so rather than adding lines to
    ACLs the information about the traffic to allow is kept somewhere else.
    "show ip inspect session" might reveal something, or search CCO for "CBAC
    ACL bypass" perhaps.

    Rgds,
    Martin
     
    Martin Gallagher, Jun 24, 2005
    #2
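A small model of the behaviour Martin describes, added here as an illustration and not code from the thread or from Cisco: the inbound ACL on the outside interface stays static (what `show access-lists` reports), while return traffic is admitted from a separate session table. The ACL rules are taken from the poster's access-list 151; the flows, addresses and the `Cbac` class are constructed for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

# access-list 151 from the poster's config, applied "in" on FastEthernet0/1.
# Only "tcp any any eq <port>" and "ip any any" entries are modelled.
ACL_151 = [
    ("permit", "tcp", 23),   # access-list 151 permit tcp any any eq telnet
    ("permit", "tcp", 53),   # access-list 151 permit tcp any any eq domain
    ("deny", "ip", None),    # access-list 151 deny ip any any log
]

Flow = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


class Cbac:
    """Simplified CBAC with 12.3-style ACL bypass (constructed model)."""

    def __init__(self, acl: List[tuple], inspected: List[str]) -> None:
        self.acl = acl
        self.inspected = set(inspected)        # ip inspect name ... tcp/udp/icmp
        self.sessions: Set[Flow] = set()        # state kept outside the ACL

    def outbound(self, src: str, sport: int, dst: str, dport: int,
                 proto: str = "tcp") -> str:
        # Packet enters Fa0/0 ("ip inspect iss-web-router in"): record session.
        if proto in self.inspected:
            self.sessions.add((src, sport, dst, dport, proto))
        return "forwarded"

    def acl_lookup(self, proto: str, dport: Optional[int]) -> str:
        for action, aproto, port in self.acl:
            if aproto == "ip" or (aproto == proto and port == dport):
                return action
        return "deny"                           # implicit deny at end of ACL

    def inbound(self, src: str, sport: int, dst: str, dport: int,
                proto: str = "tcp") -> str:
        # Packet enters Fa0/1: reply to an inspected session bypasses the ACL;
        # the ACL itself is never modified, so no temporary entry appears.
        if (dst, dport, src, sport, proto) in self.sessions:
            return "permit (inspect session)"
        return self.acl_lookup(proto, dport)

    def show_access_lists(self) -> List[tuple]:
        return list(self.acl)                   # static entries only


def demo() -> tuple:
    fw = Cbac(ACL_151, ["tcp", "udp", "icmp"])
    fw.outbound("192.168.8.10", 51000, "192.168.52.50", 22)        # ssh out
    reply = fw.inbound("192.168.52.50", 22, "192.168.8.10", 51000)  # ssh reply
    new_in = fw.inbound("192.168.52.77", 40000, "192.168.8.10", 22)  # no session
    telnet = fw.inbound("192.168.52.1", 3000, "192.168.8.1", 23)     # static ACE
    return reply, new_in, telnet, len(fw.show_access_lists()), len(fw.sessions)
```

Running `demo()` shows the reply admitted via the session table, the unsolicited connection denied by the ACL, the inbound telnet permitted by the static entry, and the ACL still holding exactly its three configured lines.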

  3. Guest

    There were major changes to the CBAC implementation
    from 123-8.T (I believe).

    The "ip audit" command was replaced by the "ip ips" command.

    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_qanda_item09186a008009464d.shtml
    Cisco IOS Firewall Feature Set Frequently Asked Questions

    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
    seems to apply to the old cbac only.

    Mr CISCO - PLEASE FIX ABOVE.

    I have spent about 15 mins looking but cannot find the
    proper description of the changes.
     
    , Jun 27, 2005
    #3