cbac, nat & dialer issues

Discussion in 'Cisco' started by Eric Masson, Jan 12, 2006.

  1. Eric Masson

    Eric Masson Guest

    Hi,

    I'm facing a problem with CBAC on a 12.2-32 1601R:
    When I try to telnet to the https port of a host on the internet, I get the
    following in the logs:
    %SEC-6-IPACCESSLOGP: list 103 denied tcp 62.212.107.51(443) -> 193.248.11.153(33794), 1 packet

    Regarding the configuration, CBAC should add a temporary rule in
    access-list 103 to allow the remote host's response.

    debug ip inspect events doesn't return any information, so I think I'm
    missing something, but what?

    Regards

    Éric Masson

    The configuration is as follows:

    version 12.2
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    !
    hostname rtrc16nanrtc
    !
    logging buffered 4096 debugging
    aaa new-model
    enable secret 5 xxxx
    !
    username xxxx password 7 xxxx
    clock timezone CET 1
    clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
    ip subnet-zero
    no ip source-route
    ip domain-name xxxx
    ip name-server 192.168.1.1
    !
    ip inspect audit-trail
    ip inspect name ALLOWED tcp alert on
    ip inspect name ALLOWED udp alert on
    isdn switch-type basic-net3
    !
    !
    interface Ethernet0
    ip address 192.168.1.25 255.255.255.0
    ip nat inside
    media-type 10BaseT
    !
    interface Serial0
    bandwidth 128
    no ip address
    no ip proxy-arp
    shutdown
    ntp disable
    !
    interface BRI0
    description Connexion physique Itoo
    no ip address
    no ip proxy-arp
    encapsulation ppp
    dialer pool-member 1
    ntp disable
    isdn switch-type basic-net3
    !
    interface Dialer1
    description Connexion Wanadoo
    ip address negotiated
    ip access-group 103 in
    no ip proxy-arp
    ip nat outside
    ip inspect ALLOWED out
    encapsulation ppp
    no ip split-horizon
    dialer pool 1
    dialer remote-name WANADOO
    dialer string xxxx
    dialer-group 1
    ntp disable
    ppp authentication pap chap callin
    ppp chap hostname xxxx
    ppp chap password 7 xxxx
    ppp pap sent-username xxxx password 7 xxxx
    !
    ip nat inside source list 101 interface Dialer1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    !
    logging 192.168.1.1
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip any host 62.212.107.51
    access-list 103 deny ip host 255.255.255.255 any log
    access-list 103 deny ip 192.168.1.0 0.0.0.255 any log
    access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 103 permit icmp any any echo
    access-list 103 permit icmp any any echo-reply
    access-list 103 permit icmp any any time-exceeded
    access-list 103 permit icmp any any packet-too-big
    access-list 103 permit icmp any any traceroute
    access-list 103 permit icmp any any unreachable
    access-list 103 deny ip any any log
    dialer-list 1 protocol ip permit
    no cdp run
    !
    line con 0
    line vty 0 4
    transport input ssh
    !
    ntp clock-period 17042663
    ntp server 192.168.1.1
    end
     
    Eric Masson, Jan 12, 2006
    #1

  2. Eric Masson

    Eric Masson Guest

    Hi,
    I was missing point 3 of the following paragraph:
    http://www.cisco.com/univercd/cc/td...22cgcr/fsecur_c/ftrafwl/scfcbac.htm#wp1001140

    Packets with the firewall as the source or destination address are not
    inspected by CBAC.

    Thanks to Luc on nerim.comp.cisco for the answer.

    Regards

    Éric Masson
     
    Eric Masson, Jan 17, 2006
    #2
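To illustrate why the router's own telnet to port 443 was logged as denied while a LAN host behind NAT would get through, here is an added Python model of the thread's setup (not IOS code and not the poster's own): access-list 103 inbound on Dialer1, "ip inspect ALLOWED out" on Dialer1, and NAT overload to the Dialer1 address. The reduced ACL logic and the sequential PAT port allocation are constructed assumptions.

```python
# Constructed model of the thread's router (assumption: not real IOS behaviour in detail).
ROUTER_WAN_IP = "193.248.11.153"   # negotiated Dialer1 address, taken from the log line
INSPECTED_PROTOCOLS = ("tcp", "udp")   # "ip inspect name ALLOWED tcp/udp"


def acl_103_permits(proto):
    """access-list 103 reduced to what matters here: only ICMP is permitted
    statically; there is no permit for tcp or udp, so their return traffic
    depends entirely on a CBAC temporary entry."""
    return proto == "icmp"


class Cbac:
    """Session table that 'ip inspect ALLOWED out' on Dialer1 maintains."""

    def __init__(self):
        self.sessions = set()   # (outside_src, outside_port, router_ip, nat_port, proto)
        self.next_port = 1024   # constructed sequential PAT port allocator

    def outbound(self, src, sport, dst, dport, proto):
        """Packet leaving via Dialer1. Returns the NAT port if a session was
        created, or None if CBAC did not inspect the packet."""
        # Point 3 of the Cisco doc quoted in the thread: packets with the
        # firewall itself as source or destination are not inspected.
        if src == ROUTER_WAN_IP:
            return None
        if proto not in INSPECTED_PROTOCOLS:   # ICMP is not in the ALLOWED rule
            return None
        nat_port = self.next_port
        self.next_port += 1
        self.sessions.add((dst, dport, ROUTER_WAN_IP, nat_port, proto))
        return nat_port

    def inbound(self, src, sport, dst, dport, proto):
        """Packet arriving on Dialer1: CBAC entries are checked before ACL 103.
        Returns (decision, reason)."""
        if (src, sport, dst, dport, proto) in self.sessions:
            return "permit", "CBAC temporary entry"
        if acl_103_permits(proto):
            return "permit", "access-list 103 static permit"
        return "deny", (f"%SEC-6-IPACCESSLOGP: list 103 denied {proto} "
                        f"{src}({sport}) -> {dst}({dport}), 1 packet")
```

Running the router-originated case reproduces the denied log line from the first post, while the same connection from a LAN host creates a session and its reply is permitted.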
