Hi,
I'm facing a problem with CBAC on a 12.2-32 1601R: when I try to telnet to the https port of a host on the internet, I get the following in the logs:

%SEC-6-IPACCESSLOGP: list 103 denied tcp 62.212.107.51(443) -> 193.248.11.153(33794), 1 packet

Regarding the configuration, CBAC should add a temporary rule to access-list 103 to allow the remote host's response.
debug ip inspect events doesn't return any information, so I think I'm missing something, but what?
Regards
Éric Masson

The configuration is as follows:
version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname rtrc16nanrtc
!
logging buffered 4096 debugging
aaa new-model
enable secret 5 xxxx
!
username xxxx password 7 xxxx
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip source-route
ip domain-name xxxx
ip name-server 192.168.1.1
!
ip inspect audit-trail
ip inspect name ALLOWED tcp alert on
ip inspect name ALLOWED udp alert on
isdn switch-type basic-net3
!
!
interface Ethernet0
 ip address 192.168.1.25 255.255.255.0
 ip nat inside
 media-type 10BaseT
!
interface Serial0
 bandwidth 128
 no ip address
 no ip proxy-arp
 shutdown
 ntp disable
!
interface BRI0
 description Connexion physique Itoo
 no ip address
 no ip proxy-arp
 encapsulation ppp
 dialer pool-member 1
 ntp disable
 isdn switch-type basic-net3
!
interface Dialer1
 description Connexion Wanadoo
 ip address negotiated
 ip access-group 103 in
 no ip proxy-arp
 ip nat outside
 ip inspect ALLOWED out
 encapsulation ppp
 no ip split-horizon
 dialer pool 1
 dialer remote-name WANADOO
 dialer string xxxx
 dialer-group 1
 ntp disable
 ppp authentication pap chap callin
 ppp chap hostname xxxx
 ppp chap password 7 xxxx
 ppp pap sent-username xxxx password 7 xxxx
!
ip nat inside source list 101 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
logging 192.168.1.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any host 62.212.107.51
access-list 103 deny ip host 255.255.255.255 any log
access-list 103 deny ip 192.168.1.0 0.0.0.255 any log
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 permit icmp any any echo
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any packet-too-big
access-list 103 permit icmp any any traceroute
access-list 103 permit icmp any any unreachable
access-list 103 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
line con 0
line vty 0 4
 transport input ssh
!
ntp clock-period 17042663
ntp server 192.168.1.1
end
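The log line quoted in the post is the IOS %SEC-6-IPACCESSLOGP message that an access-list entry with the `log` keyword emits. As an added example, not part of the post or of IOS, here is a small Python triage script that parses such lines from a syslog collector (the configuration sends logs to 192.168.1.1) and flags denied packets whose source is a well-known service port and whose destination is an ephemeral port: the shape of a reply to a session initiated from inside, which is exactly what the inspect rule should have admitted. The sample log lines are constructed for the example (the first one reproduces the post's message; the other addresses are documentation ranges).

```python
import re
from collections import Counter

# IOS ACL log format as seen in the post:
# %SEC-6-IPACCESSLOGP: list 103 denied tcp 62.212.107.51(443) -> 193.248.11.153(33794), 1 packet
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample input: syslog lines as a collector would store them.
SAMPLE_LOG = [
    "Oct 12 10:01:02: %SEC-6-IPACCESSLOGP: list 103 denied tcp 62.212.107.51(443) -> 193.248.11.153(33794), 1 packet",
    "Oct 12 10:01:04: %SEC-6-IPACCESSLOGP: list 103 denied tcp 62.212.107.51(443) -> 193.248.11.153(33794), 2 packets",
    # An unsolicited inbound probe to telnet: correctly denied, not a reply.
    "Oct 12 10:02:00: %SEC-6-IPACCESSLOGP: list 103 denied tcp 198.51.100.7(40000) -> 193.248.11.153(23), 1 packet",
    # A permitted reply: nothing to report.
    "Oct 12 10:02:30: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 203.0.113.9(80) -> 193.248.11.153(40001), 1 packet",
    # Unrelated message that the parser must skip.
    "Oct 12 10:03:00: %LINK-3-UPDOWN: Interface Dialer1, changed state to up",
]


def parse_acl_log(line):
    """Return a dict with acl, action, proto, src, sport, dst, dport, count,
    or None when the line is not an IPACCESSLOGP message."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def find_dropped_replies(lines, service_ports=(22, 25, 80, 443)):
    """Count denied packets that look like replies to inside-initiated
    sessions: source port is a well-known service, destination port is
    ephemeral (>= 1024). Keyed by (acl, proto, remote host, remote port)."""
    hits = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        if rec["sport"] in service_ports and rec["dport"] >= 1024:
            hits[(rec["acl"], rec["proto"], rec["src"], rec["sport"])] += rec["count"]
    return hits


def report(lines):
    """Human-readable summary, one line per suspicious flow."""
    return [
        f"list {acl}: {count} {proto} packet(s) from {src}:{sport} dropped despite looking like replies"
        for (acl, proto, src, sport), count in sorted(find_dropped_replies(lines).items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the sample input the only flow reported is the one from the post: three packets from 62.212.107.51:443 dropped by list 103. The inbound probe to port 23 is left out on purpose, since a reply-shaped packet and an unsolicited connection attempt call for different follow-up, and keeping them apart is what makes this kind of summary useful when checking whether the inspect rule is opening the return path.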