Hello,
I am learning CBAC, and have set up a mini lab (laptop/router etc.). I have set up CBAC and it does work, in that it lets return traffic come back to my laptop, e.g. when I telnet/ssh from my laptop behind the router to a host external to the router.
However, the Cisco IOS book says that when you do sh access-lists, you see the temporary opening CBAC creates when it's used. When I telnetted and ssh'd to an external box, I did this, but it does not show the temporary openings it should for access-list 151. Is the behaviour different in 12.3?
Config is (running on an 1841):
Current configuration : 2825 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname iss-web-router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
no logging buffered
logging console informational
enable secret 5 $1$ZljO$a.H7zbOdpLvVDYJgwu6Mv0
enable password 7 011B570A0B1F035C
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
ip inspect name iss-web-router ftp
ip inspect name iss-web-router h323
ip inspect name iss-web-router http
ip inspect name iss-web-router tcp alert on router-traffic
ip inspect name iss-web-router udp
ip inspect name iss-web-router icmp
no ip dhcp use vrf connected
!
no ip ips deny-action ips-interface
no ip bootp server
no ip domain lookup
login block-for 10 attempts 3 within 5
!
no ftp-server write-enable
!
username cisco privilege 15 secret 5 $1$.Ry8$8ml8czOZdwsvRok7kCA700
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 192.168.8.1 255.255.255.0
 ip access-group 150 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect iss-web-router in
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 ip address 192.168.52.239 255.255.255.0
 ip access-group 151 in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 speed auto
 full-duplex
 no mop enabled
!
ip default-gateway 192.168.52.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.52.1
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
no logging trap
access-list 150 permit ip 192.168.8.0 0.0.0.255 any
access-list 150 deny ip any any
access-list 151 permit tcp any any eq telnet
access-list 151 permit tcp any any eq domain
access-list 151 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CISS Webhosting Router^C
banner motd ^Cuthorized ^C
!
line con 0
 exec-timeout 5 0
 timeout login response 300
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 000C4208544F0E55
 login authentication local_auth
 transport input telnet
line vty 5 15
 privilege level 15
 password 7 141F43055C102F78
 login authentication local_auth
 transport input telnet
!
end
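As an added example (not part of the original post), a small Python check that parses a running-config like the one above and pairs each interface carrying `ip inspect ... in` with the inbound ACL on the other interface, which is the ACL CBAC's temporary return-traffic entries are added to and the one to look at in `sh access-lists`. The config text is a trimmed copy of the poster's with secrets removed, and the regexes assume numbered ACLs and the interface syntax seen in this config.

```python
import re

# Trimmed copy of the poster's running-config, secrets removed (constructed sample input).
CONFIG = """
ip inspect name iss-web-router ftp
ip inspect name iss-web-router tcp alert on router-traffic
ip inspect name iss-web-router udp
ip inspect name iss-web-router icmp
interface FastEthernet0/0
 ip access-group 150 in
 ip inspect iss-web-router in
interface FastEthernet0/1
 ip access-group 151 in
access-list 150 permit ip 192.168.8.0 0.0.0.255 any
access-list 150 deny ip any any
access-list 151 permit tcp any any eq telnet
access-list 151 deny ip any any log
"""

def parse_config(text):
    """Collect inspect rules, per-interface ACL/inspect bindings, and numbered ACL bodies."""
    rules, interfaces, acls, cur = {}, {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip inspect name (\S+) (\S+)", line):
            rules.setdefault(m[1], []).append(m[2])           # rule name -> inspected protocols
        elif m := re.match(r"interface (\S+)", line):
            cur = interfaces.setdefault(m[1], {})            # enter an interface block
        elif m := re.match(r"access-list (\d+) (.*)", line):
            acls.setdefault(m[1], []).append(m[2])            # ACL number -> entries, in order
        elif cur is not None and (m := re.match(r"ip access-group (\d+) (in|out)", line)):
            cur["acl_" + m[2]] = m[1]                         # ACL bound to this interface
        elif cur is not None and (m := re.match(r"ip inspect (\S+) (in|out)", line)):
            cur["inspect_" + m[2]] = m[1]                     # inspect rule bound here
    return rules, interfaces, acls

def cbac_pairing(text):
    """For each 'ip inspect X in' interface, report the inbound ACL on every other interface:
    that ACL receives the temporary openings, so it must exist and end in a deny."""
    rules, interfaces, acls = parse_config(text)
    findings = []
    for inside, cfg in interfaces.items():
        if rule := cfg.get("inspect_in"):
            for outside, ocfg in interfaces.items():
                if outside == inside:
                    continue
                acl = ocfg.get("acl_in")
                ok = acl in acls and any(e.startswith("deny") for e in acls[acl])
                findings.append({"inside": inside, "rule": rule, "protocols": rules.get(rule, []),
                                 "outside": outside, "return_acl": acl, "blocks_return": ok})
    return findings
```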