Cisco CBAC just does not work for me, period...

Hello,

I have tried everything from the default 'wizard' config (which immediately breaks connectivity) to the most bare-bones CLI configuration for CBAC, the results are always the same: as SOON as I enable inspection, connectivity is lost.

I can find no mention in Cisco's docs to explain why, and have tried numerous example configurations and have RTFM'd and debugged trying to find 'what I missed'. Can't find it. It just doesn't work for me. Any advice would be great.

I've included one of the 'basic' configurations I tried for review / comment. If this firewall could manage letting all outbound connections happen and keeping their state for return traffic, I would be impressed enough, because it's more than it's done for me lately.

Please note there is no connectivity with this configuration. Fe0 is the outside interface. I have to remove the access list and stateful list on Fe0 in order for connectivity to happen. If I make an explicit permit on the inbound ACL on Fe0 (i.e. the access list is just a permit ip any any) then connectivity is fine UNTIL I enable outbound inspection on the same interface; connectivity is lost as soon as CBAC is enabled, basically in all circumstances as far as I can tell. At least it's a very effective firewall, so long as complete absence of connectivity is the goal ;)

--------------
Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(7)T2, RELEASE SOFTWARE (fc2)
Technical Support: formatting link
(c) 1986-2004 by Cisco Systems, Inc.
Compiled Wed 02-Jun-04 14:22 by eaarmas

ROM: System Bootstrap, Version 12.2(7r)XM4, RELEASE SOFTWARE (fc1)

rrouter uptime is 36 weeks, 4 days, 9 hours, 32 minutes
System returned to ROM by power-on
System restarted at 07:35:17 PCTime Mon Nov 15 2004
System image file is "flash:c1700-k9o3sy7-mz.123-7.T2.bin"

------------

Interface FastEthernet0
 Inbound inspection rule is not set
 Outgoing inspection rule is DEFAULT100
  smtp max-data 20000000 alert is on audit-trail is off timeout 3600
  sqlnet alert is on audit-trail is off timeout 3600
  streamworks alert is on audit-trail is off timeout 30
  tftp alert is on audit-trail is off timeout 30
  tcp alert is on audit-trail is off timeout 3600
  udp alert is on audit-trail is off timeout 30
  vdolive alert is on audit-trail is off timeout 3600
  icmp alert is on audit-trail is off timeout 10
  http alert is on audit-trail is off timeout 3600
 Inbound access list is OUTSIDE
 Outgoing access list is not set

--------------
Current configuration : 11267 bytes
!
! Last configuration change at 17:13:39 PCTime Fri Jul 29 2005 by newmant
! NVRAM config last updated at 17:12:21 PCTime Fri Jul 29 2005 by newmant
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rrouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging buffered 52000 debugging
logging console critical
enable secret 5 sldksdkljfsdlfjsdlfjsdlfjsldf
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip tcp synwait-time 10
ip domain name blah.com
ip name-server 10.10.1.2
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 http
ip inspect name EDFAULT100 http
ip inspect name stateful tcp
ip inspect name stateful udp
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
no crypto isakmp enable
!
!
!
interface Null0
 no ip unreachables
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface FastEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id FastEthernet0
 ip access-group OUTSIDE in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 switchport access vlan 3
 no ip address
 no cdp enable
!
interface FastEthernet4
 switchport access vlan 4
 no ip address
 no cdp enable
!
interface Vlan4
 description $FW_INSIDE$
 ip address 10.10.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
ip classless
ip http server
ip http authentication local
no ip http secure-server
ip nat pool 1 192.168.1.2 192.168.1.25 netmask 255.255.255.0
ip nat pool 2 10.10.1.2 10.10.1.25 netmask 255.255.255.0
ip nat inside source list nat interface FastEthernet0 overload
ip nat inside source static tcp 10.10.1.4 20 54.180.109.92 20 extendable
ip nat inside source static tcp 10.10.1.4 21 54.180.109.92 21 extendable
ip nat inside source static tcp 10.10.1.5 25 54.180.109.92 25 extendable
ip nat inside source static tcp 192.168.1.119 80 54.180.109.92 80 extendable
ip nat inside source static tcp 10.10.1.3 110 54.180.109.92 110 extendable
ip nat inside source static udp 10.10.1.2 123 54.180.109.92 123 extendable
ip nat inside source static tcp 10.10.1.3 22 54.180.109.92 2234 extendable
ip nat inside source static tcp 10.10.1.4 8080 54.180.109.92 8080 extendable
ip nat inside source static tcp 10.10.1.3 8081 54.180.109.92 8081 extendable
ip nat inside source static tcp 192.168.1.112 9080 54.180.109.92 9080 extendable
!
!
!
ip access-list extended OUTSIDE
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo-reply
 permit icmp any any traceroute
 deny ip any any
ip access-list extended nat
 remark SDM_ACL Category=2
 permit ip any any
logging 192.168.1.100
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user! ^C
!
line con 0
 password 7 020D0D575C400924481B4C
 login
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17179989
ntp server 10.10.1.2 source Vlan4 prefer
!
end

----------

Reply to
flubdgub
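The posted configuration follows the standard CBAC pattern (an inspection rule applied outbound on the outside interface, a restrictive ACL applied inbound on the same interface, CBAC punching temporary openings into that ACL for return traffic), so the structural relationships are worth checking mechanically before reaching for debug. What follows is an added example, not code from the original post or from Cisco: a small Python linter that parses the 'ip inspect name', interface 'ip inspect' / 'ip access-group' bindings, 'ip access-list extended' bodies and static NAT statements of an IOS running-config and reports the mismatches a reviewer would look for first. The sample input is a constructed excerpt of the config above; the port-name table, the outside-interface assumption (inspect out and ACL in on the same interface) and the findings wording are the example's own.

```python
# Added example, not from the original post or from Cisco: a linter for the
# CBAC / ACL / NAT relationships in an IOS running-config.  It assumes the
# outside-interface pattern used in the posted config ('ip inspect NAME out'
# plus 'ip access-group ACL in' on the same interface).
import re
from collections import defaultdict

# Constructed sample: the relevant statements of the posted config.
SAMPLE_CONFIG = """ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name EDFAULT100 http
ip inspect name stateful tcp
interface FastEthernet0
 ip address dhcp client-id FastEthernet0
 ip access-group OUTSIDE in
 ip nat outside
 ip inspect DEFAULT100 out
!
ip nat inside source static tcp 10.10.1.5 25 54.180.109.92 25 extendable
ip nat inside source static tcp 10.10.1.3 22 54.180.109.92 2234 extendable
ip access-list extended OUTSIDE
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo-reply
 deny ip any any
"""

# Port names IOS prints in ACLs (partial table, an assumption of this example;
# unknown names never match, so the linter errs toward reporting a port as blocked).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "ftp-data": 20, "ftp": 21,
              "smtp": 25, "domain": 53, "www": 80, "pop3": 110, "ntp": 123}

def _port(p):
    return PORT_NAMES.get(p, int(p) if p.isdigit() else -1)

def _skip_addr(t, i):
    """Index after an ACE address clause: 'any', 'host X' or 'ADDR WILDCARD'."""
    return i + 1 if t[i] == "any" else i + 2

def parse_ace(ace):
    """'permit udp any eq bootps any eq bootpc' -> ('permit', 'udp', 'bootps', 'bootpc')."""
    t = ace.split()
    i, src_port, dst_port = _skip_addr(t, 2), None, None
    if i < len(t) and t[i] == "eq":
        src_port, i = t[i + 1], i + 2
    i = _skip_addr(t, i)
    if i < len(t) and t[i] == "eq":
        dst_port = t[i + 1]
    return t[0], t[1], src_port, dst_port

def acl_permits(aces, proto, dst_port):
    """First-match evaluation for traffic to dst_port; implicit deny at the end."""
    for ace in aces:
        if not ace.startswith(("permit", "deny")):
            continue                                   # remark lines
        action, ace_proto, _, ace_dst = parse_ace(ace)
        if ace_proto not in (proto, "ip"):
            continue
        if ace_dst is not None and _port(ace_dst) != dst_port:
            continue
        return action == "permit"
    return False

def parse_config(text):
    cfg = {"inspect": defaultdict(list), "acls": {}, "ifaces": {}, "static_nat": []}
    block = None                     # ("iface"|"acl", name) while inside a block
    for line in text.splitlines():
        body = line.strip()
        if line.startswith(" ") and block and body:
            if block[0] == "acl":
                cfg["acls"][block[1]].append(body)
            elif m := re.match(r"ip (access-group|inspect) (\S+) (in|out)$", body):
                key = ("acl_" if m[1] == "access-group" else "inspect_") + m[3]
                cfg["ifaces"][block[1]][key] = m[2]
            elif body.startswith("ip address dhcp"):
                cfg["ifaces"][block[1]]["dhcp"] = True
            elif body == "ip nat outside":
                cfg["ifaces"][block[1]]["nat_outside"] = True
            continue
        block = None                 # any top-level line ends the current block
        if m := re.match(r"interface (\S+)$", line):
            block, cfg["ifaces"][m[1]] = ("iface", m[1]), {}
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            block, cfg["acls"][m[1]] = ("acl", m[1]), []
        elif m := re.match(r"ip inspect name (\S+) (\S+)", line):
            cfg["inspect"][m[1]].append(m[2])
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", line):
            cfg["static_nat"].append((m[1], m[4], int(m[5]), m[2], int(m[3])))
    return cfg

def lint(cfg):
    findings, applied = [], set()
    for name, iface in cfg["ifaces"].items():
        applied.update(v for k, v in iface.items() if k.startswith("inspect_"))
        rule, acl = iface.get("inspect_out"), iface.get("acl_in")
        if rule is None:
            continue
        if rule not in cfg["inspect"]:
            findings.append(f"{name}: 'ip inspect {rule} out' names an undefined rule")
        if acl not in cfg["acls"]:
            findings.append(f"{name}: inspection out but no inbound ACL for CBAC to open")
            continue
        aces = cfg["acls"][acl]
        if iface.get("dhcp") and not acl_permits(aces, "udp", 68):
            findings.append(f"{name}: DHCP client but ACL {acl} blocks bootps->bootpc")
        # CBAC only opens return paths for sessions started from inside; a service
        # published by static NAT still needs an explicit permit in this ACL.
        if iface.get("nat_outside"):
            for proto, _g, gport, laddr, lport in cfg["static_nat"]:
                if not acl_permits(aces, proto, gport):
                    findings.append(f"{name}: static NAT {proto}/{gport} -> {laddr}:{lport} "
                                    f"unreachable, ACL {acl} has no permit for it")
    findings += [f"inspection rule '{r}' is defined but applied to no interface"
                 for r in cfg["inspect"] if r not in applied]
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse_config(SAMPLE_CONFIG))))
```

Run against the excerpt, the linter reports the two static NAT forwards that nothing in OUTSIDE permits (every forward in the full config is in the same position, since CBAC never opens a path for connections initiated from outside) and the two inspection rules, EDFAULT100 and stateful, that are defined but applied nowhere. It finds nothing that would explain the total loss of outbound connectivity the post describes, which is the useful negative result: the static config matches the documented pattern, so the next step is runtime evidence from `show ip inspect sessions` and `debug ip inspect` on the router itself rather than further edits to the ACL.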

Try the sample config at formatting link and work from there.

Which version of the Wizard (SDM?) are you using? Try a newer version of SDM to get the wizard to work.

Reply to
Phillip Remaker

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.