IEOC CCIE Forums

IEOC - INE's Online Community

Latest post 10-04-2016 11:49 AM by cristian.matei. 2 replies.
  • 10-02-2016 12:55 PM

    CBAC Not Working

    In the CCIE Security ATC class on CBAC, Brian tries to use the command below, but doesn't get it working.  He said it's supposed to save you needing to do a deny any any on an inbound ACL on the outside interface.  However he did not manage to get it working. I also tested it, and I couldn't get it working that way either.
    This is the command that never worked:  #ip inspect tcp block-non-session

    R4#
    interface FastEthernet0/0
     ip address 10.0.45.4 255.255.255.0
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 10.0.45.5

    r5#
    ip inspect tcp block-non-session
    ip inspect name test telnet
    !
    interface FastEthernet0/1
     ip address 10.0.56.5 255.255.255.0
     ip inspect test out
     duplex auto
     speed auto
    !
    interface FastEthernet0/0
     ip address 10.0.45.5 255.255.255.0
     duplex auto
     speed auto
    end

    R6#
    interface FastEthernet0/1
     ip address 10.0.56.6 255.255.255.0
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 10.0.56.5
    !
    You would expect that telnet from R4 to R6 works. Fine. However, you would also expect that telnet from R6 to R4 should fail because of the command "ip inspect tcp block-non-session". As you can see, the state table is clean:
    r5#sh ip inspect ses
    r5#

    r6#telnet 10.0.45.4
    Trying 10.0.45.4 ... Open

    User Access Verification

    Password:
    r4>en
    Password:
    r4#

    Why can R6 telnet to R4?

    • Post Points: 35
  • 10-02-2016 11:23 PM In reply to

    • HubertW
    • Top 75 Contributor
    • Joined on 09-25-2013
    • Warsaw(PL)/Bratislava(SK)
    • Expert
    • Points 3,765

    Re: CBAC Not Working

    Hi,

    I see you monitor OUT traffic; I can't see any IN policy. CBAC is not ZBPF, and there is no implicit deny for non-inspected protocols after the inspection; you need an ACL to check incoming traffic.

    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html#wp1000981

    regards

    Hubert

    • Post Points: 5
  • 10-04-2016 11:49 AM In reply to

    Re: CBAC Not Working

    Hi,

    A correct/valid CBAC configuration requires CBAC inspection to be applied (IN or OUT) and an ACL to be applied inbound in the reverse direction of the inspection; in your use case, the ACL should be applied inbound on R5 Fa0/1. Do this and confirm that as you telnet from R4 to R6, you see that session in the CBAC firewall state table of R5; if this is NOT the case, either you have a typo somewhere or you run very buggy code.

    Afterwards, after you've done a correct CBAC configuration, you can enable the "ip inspect tcp block-non-session" feature, and if you telnet from R6 to R4, telnet traffic should be dropped NOT by the reverse-direction inbound ACL, but because of this feature being configured. I've seen this feature be not very stable; in some codes it works well, in some not. Probably it's buggy and Cisco is not aware of it because nobody uses it, so nobody raises any TAC cases.

    Thanks,

    Cristian.

    Cristian Matei, CCIE #23684 (SC/R&S)
    cmatei@ine.com


    InternetworkExpert Inc.
    http://www.ine.com
    Online Community: http://www.ieoc.com
    CCIE Blog: http://blog.ine.com

    • Post Points: 5
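The R5 configuration Cristian describes, written out as an added example (not config posted in the thread): inspection out on Fa0/1 plus an explicit-deny ACL inbound on the same interface, so that only return traffic of sessions CBAC has seen leave is let back in. The ACL name OUTSIDE-IN is an assumption.

```cisco
! R5, corrected: inspect telnet leaving Fa0/1 toward R6 and drop anything
! arriving on Fa0/1 that CBAC has not dynamically permitted.
ip inspect name test telnet
!
! OUTSIDE-IN is a hypothetical name. Note that an ACL with no entries (or one
! that does not exist) permits everything, so the explicit deny line is what
! supplies the default deny that CBAC relies on; "log" lets you see the drops.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
interface FastEthernet0/1
 ip address 10.0.56.5 255.255.255.0
 ip inspect test out
 ip access-group OUTSIDE-IN in
!
! Checks, run on R5 while a telnet from R4 to R6 is open:
!   show ip inspect sessions        -> should list the 10.0.45.4 -> 10.0.56.6
!                                      telnet session
!   show ip access-lists OUTSIDE-IN -> deny counter increases when R6 tries
!                                      to telnet to 10.0.45.4
!
! Only once the above behaves, add the feature from the original post:
ip inspect tcp block-non-session
```

With only static routes in this lab the blanket deny is safe; on a real outside interface you would first add permit lines for routing protocols, ICMP or management traffic that must arrive unsolicited.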