
CBAC Not Working

In the CCIE Security ATC class on CBAC, Brian tries to use the command below, but doesn't get it working. He said it's supposed to save you needing to do a deny any any on an inbound ACL on the outside interface. However, he did not manage to get it working. I also tested it, and I couldn't get it working that way either.

 

This is the command that never worked:  #ip inspect tcp block-non-session


R4

interface FastEthernet0/0
 ip address 10.0.45.4 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 10.0.45.5

R5

ip inspect tcp block-non-session
ip inspect name test telnet
!
interface FastEthernet0/1
 ip address 10.0.56.5 255.255.255.0
 ip inspect test out
 duplex auto
 speed auto
!
interface FastEthernet0/0
 ip address 10.0.45.5 255.255.255.0
 duplex auto
 speed auto
end

R6

interface FastEthernet0/1
 ip address 10.0.56.6 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 10.0.56.5

You would expect that telnet from R4 to R6 works. Fine. However, you would expect R6 telnet to R4 should fail because of the command "ip inspect tcp block-non-session". As you can see, the state table is clean:

r5#sh ip inspect ses
r5#

r6#telnet 10.0.45.4
Trying 10.0.45.4 ... Open

User Access Verification

Password:
r4>en
Password:
r4#

Why can R6 telnet to R4?

Comments

  • Hi,

    I see you monitor OUT traffic, but I can't see any IN policy. CBAC is not ZBPF; there is no implicit deny for non-inspected protocols after the inspection, so you need an ACL to check incoming traffic.

    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html#wp1000981

    regards
    Hubert

  • Hi,

    A correct/valid CBAC configuration requires CBAC inspection to be applied (IN or OUT) and an ACL to be applied inbound in the reverse direction of the inspection; in your use-case, the ACL should be applied inbound on R5 Fa0/1. Do this and confirm that as you telnet from R4 to R6, you see that session in the CBAC firewall state table of R5; if this is NOT the case, either you have a typo somewhere or you run a very buggy code.

    Afterwards, after you've done a correct CBAC configuration, you can enable this feature of "ip inspect tcp block-non-session", and if you telnet from R6 to R4, telnet traffic should be dropped NOT by the reverse direction inbound ACL, but because of this feature being configured. I've seen this feature to be not very stable; in some codes it works well, in some not; probably it's buggy and Cisco is not aware of this because nobody uses it, so nobody raises any TAC cases.

    Thanks,
    Cristian.
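The R5 configuration that Hubert's and Cristian's replies describe (inspection outbound on Fa0/1 plus a deny-all ACL inbound on the same interface), written out as an added example that was not posted in this thread; the ACL name OUTSIDE_IN is an assumption, and everything else is taken from the addresses and names already shown above.

```cisco
! R5 - corrected CBAC baseline (added example; OUTSIDE_IN is an assumed name)
! Telnet leaving toward R6 on Fa0/1 is inspected; CBAC then punches dynamic
! return entries into the inbound ACL on that interface for those sessions only.
ip inspect name test telnet
!
! Inbound ACL on the outside interface. Nothing is permitted statically, so
! any TCP session R6 tries to open toward R4 hits the deny and is logged.
ip access-list extended OUTSIDE_IN
 deny ip any any log
!
interface FastEthernet0/1
 ip address 10.0.56.5 255.255.255.0
 ip inspect test out
 ip access-group OUTSIDE_IN in
!
! Only after the baseline above is confirmed working, add the feature from
! the original post so its effect can be told apart from the ACL's.
ip inspect tcp block-non-session
!
! Checks, run while a Telnet session from R4 to R6 is open:
!   show ip inspect sessions          - lists the R4 -> R6 telnet session
!   show ip access-lists OUTSIDE_IN   - deny counter rises on R6 -> R4 attempts
```

With only telnet inspected, any other traffic R4 initiates toward R6 gets no return entry and its replies are dropped by the same ACL, so add the needed protocols to the inspect rule rather than loosening the ACL.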
