From: Colm O'Leary (co.oleary@gmail.com)
Date: Wed Feb 28 2007 - 10:45:41 ART
If you apply the inspect rule outbound on the same interface the inbound ACL
is applied, it will factor in the locally generated traffic, provided it is
configured correctly under the inspect rule.
On 2/26/07, Rocco R21 <roccor21@hotmail.com> wrote:
>
> permitting on the inbound and denying on the outbound. I'm setting this up
> to have CBAC inspect inbound and audit telnet from the inside. A deny for
> the outbound is to make CBAC inspect the return traffic destined for the
> inside; however, I think since the outside interface is a loopback on the
> router the outbound ACL will not be recognized unless I use a local policy
> route-map and set the interface loopback. When I try doing that it doesn't
> work, so I'm thinking it's not possible w/CBAC using a loopback as an
> external destination address. I will probably have to do this on the hop
> prior router.
>
>
> >From: "Serdar Kut" <kutserdar@gmail.com>
> >To: "Rocco R21" <roccor21@hotmail.com>
> >CC: ccielab@groupstudy.com
> >Subject: Re: local policy route-map w/CBAC
> >Date: Mon, 26 Feb 2007 09:04:28 +0200
> >
> >Hi,
> >Did you check the inbound ACL? Maybe your return traffic is not
> >permitted? Hence it is not checked by CBAC; you should manually permit the
> >return traffic inbound.
> >
> >
> >On 2/25/07, Rocco R21 <roccor21@hotmail.com> wrote:
> >>
> >>Hi all,
> >>
> >>Anybody ever use a local policy route-map when configuring CBAC? I've been
> >>playing around in my lab and I'm setting it up as internal on an ethernet
> >>interface, but by default the router will not block outbound on the ACL
> >>with originated traffic. I'm trying a local policy route-map and setting the
> >>interface to my loopback but no luck. I was wondering if anybody ever came
> >>across this scenario?
> >>
> >>rr
> >>
> >>_______________________________________________________________________
> >>Subscription information may be found at:
> >>http://www.groupstudy.com/list/CCIELab.html
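The arrangement Colm describes (inbound ACL and outbound inspect rule on the same interface, with the inspect rule told to include router-originated sessions), written out as an added IOS configuration example that is not from any message in this thread. Interface FastEthernet0/1, ACL 110, rule name CBAC-OUT and the 192.0.2.0/24 address are assumed lab values; the `router-traffic` keyword is the IOS option that makes CBAC inspect traffic the router itself generates.

```cisco
! Inspect rule: without "router-traffic" CBAC only tracks transit sessions,
! so a telnet started from the router's own CLI would never get an opening
! in the inbound ACL for its return packets.
ip inspect name CBAC-OUT tcp router-traffic audit-trail on
ip inspect name CBAC-OUT udp router-traffic
!
! Inbound ACL: nothing is permitted statically; CBAC inserts temporary
! permit entries ahead of this deny for each inspected session.
! (Add explicit permits here for anything CBAC does not track, e.g. routing
! protocol traffic, before using this on a real router.)
access-list 110 deny ip any any log
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group 110 in
 ip inspect CBAC-OUT out
!
! Verification after the router opens a telnet session out Fa0/1
! (assumed output names, check on your own IOS release):
!   show ip inspect sessions      - lists the router-sourced TCP session
!   show ip access-lists 110      - dynamic permit lines appear above the deny
!   show ip inspect config        - confirms router-traffic is set on the rule
```

If the return traffic never shows up in `show ip inspect sessions`, it is being dropped by ACL 110 before CBAC sees it, which matches Serdar's suggestion to check the inbound ACL first.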
This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:48 ART