> AaronComp#sh ip inspec sis det
> Established Sessions
> Session 8334C194 (192.168.10.57:1036)=>(24.158.63.45:80) http SIS_OPEN
>  Created 00:58:42, Last heard 00:50:20
>  Bytes sent (initiator:responder) [117:1741]
>   Initiator->Responder Window size 65535 Scale factor 0
>   Responder->Initiator Window size 5840 Scale factor 0
> In  SID 24.158.63.45[80:80]=>x.y.132.210[1036:1036] on ACL From_WAN (7 matches)

This would certainly suggest that traffic is making it past CBAC properly (the
session has gone SIS_OPEN, rather than being stuck in SIS_OPENING), and there are
both in and out counters updated.

> But I never see those dynamic entries added to the ACL, and the return
> traffic gets dropped.  I've done it before, worked as designed.  Is
> there something I'm just not getting here?
 
Note that since 12.3T ("IOS Firewall ACL Bypass"), CBAC doesn't prepend to ACLs.
Prior to that, a 'sh ip access-li' would show all of the active sessions; now those
are only reflected in 'sh ip inspect sess'.

Since you have generic TCP inspection enabled, there's no value in using legacy CBAC
HTTP inspection -- try dropping 'ip inspect name To_WAN http' and see how it looks
(if you want to scrutinize HTTP, use appfw). Alternatively, try re-enabling 'ip
virtual-reassembly' on Fas0/0.100. Lastly, add 'ip inspect log drop-pkt' and see if
anything interesting is logged when the connections fail.

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
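As an added example (not part of this thread or of IOS itself), the following Python parser reads 'sh ip inspect sessions detail' output of the shape quoted above and flags sessions whose return path looks broken: entries still in SIS_OPENING, or SIS_OPEN entries whose responder byte counter never moved. The sample text is constructed; the first session is the one from the thread, the second is invented to show a half-open case, and the "Half-open Sessions" heading and the suspect-session heuristics are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on the output quoted in the thread; the
# second session is invented to exercise the half-open (SIS_OPENING) case.
SAMPLE_OUTPUT = """\
Established Sessions
 Session 8334C194 (192.168.10.57:1036)=>(24.158.63.45:80) http SIS_OPEN
  Created 00:58:42, Last heard 00:50:20
  Bytes sent (initiator:responder) [117:1741]
  In  SID 24.158.63.45[80:80]=>x.y.132.210[1036:1036] on ACL From_WAN (7 matches)
Half-open Sessions
 Session 8334C2F0 (192.168.10.58:1040)=>(203.0.113.9:443) tcp SIS_OPENING
  Created 00:00:12, Last heard 00:00:12
  Bytes sent (initiator:responder) [64:0]
"""

SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+\((?P<src>[^:]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[^:]+):(?P<dport>\d+)\)\s+(?P<proto>\S+)\s+(?P<state>SIS_\w+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(?P<i>\d+):(?P<r>\d+)\]")
SID_RE = re.compile(r"In\s+SID\s+.*on ACL (?P<acl>\S+) \((?P<matches>\d+) matches\)")

@dataclass
class Session:
    sid: str
    src: str
    dst: str
    proto: str
    state: str
    init_bytes: int = 0
    resp_bytes: int = 0
    acl_matches: int = 0  # return-path ACL hits; stays 0 if no "In SID" line is seen

def parse_sessions(text: str) -> List[Session]:
    """Walk the output line by line; detail lines belong to the last Session seen."""
    sessions: List[Session] = []
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            sessions.append(Session(m["id"], f'{m["src"]}:{m["sport"]}',
                                    f'{m["dst"]}:{m["dport"]}', m["proto"], m["state"]))
        elif sessions and (m := BYTES_RE.search(line)):
            sessions[-1].init_bytes, sessions[-1].resp_bytes = int(m["i"]), int(m["r"])
        elif sessions and (m := SID_RE.search(line)):
            sessions[-1].acl_matches = int(m["matches"])
    return sessions

def suspect_sessions(sessions: List[Session]) -> List[Tuple[str, str]]:
    """Heuristic (assumed, not an IOS rule): report handshakes that never completed
    and open sessions where the responder has sent nothing back."""
    findings = []
    for s in sessions:
        if s.state == "SIS_OPENING":
            findings.append((s.sid, "stuck in SIS_OPENING: handshake never completed"))
        elif s.init_bytes > 0 and s.resp_bytes == 0:
            findings.append((s.sid, "SIS_OPEN but responder bytes 0: return traffic dropped?"))
    return findings
```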