1, Get a config where CBAC is enabled and access lists are applied on the interfaces
If the CBAC or ACL configuration is wrong, the following steps will give misleading results.
Check the router configuration before you suggest the following steps.
2, Check the “show commands” output
2.1 Check the inspection states
I would check the output of these commands (show commands run from privileged EXEC mode, not configuration mode):
IOSFirewall# show ip inspect config --> shows the full inspection config (default values are also shown)
IOSFirewall# show ip inspect statistics --> shows the current session count
IOSFirewall# show ip inspect sessions detail --> shows the current sessions (dynamic ACE counters are also here)
Link for “show ip inspect” commands
2.2 Check the processes (we should see the process that handles CBAC)
IOSFirewall# show processes cpu
IOSFirewall# show processes memory
Link for “show processes” commands
3, Check the logging output
3.0 Install a syslog server on a PC that has access to the router
1. Link for a Windows-based free syslog server (Kiwi)
2. Link for a Windows-based free syslog server (tftpd)
3.1 Configure the logging on the router
IOSFirewall(config)# logging syslog-server-ip-address
IOSFirewall(config)# service timestamps log datetime
IOSFirewall(config)# logging trap debugging
IOSFirewall(config)# logging on
IOSFirewall(config)# ip inspect audit-trail
Link for “ip inspect audit-trail” command
Link for “logging” command
3.2 Test the Internet access
Download a very large file; we need a long-lived session for troubleshooting.
3.3 Send the logs to the Cisco TAC Support
3.4 After the test, change the logging severity level back
IOSFirewall(config)# logging trap previous-severity-level
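Once "ip inspect audit-trail" is on, the syslog server receives one message when CBAC opens a session and one when it tears it down. The following is an added example (not from the original post or Cisco) that pairs those Start and Stop messages per session so you can see which sessions are still open during the large download and how many bytes each side sent; it assumes the %FW-6-SESS_AUDIT_TRAIL_START / %FW-6-SESS_AUDIT_TRAIL message layout, and the sample log lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "ip inspect audit-trail" syslog output. The layout follows the
# %FW-6-SESS_AUDIT_TRAIL_START / %FW-6-SESS_AUDIT_TRAIL messages as I know them;
# timestamps, addresses, ports and byte counts are made up.
SAMPLE_LOG = """\
Nov 23 10:01:02.123: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.1.1.10:40001) -- responder (203.0.113.5:80)
Nov 23 10:01:03.456: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.1.1.11:40002) -- responder (203.0.113.9:443)
Nov 23 10:09:15.789: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.10:40001) sent 1200 bytes -- responder (203.0.113.5:80) sent 734003200 bytes
"""

# Session key: (protocol, initiator ip, initiator port, responder ip, responder port)
SessionKey = Tuple[str, str, int, str, int]
_ENDPOINTS = r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\)(?: sent (?P<ibytes>\d+) bytes)? -- " \
             r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)(?: sent (?P<rbytes>\d+) bytes)?"
START_RE = re.compile(r"SESS_AUDIT_TRAIL_START: Start (?P<proto>\w+) session: " + _ENDPOINTS)
STOP_RE = re.compile(r"SESS_AUDIT_TRAIL: Stop (?P<proto>\w+) session: " + _ENDPOINTS)


def parse_audit_trail(text: str) -> Dict[SessionKey, dict]:
    """Pair Start and Stop messages per session. A Start with no Stop is a session that
    is still open (or whose Stop never reached the syslog server); a Stop with no Start
    began before audit-trail logging was enabled and is recorded as closed."""
    sessions: Dict[SessionKey, dict] = {}
    for line in text.splitlines():
        for regex, is_open in ((START_RE, True), (STOP_RE, False)):
            m = regex.search(line)
            if not m:
                continue
            key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            entry = sessions.setdefault(key, {})
            entry["open"] = is_open
            if not is_open:
                entry["initiator_bytes"] = int(m["ibytes"])
                entry["responder_bytes"] = int(m["rbytes"])
            break
    return sessions


def open_sessions(sessions: Dict[SessionKey, dict]) -> List[SessionKey]:
    """Sessions CBAC opened but has not torn down yet: the ones to compare against
    'show ip inspect sessions detail' while the large download is running."""
    return [k for k, v in sessions.items() if v["open"]]
```

A session that shows as open here but is missing from "show ip inspect sessions detail" (or the other way round) is exactly the mismatch worth sending to the TAC along with the debugs.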
4, Debugging the CBAC
The most important debugs are usually (debug commands run from privileged EXEC mode):
IOSFirewall# debug ip inspect detailed
IOSFirewall# debug ip inspect object-creation
IOSFirewall# debug ip inspect object-deletion
IOSFirewall# debug ip inspect tcp
IOSFirewall# debug ip inspect http --> if HTTP is the issue or is the protocol in use
Link for the “debug ip inspect” commands
5, Contact the TAC
If you reached step 4 without even an idea of what the problem can be, then send the debugs to the TAC.
Comments:
Link for Configuring Cisco IOS Firewall with IOS 12.4
Link for CBAC
Check whether the commands (mainly the debug commands) can affect the performance of the router before you suggest them to the customer.
Go to the lab, start a download through a router with a CBAC config, and test the commands suggested above.
Posted on November 23, 2010