CBAC performs a similar function to refelexive acls. With CBAC however there’s much more granular control on the type of sessions monitored, along with the allowed session thresholds and timers (see ip inspect ? For types of control allowed).
R1 (trusted) --------- FA0/0 R2 S1/0 ---------- R3 (untrusted)
In this example no inbound tcp sessions are allowed into the protected network however R1 is allowed tcp access out to the untrusted network (R3). A standard blocking acl is applied to the outside interface on R2
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit eigrp any any
access-list 100 deny ip any any
interface S1/0
ip access-group 100 in
With this config R1 can ping R3 but cannot telnet to it.
I create an inpsection rule to examine all tcp traffic. I apply the inspection rule to interface Ethernet0/0 to inspect traffic from users on the protected network. When CBAC detects tcp traffic from the protected network, CBAC will create a dynamic entry in access list 100 to allow return traffic.
Router_2(config)#ip inspect name RICH tcp
Router_2(config)#int fa0/0
Router_2(config-if)#ip inspect RICH in
Unlike reflexive acls there is no explicit reference required in the acl on the untrusted interface - initially a source of some confusion for me!!! CBAC will add dynamic entries and open up access without it.
With the above config R1 can now initiate a telnet connection to R3
Verification commands on R2
#show ip inspect all
#show access-list 100
Alternatively the inpsect rule can be applied on the untrusted interface in the out direction achieving the same net result.
Router_2(config)#int s1/0
Router_2(config-if)#ip inspect RICH out
Weekly Update 397
11 hours ago
No comments:
Post a Comment