Saturday, January 23, 2010

Cisco IOS firewall CBAC

From Cisco's IOS Security Configuration Guide:
"CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall. "
This is a simple example that you can build on:


For this example I'll apply the ACL and the inspection on the outside interface to allow telnet from R1 to R3 and deny all other TCP or UDP traffic. ICMP is permitted in the ACL for connectivity-testing purposes.

After basic connectivity and routing are set up, we need to build the ACL that will be applied inbound on the outside interface of R2. It will look something like this:

R2(config)#ip access-list extended OUTSIDE_in
R2(config-ext-nacl)#10000 deny ip any any
R2(config-ext-nacl)#10 permit icmp any any echo-reply
R2(config-ext-nacl)#20 permit icmp any any time-exceeded
R2(config-ext-nacl)#30 permit icmp any any packet-too-big
R2(config-ext-nacl)#40 permit icmp any any unreachable

And apply it inbound on the outside interface:

R2(config)#int fa1/1
R2(config-if)#ip access-group OUTSIDE_in in

Now test connectivity: pings from R1 to 10.0.0.3 (R3) should go through, but not from R3 to R1, and telnet from R1 to R3 should not work yet. To get telnet working we need to configure an inspect rule and apply it:

R2(config)#ip inspect name OUTSIDE_inspect telnet

And apply it outbound on the outside interface:

R2(config)#int fa1/1
R2(config-if)#ip inspect OUTSIDE_inspect out

Now telnet should work. With the debug commands "debug ip inspect object-creation" and "debug ip inspect object-deletion" enabled, the temporary objects created to permit the telnet return traffic should show up in R2's output like this:

Jan 23 19:00:56.531: CBAC* OBJ_CREATE: Pak 65728BAC sis 65CCA99C initiator_addr (192.168.1.1:42057) responder_addr (10.0.0.3:23) initiator_alt_addr (192.168.1.1:42057) responder_alt_addr (10.0.0.3:23)
Jan 23 19:00:56.531: CBAC OBJ-CREATE: sid 660F56F4 acl OUTSIDE_in Prot: tcp
Jan 23 19:00:56.535: Src 10.0.0.3 Port [23:23]
Jan 23 19:00:56.535: Dst 192.168.1.1 Port [42057:42057]
Jan 23 19:00:56.535: CBAC OBJ_CREATE: create host entry 660E5690 addr 10.0.0.3 bucket 9 (vrf 0:0) insp_cb 0x66435074
Jan 23 19:00:56.767: CBAC OBJ_DELETE: delete host entry 660E5690 addr 10.0.0.3
R2#
Jan 23 19:01:04.959: CBAC OBJ_DELETE: delete sis 65CCA99C
Jan 23 19:01:04.959: CBAC OBJ-DELETE: sid 660F56F4 on acl OUTSIDE_in Prot: tcp
Jan 23 19:01:04.959: Src 10.0.0.3 Port [23:23]
Jan 23 19:01:04.959: Dst 192.168.1.1 Port [42057:42057]
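As a quick check on what CBAC actually opened, here is an added Python example (my code, not from the original post or from Cisco) that parses the OBJ_CREATE/OBJ_DELETE debug lines above into a session table, so you can see which temporary ACL entries were punched, for which initiator/responder pair, and how long each lived. The regex field names are my own; the sample input reproduces the four key lines from the debug output above.

```python
import re
from datetime import datetime

# Sample input: the four key lines from the debug output above (same ids and timestamps).
SAMPLE_DEBUG = """\
Jan 23 19:00:56.531: CBAC* OBJ_CREATE: Pak 65728BAC sis 65CCA99C initiator_addr (192.168.1.1:42057) responder_addr (10.0.0.3:23) initiator_alt_addr (192.168.1.1:42057) responder_alt_addr (10.0.0.3:23)
Jan 23 19:00:56.531: CBAC OBJ-CREATE: sid 660F56F4 acl OUTSIDE_in Prot: tcp
Jan 23 19:01:04.959: CBAC OBJ_DELETE: delete sis 65CCA99C
Jan 23 19:01:04.959: CBAC OBJ-DELETE: sid 660F56F4 on acl OUTSIDE_in Prot: tcp
"""

TS = r"^(?P<ts>\w{3} +\d+ [\d:.]+): "
# sis = session object; sid = the temporary entry CBAC inserts into the named ACL
RE_SIS_CREATE = re.compile(TS + r"CBAC\*? OBJ_CREATE: Pak \w+ sis (?P<sis>\w+) "
                           r"initiator_addr \((?P<ia>[\d.]+):(?P<ip>\d+)\) "
                           r"responder_addr \((?P<ra>[\d.]+):(?P<rp>\d+)\)")
RE_SID_CREATE = re.compile(TS + r"CBAC OBJ-CREATE: sid (?P<sid>\w+) acl (?P<acl>\S+) Prot: (?P<proto>\w+)")
RE_SIS_DELETE = re.compile(TS + r"CBAC OBJ_DELETE: delete sis (?P<sis>\w+)")

def _ts(s):
    # Debug timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    return datetime.strptime(s, "%b %d %H:%M:%S.%f")

def parse_cbac_sessions(text):
    """Build a list of session dicts from OBJ_CREATE/OBJ_DELETE debug lines."""
    sessions, by_sis, last = [], {}, None
    for line in text.splitlines():
        m = RE_SIS_CREATE.match(line)
        if m:
            last = {"sis": m["sis"], "initiator": (m["ia"], int(m["ip"])),
                    "responder": (m["ra"], int(m["rp"])), "opened": _ts(m["ts"]),
                    "closed": None, "sid": None, "acl": None, "proto": None}
            sessions.append(last)
            by_sis[m["sis"]] = last
            continue
        m = RE_SID_CREATE.match(line)
        if m and last is not None and last["sid"] is None:
            # The sid line follows its sis line: this is the hole punched in the named ACL.
            last.update(sid=m["sid"], acl=m["acl"], proto=m["proto"])
            continue
        m = RE_SIS_DELETE.match(line)
        if m and m["sis"] in by_sis:
            by_sis[m["sis"]]["closed"] = _ts(m["ts"])
    return sessions

def open_sessions(sessions):
    """Sessions whose temporary ACL opening has not been deleted yet."""
    return [s for s in sessions if s["closed"] is None]

def lifetime_seconds(session):
    """How long the temporary opening existed, or None if it is still open."""
    if session["closed"] is None:
        return None
    return (session["closed"] - session["opened"]).total_seconds()
```

Run it against a longer "debug ip inspect" capture and anything left in open_sessions() after the clients have disconnected is worth comparing with "show ip inspect sessions".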

more info @ http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac_ps6441_TSD_Products_Configuration_Guide_Chapter.html
