Translate the following policy into a working CBAC configuration on R5 (assuming this router's FastEthernet0/1 is connected to another ISP):
■ Allow all TCP and UDP traffic initiated on the inside from network 184.108.40.206 to reach the Internet. ICMP traffic from the same network is also allowed. All other inside networks must be denied. For traffic initiated on the outside, allow everyone to access only HTTP on host 220.127.116.11.
■ All other traffic must be denied.
CBAC intelligently filters TCP and UDP packets based on application layer protocol session information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC can be used for intranet, extranet, and Internet perimeters of your network.
To configure CBAC, perform the following tasks:
■ Pick an interface: internal or external (required).
■ Configure IP access lists at the interface (required).
■ Configure global timeouts and thresholds (required).
■ Define an inspection rule (required).
■ Apply the inspection rule to an interface (required).
■ Configure logging and audit trail (required).
■ Follow other guidelines for configuring a firewall (required).
Example 8-85 configures R5 for CBAC outbound connections.
Example 8-85 R5 Outbound Connections
R5(config)#ip inspect name OUTBOUND tcp
R5(config)#ip inspect name OUTBOUND udp
R5(config)#access-list 101 permit ip 18.104.22.168 0.0.0.31 any
R5(config)#interface FastEthernet0/0
R5(config-if)#ip inspect OUTBOUND in
R5(config-if)#ip access-group 101 in
Example 8-86 configures R5 for inbound connections.
R5(config)#access-list 102 permit icmp any host 22.214.171.124
R5(config)#access-list 102 permit tcp any host 126.96.36.199 eq www
R5(config)#interface FastEthernet0/1
R5(config-if)#ip access-group 102 in
To assist CBAC debugging, you can turn on audit trail messages that will be displayed on the console after each CBAC session closes. The IOS command ip inspect audit-trail turns on CBAC audit trail messages.
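As an added example that is not from the book, the seven configuration tasks listed above carried through as one complete R5 configuration: it combines Examples 8-85 and 8-86 with the global timeouts and thresholds, a per-protocol audit trail, and logged explicit denies. Interface names and addresses are taken from the examples above; the timeout and threshold values are the IOS defaults and are assumptions to be tuned for the site.

```cisco
! Task 3: global timeouts and thresholds (values shown are the IOS defaults;
! lowering the half-open thresholds tightens behaviour under SYN floods)
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! Task 6: log a message on the console each time a CBAC session closes
ip inspect audit-trail
!
! Task 4: inspection rule; audit-trail and timeout can also be set per protocol
ip inspect name OUTBOUND tcp audit-trail on timeout 3600
ip inspect name OUTBOUND udp audit-trail on timeout 30
! IOS releases before 12.2(15)T do not inspect ICMP, so echo replies for the
! inside network's pings need the static ICMP permit in access-list 102 below;
! on later releases "ip inspect name OUTBOUND icmp" can replace it.
!
! Task 2: inside ACL, only the permitted network may start sessions;
! everything else from the inside is logged and dropped
access-list 101 permit ip 18.104.22.168 0.0.0.31 any
access-list 101 deny ip any any log
!
! Outside ACL: only HTTP to the published host plus the ICMP entry from
! Example 8-86; CBAC adds temporary entries for inspected return traffic
access-list 102 permit tcp any host 126.96.36.199 eq www
access-list 102 permit icmp any host 22.214.171.124
access-list 102 deny ip any any log
!
! Tasks 1 and 5: inside interface gets the ACL and the inspection rule inbound
interface FastEthernet0/0
 ip access-group 101 in
 ip inspect OUTBOUND in
!
! Outside interface only needs the ACL; CBAC opens return paths through it
interface FastEthernet0/1
 ip access-group 102 in
!
! Verification from exec mode: show ip inspect config
!                              show ip inspect sessions detail
!                              show ip inspect interfaces
```

The "log" keyword on the explicit denies gives visibility into what the policy rejects; on a busy link, rate-limit logging or drop the keyword to keep the CPU load down.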
Many other debug commands are available, including the following:
■ Generic debug commands
■ Transport-level debug commands
■ Application protocol debug commands
For more details on CBAC, visit: