Configuring IP ACLs at the Interface

Configuring your ACL correctly is critical for CBAC to work properly. Follow these two general rules when evaluating your IP ACLs at the Cisco IOS Firewall:

• Permit CBAC traffic leaving the network through the Cisco IOS Firewall.

• Use extended ACLs to deny traffic entering the network (from the external interface) through the Cisco IOS Firewall.

All ACLs that evaluate traffic leaving the protected network should permit traffic that will be inspected by CBAC. If Telnet will be inspected by CBAC, for example, Telnet traffic should be permitted on all ACLs that apply to traffic leaving the network.
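The two rules applied to a two-interface router, as an added example that is not taken from the original text. The rule name FWRULE, the ACL numbers, the interface names and all addresses are assumptions chosen for illustration.

```ios
! Constructed example: rule name, ACL numbers, interfaces and addresses
! are assumptions, not values from the original text.
!
! CBAC inspection rule: Telnet sessions will be inspected.
ip inspect name FWRULE telnet
!
! ACL 101 evaluates traffic leaving the protected network.
! Rule 1: it must permit the traffic CBAC inspects (Telnet here).
! If this permit is missing, the ACL drops the packet and CBAC
! never sees the session.
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq telnet
access-list 101 deny ip any any
!
! ACL 111 evaluates traffic entering from the external interface.
! Rule 2: it is an extended ACL that denies inbound traffic.
! CBAC adds temporary openings to it for return traffic that
! belongs to an inspected session.
access-list 111 deny ip any any
!
interface FastEthernet0/0
 description Internal (protected) network
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
 ip inspect FWRULE in
!
interface Serial0/0
 description External network
 ip address 192.0.2.1 255.255.255.252
 ip access-group 111 in
```

After a Telnet session is opened from the inside, show ip inspect sessions lists the inspected session and show access-lists 111 shows the temporary entry CBAC created for its return traffic.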

