Friday, July 4, 2008

CBAC Example

Context-Based Access Control (CBAC) is another way to dynamically modify access-lists on the fly to allow return traffic. Here we configure a simple example that allows FTP traffic as well as PING from inside to outside. First let's apply an ACL inbound on R4 Serial1/0 and see what happens when we ping from R1 to R5:

R1 --INSIDE--> R4 s1/0 --OUTSIDE--> R5

On R4:

ip access-list extended INBOUND
 permit ospf any any
 deny ip any any log
!
interface Serial1/0
 ip access-group INBOUND in

Now from R1:

R1#ping 155.1.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.5.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

Now on R4 we add the following CBAC configuration:

ip inspect name CBAC ftp
ip inspect name CBAC tcp router-traffic
ip inspect name CBAC icmp router-traffic

interface Serial1/0
 ip inspect CBAC out

Now back to R1:

R1#ping 155.1.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/115/268 ms
R1#

Verify on R4 (do this quickly, or the ICMP session will already have timed out):

R4#show ip inspect sessions
Established Sessions
Session 659A79DC (10.0.0.1:8)=>(155.1.5.5:0) icmp SIS_OPEN
R4#

I tried testing FTP, but for some reason the "ftp-server enable" command doesn't seem to exist in my IOS, which is 12.4 ADVENT. Anyway, that should give you a quick idea of how CBAC is used to punch holes in ACLs for return traffic.

Also remember that the ACL DENIES the traffic INBOUND on the OUTSIDE interface, while the inspect rule is applied in the OUTBOUND direction on that same interface: inspection of the outgoing session is what creates the temporary entries that let the return traffic through the inbound ACL.
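To make the mechanism concrete, here is an added Python model (not part of the original post) of R4's behaviour: a static inbound ACL that only permits OSPF, outbound inspection that records sessions, and return packets matched against those sessions until they idle out. The 30-second idle timeout, the FTP source port 40000 and the "only echo-reply counts as ICMP return traffic" rule are simplifying assumptions of this model, not IOS defaults.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")  # for ICMP, sport carries the message type
ICMP_ECHO, ICMP_ECHO_REPLY = 8, 0

def static_inbound_acl(pkt):
    # ip access-list extended INBOUND: permit ospf any any / deny ip any any log
    return pkt.proto == "ospf"

def session_for_return(pkt):
    # Key of the outbound session this inbound packet would be the reply to.
    if pkt.proto == "icmp":  # simplification (assumed): only echo-reply counts as return traffic
        return ("icmp", pkt.dst, ICMP_ECHO, pkt.src, 0) if pkt.sport == ICMP_ECHO_REPLY else None
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

class CbacRouter:
    # R4 in the post: static ACL INBOUND on the outside interface, inspection OUTBOUND
    def __init__(self, inspect_protos, idle_time=30):
        self.inspect_protos = set(inspect_protos)  # one "ip inspect name CBAC <proto>" each
        self.idle_time = idle_time                 # assumed idle timeout in seconds
        self.sessions = {}                         # session key -> time last seen
    def send_outbound(self, pkt, now):
        # "ip inspect CBAC out": inspected protocols get a session entry; nothing is blocked
        if pkt.proto in self.inspect_protos:
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        return True
    def receive_inbound(self, pkt, now):
        # Idle sessions age out first, which is why the post says to verify "quick".
        self.sessions = {k: t for k, t in self.sessions.items() if now - t <= self.idle_time}
        key = session_for_return(pkt)
        if key in self.sessions:  # the dynamic hole CBAC punched for return traffic
            self.sessions[key] = now
            return True
        return static_inbound_acl(pkt)  # everything else hits the static ACL

def run_scenario():
    # Replays the post's ping plus an FTP control connection; returns what R4 lets in.
    r4 = CbacRouter(["tcp", "icmp"])  # FTP data-channel handling ("ftp" inspection) not modelled
    echo = Packet("icmp", "10.0.0.1", ICMP_ECHO, "155.1.5.5", 0)       # the session shown in the post
    reply = Packet("icmp", "155.1.5.5", ICMP_ECHO_REPLY, "10.0.0.1", 0)
    ftp_syn = Packet("tcp", "10.0.0.1", 40000, "155.1.5.5", 21)        # constructed source port
    ftp_ack = Packet("tcp", "155.1.5.5", 21, "10.0.0.1", 40000)
    out = {"reply_without_inspect": r4.receive_inbound(reply, 0)}  # ACL alone: "....."
    for p in (echo, ftp_syn): r4.send_outbound(p, 1)
    out["reply_after_inspect"] = r4.receive_inbound(reply, 2)       # "!!!!!"
    out["ftp_return"] = r4.receive_inbound(ftp_ack, 2)
    out["unsolicited_telnet"] = r4.receive_inbound(Packet("tcp", "155.1.5.5", 1234, "10.0.0.1", 23), 2)
    out["ospf_hello"] = r4.receive_inbound(Packet("ospf", "155.1.5.5", 0, "224.0.0.5", 0), 2)
    out["reply_after_idle"] = r4.receive_inbound(reply, 2 + r4.idle_time + 1)
    return out
```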

2 comments:

  1. Just do not want to miss the opportunity to put a link showing the difference between using CBAC and Reflexive ACL.

    Written By Scott Morris,

    http://tcpmag.com/qanda/article.asp?EditorialsID=379

