288 Chapter 8: Advanced Security Services, Part II: IOS Firewall Feature Set
Figure 8-2 CBAC Creates Temporary Access List Rules
As shown in Figure 8-2, externally sourced packets not associated with the user's session (or
other users' sessions also managed by CBAC) are blocked by the access list—this prevents
anyone from initiating a session to the internal network from the outside.
As a security precaution, CBAC removes the temporary rules from access lists after the user's
session ends, thereby sealing the tiny holes that were needed for the user's session.
These are the basic steps for configuring CBAC:
1 Configure and apply extended access lists to block external traffic from entering the
2 Define a CBAC inspection rule that tells the router which applications require CBAC to
3 Apply the inspection rule to an interface.
The following sections cover these steps in more detail, starting with a simple two-port firewall
CBAC Example: A Basic Two-Port Firewall
Consider the scenario depicted in Figure 8-3 with a basic two-port ﬁrewall router.
[Figure callouts: External traffic normally is blocked. Return traffic for the session is allowed through a tiny, temporary hole. Internal traffic is permitted to go out.]
Figure 8-3 A Two-Port Firewall Example
The network in Figure 8-3 is a straightforward application of CBAC. Router A is configured
with CBAC and inspects application sessions that originate from the inside and are destined to
the Internet. An inbound access list is applied to Router A's Serial1 interface that faces the
public Internet; the access list guards against unauthorized entry from the Internet to the internal
network. Finally, CBAC allows return traffic for internal user applications (Web, Telnet, FTP,
and so on) through the access list—the return traffic must be permitted for the applications to
This two-port configuration is good for explaining basic CBAC configuration. This scenario
might be appropriate for a home office or an organization that does not directly offer Web, FTP,
DNS, or SMTP servers to the public. Such organizations might make their public servers
available through an ISP that hosts the servers at an off-site location. See "CBAC with a
Demilitarized Zone" later in this chapter for a CBAC example that makes servers available from
The following is the configuration for the firewall router, Router A (for brevity, only the lines
relevant to security and CBAC are shown):
no service tcp-small-servers
no service udp-small-servers
enable secret <my-password>
no ip source-route
no cdp run
[Figure 8-3 callouts: Access list 120 blocks external traffic. CBAC inspects user applications going to the Internet. Access list 101 prevents spoofing.]
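The configuration excerpt above stops before the access lists, inspection rule, and interface commands. As an added example (not the book's Router A configuration), the three CBAC steps from this section are written out below for the same two-port layout; the inside interface Ethernet0, the 10.1.1.0/24 inside network, the 192.0.2.1 address on Serial1, and the rule name FW-INSPECT are assumptions, not values from the page.

```cisco
! Added example (not the book's Router A configuration).
! Assumed values: inside interface Ethernet0 with network 10.1.1.0/24,
! outside interface Serial1 with 192.0.2.1, inspection rule FW-INSPECT.
!
! Step 1: extended access lists.
! Access list 120 is applied inbound on the Internet-facing Serial1. CBAC
! inserts its temporary entries ahead of these static lines, so return
! traffic for inspected sessions passes while unsolicited traffic is denied.
! The first line also drops outside packets that claim an inside source.
access-list 120 deny ip 10.1.1.0 0.0.0.255 any log
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any unreachable
access-list 120 permit icmp any any time-exceeded
access-list 120 deny ip any any log
!
! Access list 101 is the anti-spoofing list on the inside interface:
! only packets with a genuine inside source address may leave.
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip any any log
!
! Step 2: the inspection rule names the protocols CBAC tracks. Generic
! tcp/udp inspection covers Web and Telnet; ftp is listed separately so
! the data channel is opened from the control channel.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT ftp
ip inspect name FW-INSPECT smtp
! Idle timers control how long a temporary entry lives after the
! session goes quiet; shorter values close the holes sooner.
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! Step 3: apply the inspection rule and the access lists to the interfaces.
! Inspecting inbound on the inside interface tracks sessions as internal
! users open them; the resulting temporary entries are added to list 120.
interface Ethernet0
 description Inside network (assumed addressing)
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
 ip inspect FW-INSPECT in
!
interface Serial1
 description To the Internet (assumed addressing)
 ip address 192.0.2.1 255.255.255.252
 ip access-group 120 in
```

After the rule is applied, `show ip inspect sessions` lists the sessions CBAC is tracking, and `show ip access-lists 120` shows the temporary entries that have been inserted for them.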