288 Chapter 8: Advanced Security Services, Part II: IOS Firewall Feature Set
Figure 8-2 CBAC Creates Temporary Access List Rules
As shown in Figure 8-2, externally sourced packets not associated with the user's session (or
other users' sessions also managed by CBAC) are blocked by the access list—this prevents
anyone from initiating a session to the internal network from the outside.
As a security precaution, CBAC removes the temporary rules from access lists after the user's
session ends, thereby sealing the tiny holes that were needed for the user's session.
Configuring CBAC
These are the basic steps for configuring CBAC:
1 Configure and apply extended access lists to block external traffic from entering the
internal network.
2 Define a CBAC inspection rule that tells the router which applications require CBAC to
function properly.
3 Apply the inspection rule to an interface.
The following sections cover these steps in more detail, starting with a simple two-port firewall
CBAC Example: A Basic Two-Port Firewall
Consider the scenario depicted in Figure 8-3 with a basic two-port firewall router.
External traffic normally is blocked.
External users
Return traffic for session is allowed
through a tiny, temporary hole.
Internal traffic is permitted to go out.
Configuring CBAC 289
Figure 8-3 A Two-Port Firewall Example
The network in Figure 8-3 is a straightforward application of CBAC. Router A is configured
with CBAC and inspects application sessions that originate from the inside and are destined to
the Internet. An inbound access list is applied to Router A's Serial1 interface that faces the
public Internet; the access list guards against unauthorized entry from the Internet to the internal
network. Finally, CBAC allows return traffic for internal user applications (Web, Telnet, FTP,
and so on) through the access list—the return traffic must be permitted for the applications to
function properly.
This two-port configuration is good for explaining basic CBAC configuration. This scenario
might be appropriate for a home office or an organization that does not directly offer Web, FTP,
DNS, or SMTP servers to the public. Such organizations might make their public servers
available through an ISP that hosts the servers at an off-site location. See "CBAC with a
Demilitarized Zone" later in this chapter for a CBAC example that makes servers available from
the outside.
The following is the configuration for the firewall router, Router A (for brevity, only the lines
relevant to security and CBAC are shown):
no service tcp-small-servers
no service udp-small-servers
service password-encryption
enable secret <my-password>
no ip source-route
no cdp run
Access list 120 blocks external traffic.
Router A
CBAC inspects user applications
going to the Internet. Access list
101 prevents spoofing.

Get Enhanced IP Services for Cisco Networks now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.