CBAC creates a dynamic ACL in this scenario (curriculum)

Apr 23rd, 2007

I am aware of how CBAC works; please look at the figure below (step 2):


http://img484.imageshack.us/img484/7679/cabcib1.jpg


In step 2, he says: "CBAC creates a dynamic ACL allowing return traffic back through the firewall"


By "CBAC creates a dynamic ACL, etc.", does he mean the command line underneath it?:

Access-list 102 permit TCP host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447


Jon Marshall Mon, 04/23/2007 - 22:50

Hi


What he means is this.


The host 10.0.0.3 creates a telnet session (port 23) to the server 172.30.1.50. This is allowed out through the router.


On the router interface that connects to the 172.30.1.50 network there is an access-list that looks like this:


access-list 102 deny ip any any


and this access-list is applied in an inbound direction.


This will stop all inbound connections from outside.


What happens when the inside host telnets out is that a line is dynamically added to access-list 102. So now your access-list looks like this:


access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447

access-list 102 deny ip any any


When the telnet session is finished, the dynamically added line will disappear and your access-list will be:


access-list 102 deny ip any any


HTH


Jon

zillah2004 Tue, 04/24/2007 - 00:01

Thanks, Jon, for this insight.


That means we are going to do it like this:

Assume interface fastethernet0/1 (right hand side of the picture) is connected to the server.


Router(config)#interface fastethernet0/1

Router(config-if)#ip access-group 102 in

Router(config-if)#ip inspect FWRULE out

Router(config-if)#no shutdown

Router(config-if)#exit


>>What happens when the inside host telnets out is that a line is dynamically added to access-list 102. So now your access-list looks like this:


access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447

access-list 102 deny ip any any

<<

How can I make sure that the dynamic ACL will be added to the beginning of the ACEs? Because if it came like this:

access-list 102 deny ip any any

access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447


it will be useless.


Regards

Jon Marshall Tue, 04/24/2007 - 00:06

Hi


You don't need to worry about it being added in the right order. CBAC will automatically add it before any statically configured lines that you have put in yourself, so the dynamic lines will always be at the top of the access-list.


HTH


Jon

zillah2004 Tue, 04/24/2007 - 00:16

Great job, Jon.


Warm regards


>>eq 23 host 10.0.0.3 eq 2447 <<

It is obvious that port 23 will always be in the access list that is created by CBAC, but port 2447 is changeable.

Jon Marshall Tue, 04/24/2007 - 00:28

Hi


Thanks for rating - helps others solve issues quickly.


As for the last point: remember that CBAC creates dynamic entries per connection. So the entry created for the host (2447) to the server (23) will be just for that session. The port 2447 will not change for that session (true for telnet but not all protocols). So if another session is created from that host, or another host connects to the server, the random port will change, yes, and the destination port will still be 23, but that's okay for that session.


Hope that makes sense.


Jon
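To make the two points above concrete (dynamic entries sit ahead of the static lines, and each entry belongs to exactly one session), here is a small model of access-list 102 and the inspection behaviour described in this thread. It is an added illustration, not code from the thread or from Cisco IOS; the class and method names are my own, and it assumes first-match evaluation with an implicit deny at the end, as IOS ACLs do.

```python
from __future__ import annotations
from dataclasses import dataclass
@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip"
    src: str              # host address or "any"
    src_port: int | None  # None means any port
    dst: str
    dst_port: int | None
    def matches(self, proto, src, sport, dst, dport):
        return (self.proto in ("ip", proto) and self.src in ("any", src)
                and self.dst in ("any", dst) and self.src_port in (None, sport)
                and self.dst_port in (None, dport))

    def render(self, number=102):
        """Format the entry the way the IOS configuration shows it."""
        ends = []
        for addr, port in ((self.src, self.src_port), (self.dst, self.dst_port)):
            end = "any" if addr == "any" else f"host {addr}"
            ends.append(end if port is None else f"{end} eq {port}")
        return f"access-list {number} {self.action} {self.proto} {ends[0]} {ends[1]}"

class InboundAcl:
    """Access-list 102, applied 'in' on the interface facing the server."""
    def __init__(self, static_aces):
        self.aces = list(static_aces)

    def lookup(self, proto, src, sport, dst, dport):
        # First match wins; anything unmatched hits the implicit deny.
        for ace in self.aces:
            if ace.matches(proto, src, sport, dst, dport):
                return ace.action
        return "deny"

class CbacInspector:
    """The 'ip inspect ... out' side: one return-path entry per session."""
    def __init__(self, acl):
        self.acl, self.sessions = acl, {}

    def outbound_session(self, proto, inside, sport, outside, dport):
        # Return traffic flows server -> client, so source and destination swap.
        ace = Ace("permit", proto, outside, dport, inside, sport)
        self.acl.aces.insert(0, ace)   # always ahead of the static lines
        self.sessions[(proto, inside, sport, outside, dport)] = ace
        return ace

    def session_closed(self, proto, inside, sport, outside, dport):
        # The entry lives only as long as its session and then disappears.
        self.acl.aces.remove(self.sessions.pop((proto, inside, sport, outside, dport)))
```

Opening the telnet session from 10.0.0.3:2447 to 172.30.1.50:23 inserts exactly the `permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447` line above `deny ip any any`; a reply aimed at any other client port or client address still hits the deny, and closing the session removes the line again.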

zillah2004 Tue, 04/24/2007 - 00:31

Why does the word "TCP" in the command line come in upper case (as we know, the Cisco convention for keywords is lower case, not upper case; upper case is for naming)? Is it a typo?

Jon Marshall Tue, 04/24/2007 - 00:34

Hi


Yes, I think it's a typo. CBAC uses normal IOS access-lists, so you certainly don't need it in upper case.


Jon
