Question about CBAC

Aug 2nd, 2007

I'd like some help understanding an aspect of firewalling. I have CBAC configured on an ISR. The WAN (outside) interface is configured with an ACL that will not allow traffic to come in. CBAC's job is to allow temporary openings in this ACL for connections initiated on the LAN (inside) interface and close them when the transmission ends. So, in this case I would be configuring inspection ("ip inspect X in") on the inside interface so that traffic leaving the LAN is checked, correct?

My question is, what exactly is being inspected? I know that the inspection is happening at the application layer, but beyond that I'm not sure what the firewall is looking for. So, let's assume a telnet session is initiated inside the network to a host outside. A temporary port is opened on the external interface's ACL to allow the transmission. Now the inspection is looking at the telnet session's traffic as it enters the inside interface. What is it looking for exactly?


sundar.palaniappan Thu, 08/02/2007 - 14:14


Your understanding of how CBAC works is correct.

As far as your question on how CBAC tracks the telnet session initiated from the inside to the outside and creates a temporary ACL for the return traffic, the function is the same as a stateful firewall. For the telnet session the router keeps track of source IP, destination IP, source port and destination port and creates a temporary ACL entry to permit the return traffic on the outside interface.

Here's a small example that I hope helps.

Inside --> Outside
  source port: 17850
  destination port: 23

Outside --> Inside (temporary ACL entry created for this)
  source port: 23
  destination port: 17850



shikamarunara Thu, 08/02/2007 - 14:19


Thanks for writing. I understand all of this, but the part that stumps me is that I have the impression that CBAC is doing something else with the packets before passing them on, not just layer 3 and 4 stuff but layer 7 inspecting. An earlier post in this thread suggested reading the CBAC documentation, which I already had before posting. I'm just not sure I understand what happens besides trying to detect SYN-flood attacks.


Jon Marshall Thu, 08/02/2007 - 21:05

In addition to Sundar's very good explanation.

CBAC is a stateful firewall in the same way the PIX/ASA is a stateful firewall. This means that for most TCP applications it looks at the following information in the packets:

source IP, destination IP, source port, destination port, TCP flags.

The TCP flags, e.g. SYN, ACK, FIN, WAIT etc., are important because this is what makes a firewall stateful, e.g. it knows that if it receives a packet with the SYN/ACK flags but has no corresponding SYN packet, it should drop that packet.

So all TCP traffic going through a stateful firewall is treated as above and the same information is extracted.

In addition to this stateful tracking CBAC, in common with many stateful firewalls, has some more application-specific code to deal with some of the more commonly used applications that don't behave the standard way. Sundar's example of FTP is one of them. With these applications CBAC does a bit more work and examines more than just the standard IP, port and flags. How much more work is dependent on the application, i.e. for FTP the extra work involved is to look into the packets to find the dynamic port that has been negotiated.
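The stateful behaviour the two replies describe, as an added example that is not part of the thread and not IOS code: a simplified session table keyed on the source/destination IP and port tuple, which opens a return path when an outbound SYN is seen on the inside interface, drops an outside SYN/ACK that has no matching SYN, and closes the opening on FIN or RST. The addresses and the 17850 -> 23 telnet ports are constructed to match Sundar's example.

```python
# Simplified model of CBAC-style stateful inspection (added example, not IOS code).
# Flows are tracked by (src_ip, dst_ip, src_port, dst_port); an outbound SYN seen on
# the inside interface creates a temporary opening for the reversed tuple on the
# outside interface, and a FIN or RST from either side closes it (simplified: one
# FIN is enough here, a real firewall waits for both directions to finish).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: frozenset  # e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})


class StatefulInspector:
    def __init__(self):
        # Each entry is the reversed tuple, i.e. what the return traffic looks like.
        self.openings = set()

    def inside(self, pkt):
        """Packet leaving the LAN ('ip inspect X in' on the inside interface)."""
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.openings.add(reverse)       # new connection: open the return path
        elif "FIN" in pkt.flags or "RST" in pkt.flags:
            self.openings.discard(reverse)   # transmission ends: close it again
        return "PERMIT"

    def outside(self, pkt):
        """Packet arriving on the WAN interface; the static ACL denies everything,
        so only traffic matching a temporary opening is permitted."""
        key = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
        if key not in self.openings:
            return "DENY"                    # includes a SYN/ACK with no prior SYN
        if "FIN" in pkt.flags or "RST" in pkt.flags:
            self.openings.discard(key)
        return "PERMIT"


def telnet_walkthrough():
    """Constructed walkthrough of the telnet example (source 17850, destination 23)."""
    fw = StatefulInspector()
    lan, wan = "192.168.1.10", "203.0.113.5"  # constructed addresses
    syn_ack = Packet(wan, lan, 23, 17850, frozenset({"SYN", "ACK"}))
    unsolicited = fw.outside(syn_ack)         # nothing opened yet -> DENY
    fw.inside(Packet(lan, wan, 17850, 23, frozenset({"SYN"})))
    reply = fw.outside(syn_ack)               # matches the opening -> PERMIT
    fw.outside(Packet(wan, lan, 23, 17850, frozenset({"FIN", "ACK"})))
    after_close = fw.outside(Packet(wan, lan, 23, 17850, frozenset({"ACK"})))
    return unsolicited, reply, after_close    # ("DENY", "PERMIT", "DENY")
```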



