CBAC questions

Hi all

(See attachment file…)

I want to know where (on which interfaces) and how (in or out) I can put my CBAC configuration. All incoming packets that pass through the LAN interface of R1 and R2 are permitted, no matter where they go.

I have already defined rules and a static extended ACL on both routers. I have also configured NAT.

R1 WAN interface: ACL_IN (denies any traffic except ESP for the IPsec tunnel, and some other things)

R2 WAN interface: ACL_IN (denies any traffic except ESP for the IPsec tunnel, and some other things)

R1 WAN interface: CBAC_OUT (the traffic is analyzed when it goes out of this interface and is then allowed back through the router only if it is part of the same session as the original traffic that triggered CBAC when exiting through the router)

R2 WAN interface: CBAC_OUT (the traffic is analyzed when it goes out of this interface and is then allowed back through the router only if it is part of the same session as the original traffic that triggered CBAC when exiting through the router)

Those configurations secure me from the Internet world.

But if I want to analyze and secure (not block) the traffic that comes from the customer's LAN to my HQ services (passing through my tunnel interface only), where should I put my CBAC configuration (out on R1's LAN interface?)

Note: I have many customer routers that connect to the same R1 router.

Thank you very much

Marwan ALshawi
VIP Alumni

If you want to do packet filtering and use application inspection as well with VPN,

use the outside physical interface

and use the private LAN IPs as source and destination IPs, so that after the packet gets decrypted on the interface it will be inspected.

By the way,

you have a tunnel interface; do you mean you use GRE with IPsec?

By the way,

CBAC helps you with VPN for automatic port negotiation, like H.323,

but for management

I would suggest you use a normal ACL and permit the traffic you want explicitly;

more secure and better for your case.

Thank you very much for your reply.

When you say that I must use the private LAN IPs as source and destination IPs, do you mean to use "in" and "out" CBAC rules on the LAN interface of R1 to secure my HQ from the customers?

For us it's not necessary to secure the customers from my HQ.

Yes, I use GRE with IPsec. It's a DMVPN phase 2 network, single cloud with dual hubs.

Thanks !

What kind of traffic do you want to pass through your tunnel? I mean, what ports or applications?

Essentially FTP and HTTP.

I have other traffic, but it doesn't matter if I don't analyze it, because it's terminated at the customer's endpoint, not on the LAN subnet (like CiscoCSM).
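The placement discussed in this thread (ACL_IN inbound and CBAC_OUT outbound on the hub's outside interface, inspecting the FTP and HTTP the poster mentions, plus the reply's suggestion of inspecting the decrypted customer-to-HQ traffic on the same outside interface), as an added example in IOS classic-firewall syntax that is not from the original posts; interface names, addresses and the HQ subnet are placeholders, and whether the decrypted DMVPN traffic is seen by the inbound rule on the physical interface is an assumption to verify on the device.

```cisco
! Added example (not from the thread). Placeholders: Gi0/0, 198.51.100.1 (hub WAN
! address), 10.10.0.0/16 (HQ services), 10.20.0.0/16 (customer LANs).
!
! Inspection rules: track the FTP and HTTP sessions the poster wants analyzed.
! The ftp inspector also opens the data channel negotiated inside the control session.
ip inspect name CBAC_OUT ftp
ip inspect name CBAC_OUT http
ip inspect name CBAC_IN ftp
ip inspect name CBAC_IN http
!
! Inbound WAN filter: only the IPsec/ISAKMP traffic the tunnels need is permitted.
! Source is "any" because many customer routers build tunnels to this hub (see the
! poster's note); return traffic of inspected sessions is admitted by CBAC, not here.
ip access-list extended ACL_IN
 permit udp any host 198.51.100.1 eq isakmp
 permit udp any host 198.51.100.1 eq non500-isakmp
 permit esp any host 198.51.100.1
 deny   ip any any log
!
! Outside (WAN) interface: ACL inbound, session inspection in both directions.
! "out" covers HQ-initiated sessions towards the Internet and the spokes;
! "in" is the reply's suggestion for customer LAN -> HQ sessions, which are matched
! on the private LAN addresses once the packets have been decrypted (assumption).
interface GigabitEthernet0/0
 description WAN (Internet)
 ip address 198.51.100.1 255.255.255.0
 ip access-group ACL_IN in
 ip inspect CBAC_OUT out
 ip inspect CBAC_IN in
!
! Verification: a customer FTP or HTTP session to an HQ host should appear here;
! if it does not, the inspected traffic is not passing this interface in cleartext.
! show ip inspect sessions
! show ip inspect interfaces
```

For the management traffic the reply recommends filtering with an explicit ACL instead of inspection; that belongs in a separate permit list applied where the HQ management hosts are reached, not in ACL_IN above.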
