I put the following access-list on my router:
router(config)#access-list 101 permit tcp host 192.168.0.1 host 172.16.0.10 eq www
And I've applied it on the f0/0 interface, this way:
router(config-if)#ip access-group 101 in
With this, I can WWW the host 172.16.0.10. Right.
But, I would like to put an access-list on the f0/1 (outside) interface to permit host 172.16.0.10 to answer the request.
But, to do that, I must put an access-list permitting 172.16.0.10 to connect to all higher ports 1024....65536...
I mean, I just wanna permit the traffic back, only if the first traffic is permitted, like a firewall does.
Is this possible?
Or, is there another way to do that?
The example in the link is a bit confusing. With CBAC, you have any ACL on the "trusted" side. You create inspection rules, then apply them to the "untrusted" interface with a direction of out. What this does is track connections outbound and dynamically allow the connection back in. CBAC is basically a stateful inspection engine, just like an ASA firewall.
The confusing part is, let's say for example you also host a public website in your network. CBAC has nothing to do with this, so we need to create an ACL for the outside interface to allow web traffic to our webserver. The outside ACL has nothing to do with return traffic when sourced from the trusted side (when CBAC is used). If you look at the example, they are only allowing certain types of ICMP from the outside. CBAC allows dynamic "holes" to be opened for return traffic. Any traffic sourced from the public interface needs to be specifically allowed with an ACL.
Does that help?
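The CBAC layout the answer describes, written out as an added example (not configuration from either poster). It keeps the question's ACL 101 on f0/0, assumes f0/0 is inside (192.168.0.0/24) and f0/1 is outside, and uses a hypothetical inspection-rule name and a hypothetical inside public web server 192.168.0.50 for the "you also host a website" case.

```cisco
! Inspection rule (name INSIDE-OUT is an assumption). Applied outbound on the
! untrusted interface, it records each session leaving and opens a matching
! temporary hole for the reply, so no "permit high ports" entries are needed.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
!
! Trusted side: the question's ACL, unchanged.
access-list 101 permit tcp host 192.168.0.1 host 172.16.0.10 eq www
!
! Untrusted side: only what the outside is allowed to originate.
! 192.168.0.50 is a hypothetical public web server inside the network.
! Return traffic for sessions started from inside is NOT listed here;
! CBAC admits it ahead of this ACL.
access-list 102 permit tcp any host 192.168.0.50 eq www
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 deny ip any any log
!
interface FastEthernet0/0
 ip access-group 101 in
!
interface FastEthernet0/1
 ip access-group 102 in
 ip inspect INSIDE-OUT out
```

After a browser on 192.168.0.1 opens 172.16.0.10, `show ip inspect sessions` lists the tracked TCP session and the reply from 172.16.0.10 port 80 is admitted even though ACL 102 never names it.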