I have been reading through the documentation on implementing CBAC. I want to confirm what I think I know. A simple example - SMTP. Email server on the inside needs to talk to external email servers and vice versa. SMTP needs two way port 25. If I implement CBAC on the border router inspecting SMTP from the inside heading out, no external email servers would be able to initiate and make contact with the internal email server as CBAC would not see a session initiated from the inside and block the attempt.
Yes. Basically with CBAC dynamic ACL entries are made and removed for each connection. If you wanted to allow incoming connections to your mail server your ACL would look something like:
access-list CBAC permit tcp any host eq 25
access-list CBAC deny ip any any
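The behaviour described above, as an added model that is not part of the original thread or of Cisco's code: a minimal stateful router that opens a dynamic entry when an inside host starts an inspected SMTP session, removes it when the session closes, and otherwise falls back to the static inbound ACL. The mail server address 10.0.0.25 and the outside peer addresses are constructed sample values.

```python
from dataclasses import dataclass, field

MAIL_SERVER = "10.0.0.25"      # constructed sample address for the internal mail server

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""            # "S" = SYN (new session), "F" = FIN (session closing)

@dataclass
class CbacRouter:
    inspect_ports: set = field(default_factory=lambda: {25})  # models 'ip inspect name OUT smtp'
    inbound_permit: set = field(default_factory=set)          # static ACL entries: (dst, dport)
    sessions: set = field(default_factory=set)                # dynamic entries keyed by 4-tuple

    def outbound(self, p: Pkt) -> bool:
        """Packet leaving through the outside interface, where the inspect rule is applied."""
        key = (p.src, p.sport, p.dst, p.dport)
        if p.dport in self.inspect_ports and "S" in p.flags:
            self.sessions.add(key)          # dynamic entry opened for the return direction
        if "F" in p.flags:
            self.sessions.discard(key)      # dynamic entry removed when the session ends
        return True

    def inbound(self, p: Pkt) -> bool:
        """Packet arriving on the outside interface, where the CBAC ACL is applied inbound."""
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return True                     # reply to an inside-initiated session
        return (p.dst, p.dport) in self.inbound_permit   # static ACL; deny ip any any is implicit

def inspect_only() -> CbacRouter:
    """The question's scenario: outbound SMTP inspected, no static inbound permit."""
    return CbacRouter()

def inspect_with_permit() -> CbacRouter:
    """The answer's ACL: permit tcp any host <mail server> eq 25, then deny ip any any."""
    return CbacRouter(inbound_permit={(MAIL_SERVER, 25)})

if __name__ == "__main__":
    r = inspect_only()
    r.outbound(Pkt(MAIL_SERVER, 40000, "203.0.113.5", 25, "S"))
    print(r.inbound(Pkt("203.0.113.5", 25, MAIL_SERVER, 40000)))       # True: return traffic
    print(r.inbound(Pkt("203.0.113.5", 40001, MAIL_SERVER, 25, "S")))  # False: no dynamic entry
```

With inspect_with_permit() the same externally initiated SYN to port 25 is allowed by the static entry, while a SYN to any other port on the mail server is still dropped.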