04-23-2007 12:47 PM - edited 03-11-2019 03:03 AM
I am aware of how CBAC works; please look at the figure below (step 2):
http://img484.imageshack.us/img484/7679/cabcib1.jpg
In step 2, he says: "CBAC creates a dynamic ACL allowing return traffic back through the firewall"
By "CBAC creates a dynamic ACL, etc.", does he mean the command line underneath it?
Access-list 102 permit TCP host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
04-23-2007 10:50 PM
Hi
What he means is this.
The host 10.0.0.3 creates a telnet session (port 23) to the server 172.30.1.50. This is allowed out through the router.
On the router interface that connects to the 172.30.1.50 network there is an access-list that looks like
access-list 102 deny ip any any
and this access-list is applied in an inbound direction.
This will stop all inbound connections from outside.
What happens when the inside host telnets out is that a line is dynamically added to access-list 102. So now your access-list looks like this
access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
access-list 102 deny ip any any
When the telnet session is finished the dynamically added line will disappear and your access-list will be
access-list 102 deny ip any any
HTH
Jon
04-24-2007 12:01 AM
Thanks Jon for this insight
That means we are going to do it like this:
Assume interface fastethernet0/1 (right hand side of the picture) is connected to the server
Router(config)#ip inspect name FWRULE tcp
Router(config)#access-list 102 deny ip any any
Router(config)#interface fastethernet0/1
Router(config-if)#ip access-group 102 in
Router(config-if)#ip inspect FWRULE out
Router(config-if)#no shutdown
Router(config-if)#exit
>>What happens when the inside host telnets out is that a line is dynamically added to access-list 102. So now your access-list looks like this
access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
access-list 102 deny ip any any
<<
How can I make sure that the dynamic ACL entry will be added to the beginning of the ACEs? Because if it came like this:
access-list 102 deny ip any any
access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
it will be useless
Regards
04-24-2007 12:06 AM
Hi
You don't need to worry about it being added in the right order. CBAC will automatically add it before any statically configured lines that you have put in yourself so the dynamic lines will always be at the top of the access-list.
HTH
Jon
04-24-2007 12:16 AM
Great job Jon
Warm regards
>>eq 23 host 10.0.0.3 eq 2447 <<
It is obvious that port 23 will always be in the access list that is created by CBAC, but port 2447 is changeable.
04-24-2007 12:28 AM
Hi
Thanks for rating - helps others solve issues quickly.
As for the last point. Remember that CBAC creates dynamic entries per connection. So the entry created for the host (2447) to the server (23) will be just for that session. The port 2447 will not change for that session (true for telnet but not all protocols). So if another session is created from that host, or another host connects to the server, the random port will change, yes, and the destination port will still be 23, but that's okay for that session.
Hope that makes sense.
Jon
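The two points Jon makes above (the dynamic permit lands ahead of the static lines, and there is one entry per session that disappears when the session ends) can be seen in a small model of first-match ACL evaluation. The following Python is an added illustration written for this thread, not code from the thread or from Cisco IOS; it models the router's inbound ACL 102 and the per-session entry inspection adds and removes, and the `InspectedAcl`, `Ace` and `Packet` names are the model's own.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry; a port of None means "any port"."""
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip" (ip matches every protocol)
    src: str                 # host address or "any"
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    dynamic: bool = False    # True for entries inspection inserted for a session


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.src_port is not None and ace.src_port != pkt.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


class InspectedAcl:
    """Inbound ACL on the outside interface plus its CBAC-style dynamic entries (model)."""

    def __init__(self, number: int, static_aces: List[Ace]):
        self.number = number
        self.aces: List[Ace] = list(static_aces)

    def evaluate(self, pkt: Packet) -> str:
        # First match wins; no match at all is the implicit deny.
        for ace in self.aces:
            if ace_matches(ace, pkt):
                return ace.action
        return "deny"

    def session_opened(self, outbound: Packet) -> Ace:
        # Inspection saw an outbound session: permit exactly the reverse 5-tuple,
        # inserted ahead of every statically configured line.
        ace = Ace("permit", outbound.proto, outbound.dst, outbound.dst_port,
                  outbound.src, outbound.src_port, dynamic=True)
        self.aces.insert(0, ace)
        return ace

    def session_closed(self, ace: Ace) -> None:
        # When the session ends, its entry is withdrawn again.
        self.aces.remove(ace)

    def render(self) -> List[str]:
        """Show the ACL in IOS-like syntax, in evaluation order."""
        lines = []
        for a in self.aces:
            src = "any" if a.src == "any" else f"host {a.src}"
            dst = "any" if a.dst == "any" else f"host {a.dst}"
            sp = "" if a.src_port is None else f" eq {a.src_port}"
            dp = "" if a.dst_port is None else f" eq {a.dst_port}"
            lines.append(f"access-list {self.number} {a.action} {a.proto} {src}{sp} {dst}{dp}")
        return lines


def reverse(pkt: Packet) -> Packet:
    """Return-direction packet for a given outbound packet."""
    return Packet(pkt.proto, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)


def demo() -> dict:
    """Walk through the thread's telnet example (constructed addresses from the thread)."""
    acl = InspectedAcl(102, [Ace("deny", "ip", "any", None, "any", None)])
    telnet = Packet("tcp", "10.0.0.3", 2447, "172.30.1.50", 23)
    results = {"before": acl.evaluate(reverse(telnet))}
    entry = acl.session_opened(telnet)
    results["during"] = acl.evaluate(reverse(telnet))
    results["acl_during"] = acl.render()
    # A second session from the same host gets its own entry with its own source port.
    entry2 = acl.session_opened(Packet("tcp", "10.0.0.3", 2448, "172.30.1.50", 23))
    results["second_session"] = acl.evaluate(Packet("tcp", "172.30.1.50", 23, "10.0.0.3", 2448))
    results["unrelated_port"] = acl.evaluate(Packet("tcp", "172.30.1.50", 23, "10.0.0.3", 2449))
    acl.session_closed(entry)
    acl.session_closed(entry2)
    results["after"] = acl.evaluate(reverse(telnet))
    # The ordering worry from the thread: the same permit placed after the deny never fires.
    wrong = InspectedAcl(102, [Ace("deny", "ip", "any", None, "any", None),
                               Ace("permit", "tcp", "172.30.1.50", 23, "10.0.0.3", 2447)])
    results["appended_at_end"] = wrong.evaluate(reverse(telnet))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the return packet denied before the session, permitted while the entry sits above `deny ip any any`, a separate entry for the second source port, the same packet denied again once the sessions close, and denied throughout when the permit is placed below the deny, which is exactly why the insertion order matters.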
04-24-2007 12:31 AM
Why does the word "TCP" in the command line appear in upper case (as we know, the Cisco convention is that keywords are lower case, not upper case; upper case is for names)? Is it a typo?
04-24-2007 12:34 AM
Hi
Yes, I think it's a typo. CBAC uses normal IOS access-lists so you certainly don't need it in upper case.
Jon
04-24-2007 12:36 AM
Thanks again and well done Jon