CBAC creates a dynamic ACL with this scenario (curriculum)

zillah2004
Level 1

I am aware of how CBAC works; please look at the figure below (step 2):

http://img484.imageshack.us/img484/7679/cabcib1.jpg

In step 2, he says: " CBAC creates a dynamic ACL allowing return traffic back through the firewall "

By "CBAC creates a dynamic ACL, etc.", does he mean the command line underneath it?:

Access-list 102 permit TCP host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447


Jon Marshall
Hall of Fame

Hi

What he means is this.

The host 10.0.0.3 creates a telnet session (port 23) to the server 172.30.1.50. This is allowed out through the router.

On the router interface that connects to the 172.30.1.50 network there is an access-list that looks like

access-list 102 deny ip any any

and this access-list is applied in an inbound direction.

This will stop all inbound connections from outside.

What happens when the inside host telnets out is that a line is dynamically added to access-list 102. So now your access-list looks like this:

access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447

access-list 102 deny ip any any

When the telnet session is finished the dynamically added line will disappear and your access-list will be:

access-list 102 deny ip any any

HTH

Jon

Thanks, Jon, for this insight.

That means we are going to do it like this:

Assume interface fastethernet0/1 (right hand side of the picture) is connected to the server.

Router(config)#ip inspect name FWRULE tcp

Router(config)#interface fastethernet0/1

Router(config-if)#ip access-group 102 in

Router(config-if)#ip inspect FWRULE out

Router(config-if)#no shutdown

Router(config-if)#exit

>>What happens when the inside host telnets out is that a line is dynamically added to access-list 102. So now your access-list looks like this

access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447

access-list 102 deny ip any any

<<

How can I make sure that the dynamic ACL entry will be added at the beginning of the ACEs? Because if it came like this:

access-list 102 deny ip any any

access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447

it will be useless.

Regards

Hi

You don't need to worry about it being added in the right order. CBAC will automatically add it before any statically configured lines that you have put in yourself so the dynamic lines will always be at the top of the access-list.

HTH

Jon

Great job Jon

Warm regards

>>eq 23 host 10.0.0.3 eq 2447 <<

It is obvious that port 23 will always be in the access list that is created by CBAC, but port 2447 is changeable.

Hi

Thanks for rating - helps others solve issues quickly.

As for the last point. Remember that CBAC creates dynamic entries per connection. So the entry created for the host (2447) to the server (23) will be just for that session. The port 2447 will not change for that session (true for telnet but not all protocols). So if another session is created from that host or another host connects to the server the random port will change yes and the destination port will still be 23 but that's okay for that session.

Hope that makes sense.

Jon
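As an added illustration (constructed for this thread; it is not code from the original post, from Cisco, or from the curriculum), the following Python model plays out the two points Jon makes in his replies above: the dynamic entry is always evaluated ahead of the statically configured entries, and it is keyed to one session, so a second telnet from source port 2448 gets its own entry and the 2447 entry disappears when that session closes. All class and function names are my own; the addresses, ports and ACL number are the ones from the thread.

```python
"""Toy model of the CBAC behaviour described in this thread (constructed for
illustration; it is not IOS code and not a Cisco implementation).

It simulates first-match evaluation of an inbound IOS access-list, the
per-session return-traffic entry that inspection inserts ahead of the static
ACEs, and the removal of that entry when the session ends."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry.  proto "ip" and address "any" are wildcards;
    a port of None means "no port qualifier"."""
    action: str
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    dynamic: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and self.src_port in (None, pkt.sport)
                and self.dst_port in (None, pkt.dport))

    def render(self, number: int) -> str:
        """Render in the 'access-list <n> ...' syntax used in the thread."""
        def endpoint(addr: str, port: Optional[int]) -> str:
            text = "any" if addr == "any" else f"host {addr}"
            return text if port is None else f"{text} eq {port}"
        return (f"access-list {number} {self.action} {self.proto} "
                f"{endpoint(self.src, self.src_port)} "
                f"{endpoint(self.dst, self.dst_port)}")


def first_match(entries: List[Ace], pkt: Packet) -> str:
    """IOS ACL semantics: first matching entry wins, implicit deny at the end."""
    for ace in entries:
        if ace.matches(pkt):
            return ace.action
    return "deny"


SessionKey = Tuple[str, str, int, str, int]


class CbacFirewall:
    """Inbound ACL on the outside interface plus inspection of outbound
    sessions, as in the configuration discussed in the thread."""

    def __init__(self, number: int, static_aces: List[Ace]) -> None:
        self.number = number
        self.static = list(static_aces)
        self.dynamic: List[Ace] = []
        self.sessions: Dict[SessionKey, Ace] = {}

    @property
    def entries(self) -> List[Ace]:
        # Dynamic entries always precede the statically configured ones.
        return self.dynamic + self.static

    def evaluate_inbound(self, pkt: Packet) -> str:
        return first_match(self.entries, pkt)

    def inspect_outbound(self, pkt: Packet) -> Ace:
        """An inside host opens a session: add one entry for its reverse
        5-tuple (server port -> client's ephemeral port) at the top."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:
            ace = Ace("permit", pkt.proto, pkt.dst, pkt.dport,
                      pkt.src, pkt.sport, dynamic=True)
            self.sessions[key] = ace
            self.dynamic.insert(0, ace)
        return self.sessions[key]

    def close_session(self, pkt: Packet) -> None:
        """Session finished (FIN/RST or idle timeout): the entry disappears."""
        ace = self.sessions.pop((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        self.dynamic = [a for a in self.dynamic if a is not ace]

    def show(self) -> List[str]:
        return [ace.render(self.number) for ace in self.entries]


if __name__ == "__main__":
    fw = CbacFirewall(102, [Ace("deny", "ip", "any", None, "any", None)])
    telnet = Packet("tcp", "10.0.0.3", 2447, "172.30.1.50", 23)
    fw.inspect_outbound(telnet)
    print("\n".join(fw.show()))   # dynamic permit line first, then the deny
    fw.close_session(telnet)
    print("\n".join(fw.show()))   # only the static deny remains
```

The `first_match` helper also makes the ordering worry concrete: feed it the same two entries with the deny first and the return packet is dropped, which is exactly why IOS places the inspection-generated entries ahead of the static ones.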

Why does the word "TCP" in the command line appear in upper case (as we know, the Cisco convention is that keywords are lower case, not upper case; upper case is for naming)? Is it a typo?

Hi

Yes, I think it's a typo. CBAC uses normal IOS access-lists so you certainly don't need it in upper case.

Jon

Thanks again and well done Jon
