04-02-2009 06:00 AM
Hi all,
I put the following access-list in my router:
router(config)#access-list 101 permit tcp host 192.168.0.1 host 172.16.0.10 eq www
And I've applied it on the f0/0 interface, this way:
router(config-if)#ip access-group 101 in
With this, I can WWW the host 172.16.0.10. Right.
But, I would like to put an access-list on the f0/1 (outside) interface to permit host 172.16.0.10 to answer the request.
But, to do that, I must put an access-list permitting 172.16.0.10 to connect to all higher ports 1024....65536...
I mean, I just wanna permit the traffic back, only if the first traffic is permitted, like a firewall does.
Is this possible?
Or, is there another way to do that?
Thank you
Tauer
04-02-2009 09:37 AM
The example in the link is a bit confusing. With CBAC, you have any ACL on the "trusted" side. You create inspection rules, then apply it to the "untrusted" interface with a direction of out. What this does is track connections outbound and dynamically allows the connection back in. CBAC is basically a stateful inspection engine, just like an ASA firewall.
The confusing part is let's say for example you also host a public website in your network. CBAC has nothing to do with this, so we need to create an ACL for the outside interface to allow web traffic to our webserver. The outside ACL has nothing to do with return traffic when sourced from the trusted side (when CBAC is used). If you look at the example, they are only allowing certain types of ICMP from the outside. CBAC allows dynamic "holes" to be opened for return traffic. Any traffic sourced from the public interface needs to be specifically allowed with an ACL.
Does that help?
04-02-2009 06:15 AM
You bet there is!
https://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
Hope this helps.
04-02-2009 06:46 AM
Hi Collin,
In this example, I got to configure the access-list returns.
I mean, if an inbound access-list is permitting WWW, the return traffic must be permitted too, without an access-list configuration.
Did I mistake something?
04-02-2009 09:51 AM
Yes it does,
just to clarify...
On my first example, let's consider F0/0 the inside interface (trusted network - 192.168.0.0/24) and F0/1 the outside interface (untrusted network - 172.16.0.0/24).
If I create an ACL like this:
"access-list 101 permit tcp host 192.168.0.1 host 172.16.0.10 eq www"
and apply it on F0/0: ip access-group 101 in.
And create an ACL like this:
"access-list 102 deny any any" and apply it on F0/1: ip access-group 102 in
Then, I create inspection rules, then apply it to the "untrusted" interface with a direction of out.
So... If the host 192.168.0.1 generates a connection to 172.16.0.10 on port 80, will this connection be allowed? Even if on F0/1 there's an ACL deny any any..... ?
Thank you
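The configuration the thread describes, written out as an added example (it is not from any post in the thread or from the linked Cisco document): ACL 101 inbound on the trusted F0/0, a deny-everything ACL inbound on the untrusted F0/1, and a CBAC inspection rule applied outbound on F0/1 so that the router tracks the outbound web session and inserts temporary entries for its return traffic. The inspection rule name FW-INSPECT and the router's own interface addresses are assumed; the outside ACL is written with the full extended-ACL syntax (`deny ip any any`) because an extended numbered ACL such as 102 requires a protocol keyword.

```cisco
! Added example, not the poster's configuration.
! F0/0 = inside (192.168.0.0/24, trusted), F0/1 = outside (172.16.0.0/24, untrusted).
! "FW-INSPECT" and the interface IP addresses are assumed values.
!
! Inside ACL: the only session allowed to start is the web request from the thread.
access-list 101 permit tcp host 192.168.0.1 host 172.16.0.10 eq www
!
! Outside ACL: no statically permitted inbound traffic. The implicit deny would do the
! same; the explicit entry with "log" makes unexpected inbound attempts visible.
access-list 102 deny ip any any log
!
! CBAC inspection rule: track TCP and UDP sessions that leave through F0/1.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
!
interface FastEthernet0/0
 description INSIDE - trusted
 ip address 192.168.0.254 255.255.255.0
 ip access-group 101 in
!
interface FastEthernet0/1
 description OUTSIDE - untrusted
 ip address 172.16.0.254 255.255.255.0
 ip access-group 102 in
 ip inspect FW-INSPECT out
!
! Verification from exec mode:
!   show ip inspect sessions   - the tracked 192.168.0.1 -> 172.16.0.10:80 session
!   show ip access-lists 102   - the temporary entries CBAC adds for return traffic
```

With the inspection rule applied outbound on F0/1, the reply packets from 172.16.0.10 are matched against the dynamic entries CBAC created when the session left the router, so they are accepted even though ACL 102 denies everything statically; those entries are removed when the session closes or times out. Any connection initiated from the outside still has to match a static permit in ACL 102, which is the point the accepted answer makes about hosting a public web server.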