CBAC: Context Based Access Control Configuration Example


Introduction

This document walks through a Context Based Access Control (CBAC) configuration example on a Cisco IOS router acting as a firewall.

Topology

Prerequisites

  • Cisco IOS based router
  • Cisco IOS 12.4

Configuration Example 

What is CBAC?

CBAC is the stateful inspection feature of the Cisco IOS Firewall. Instead of relying on a purely static access list, the router inspects the sessions that users open through it and tracks their state.

A CBAC configuration consists of:
  • ip inspect statements that select which protocols (for example TCP, UDP, ICMP) the router inspects, and the interface and direction in which inspection takes place
  • an access list on the untrusted interface that blocks unsolicited inbound traffic
Inspection also checks that the packets of a session are legitimate (for example, that TCP sequence numbers fall within the expected window) before they are allowed into the protected network.

Let's assume we have three routers named R1, R2 and R3, with R2 acting as the firewall between R1 and R3.
A user on the LAN side of R2 (R3 in the example that follows) wants to telnet to R1 on the other side. A plain access list cannot tell reply traffic from new connections: the reply from R1 hits the "deny ip any any" of the inbound ACL on R2 and is dropped, even though a route back to the source exists.

To let that session work we configure CBAC on R2. After enabling CBAC:
R2 keeps a state table of inspected sessions and, for each of them, inserts a temporary dynamic entry ahead of the "deny ip any any" that permits that session's return traffic.
 

IP range:
  • 192.168.0.0/24 (between R1 and R2)
  • 172.16.1.0/24 (between R2 and R3)

Static Route between R1 and R3:

Our goal is to protect the LAN from illegitimate attackers on the Internet.

The access list applied inbound on R2's Internet-facing interface drops everything coming from the Internet. By adding "deny ip any any log" as the last entry we can see the dropped packets on the console. The problem with this ACL is that replies to sessions started from the LAN are dropped as well: when a user tries to ping R1 from R3 there is no reachability, because the echo replies from R1 are denied on their way back.

To fix this we use CBAC: it inspects the traffic leaving the LAN and automatically allows the matching return traffic through.

Example for HTTP traffic:

Enable the HTTP server on R1.

Verification

The user can now reach R1 on TCP port 80, for example by telnetting to R1 on port 80, which shows that the HTTP session and its return traffic pass through R2.
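The configuration screenshots from the original post are not reproduced on this page, so the following is an added example of the R2 configuration described above; it is not the original author's configuration. It assumes R2 uses FastEthernet0/0 toward R1 (192.168.0.0/24, treated as the untrusted Internet side) and FastEthernet0/1 toward R3 (172.16.1.0/24, the protected LAN), with R2 holding .2 on each subnet. The interface names, R2's addresses, and the ACL and inspect rule names are assumptions.

```cisco
! Added example, not the original post's configuration.
! Assumed layout: Fa0/0 -> R1 (192.168.0.0/24, outside), Fa0/1 -> R3 (172.16.1.0/24, inside LAN).
!
! 1. Inbound ACL for the outside interface: drop and log everything that
!    arrives from the Internet, so the drops show up on the console.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
! 2. Inspection rule: the protocols whose return traffic CBAC should admit.
!    tcp covers both telnet and HTTP; icmp is needed for the ping test from R3.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT icmp
!
! 3. Apply both on the outside interface: inspect sessions leaving toward R1,
!    filter what comes back with the deny-all ACL. For every inspected session
!    CBAC adds a temporary permit entry ahead of the deny and removes it when
!    the session closes or its idle timer expires.
interface FastEthernet0/0
 description to R1 (outside)
 ip address 192.168.0.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect LAN-OUT out
!
interface FastEthernet0/1
 description to R3 (inside)
 ip address 172.16.1.2 255.255.255.0
!
! On R1 (the HTTP example): enable the built-in web server so there is a
! listener on TCP port 80.
!   ip http server
!
! Verification on R2 after R3 opens a connection to R1 port 80:
!   show ip inspect config          - the rule and its timeouts
!   show ip inspect sessions        - the inspected session (172.16.1.x -> 192.168.0.x:80)
!   show ip access-lists OUTSIDE-IN - the dynamic permit entry listed ahead of the deny
```

Without the icmp line the ping from R3 to R1 still fails even with CBAC enabled, because only inspected protocols get dynamic entries; everything else still lands on the deny. The same rule could instead be applied inbound on FastEthernet0/1, which inspects the same outbound sessions one hop earlier.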
Version history: revision 1 of 1, last updated 07-06-2014 09:32 AM

Comments

New Member

Your intention was good in posting this doc for all the candidates here, but be careful, as you wrote about the problem with telnet and lastly you solved the problem with HTTP.

"Let's assume we have 3 routers named R1, R2, R3.

User from R1 wants to telnet R3. Traditionally, in the absence of a reverse route, the reply traffic hits the ACL "Deny IP Any Any". Traffic gets dropped."

Telnet is a one-way communication problem. Please correct the above mentioned statements so users won't get confused.
 
 
Silver

Hi Upendra,

HTTP and Telnet are two scenarios where TCP works. That's why I used HTTP as the example. If we don't have a reverse route, whatever it may be, Telnet or HTTP, the user at R1 will never receive a reply from R3.

That's why we implement CBAC, as it creates a state table at R2, in turn creating a dynamic ACL placed over "Deny IP any any".

 

Regards,

Anim Saxena

Technical Community Manager (Security)