CBAC

From DocWiki

Latest revision as of 01:19, 1 November 2010

Introduction

CBAC (Context-Based Access Control)

CBAC provides stateful application-layer filtering, including support for unorthodox protocols and multimedia applications. It can examine supported connections for embedded NAT and PAT information and perform the necessary translations. In addition, it can open additional stateful connections for supported applications, such as FTP and H.323.

Features offered by CBAC

Port mapping: Allows the mapping of ports so that CBAC can perform its application inspection correctly, such as assigning FTP to port 1024 if your FTP server is processing traffic on that port.

Filtering of Java applets: Filters embedded Java applets on HTTP connections, allowing you to block known malicious sites.

DoS protection: Detects and prevents denial-of-service (DoS) attacks by limiting the number of connections that a device can set up.

CBAC also provides real time alerts and audit trails.

NOTE: All inspection features are applied globally when using CBAC; there is no flexibility to inspect only a certain network or traffic flow based on the IP addressing scheme. To accomplish that, use the more advanced IOS firewall feature set known as the Zone-Based Firewall (ZBFW).

Here are the steps to configure CBAC:

Step 1. Identify the interfaces as internal and external on your router.

Step 2. Configure the IP ACL rules to filter traffic based on your requirements.

Step 3. Change the global timeout values for connections as required.

Step 4. If an application uses a nonstandard port number, such as FTP on port 1024, configure Port Application Mapping (PAM).

Step 5. Configure the inspection rules. These rules define which entries are added to the state table; CBAC then opens pinholes for the returning traffic in the ACL applied in the opposite direction to the inspection rule.

Step 6. Apply the inspection rules to the respective interface of the router.

Step 7. Finally, test the CBAC configuration by passing some interesting traffic through the router running CBAC to validate that the configuration works.

Design

The scenario below shows how to enable IOSFW (CBAC) on a router.

Internet———(WAN)Router/CBAC(LAN)———Inside host

Router outside interface: 1.1.1.1
Router inside interface: 192.168.10.1
Inside host: 192.168.10.2
NATed IP address for inside host: 1.1.1.4

Configuration

ip inspect name IOSFW icmp router-traffic
ip inspect name IOSFW tcp router-traffic
ip inspect name IOSFW udp router-traffic
 
access-list 151 deny ip any any
 
interface FastEthernet0/0
description **WAN**
ip address 1.1.1.1 255.255.255.0
ip access-group 151 in
ip nat outside
no shut
 
interface FastEthernet0/1
description **LAN**
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip inspect IOSFW in
no shut
 
CBAC(config)#ip inspect audit-trail
CBAC(config)#logging buffered debugging
CBAC(config)#logging on
CBAC#
*Mar  1 00:38:30.851: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.10.2:56162) -- responder (2.2.2.2:23)
 
CBAC#sh ip inspect sessions
Established Sessions
Session 669F632C (192.168.10.2:56162)=>(2.2.2.2:23) tcp SIS_OPEN

CBAC#sh ip inspect sessions detail
Established Sessions
 Session 669F632C (192.168.10.2:56162)=>(2.2.2.2:23) tcp SIS_OPEN
  Created 00:00:11, Last heard 00:00:05
  Bytes sent (initiator:responder) [42:90]
  In  SID 2.2.2.2[23:23]=>1.1.1.4[56162:56162] on ACL INBOUND  (18 matches)
 

Note:

  • Turn off inspection for unused protocols (only inspect what you require).
  • Using the router-traffic keyword with the desired protocol enables inspection of sessions to and from the router itself, in addition to sessions through the router.
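To make Step 5 concrete, here is a toy model of the CBAC state table for the design above. It is an added example, not IOS code or anything from the DocWiki page: it parses the audit-trail START message shown in the Configuration section into the initiating packet, records the post-NAT session, and admits an inbound packet only when it is the reverse of a recorded session, which is what the pinhole through ACL 151 achieves. The NAT mapping, the Packet tuple and the CbacModel class are assumptions of the model, and timeouts and TCP flag tracking are left out.

```python
"""Toy model of CBAC's state table and pinholing (added example, not IOS code).
Topology from the Design section: IOSFW inspection inbound on the LAN side,
access-list 151 (deny ip any any) inbound on the WAN side, and NAT translating
192.168.10.2 to 1.1.1.4.  Timeouts and TCP flag tracking are not modelled."""
import re
from collections import namedtuple

NAT_INSIDE_TO_OUTSIDE = {"192.168.10.2": "1.1.1.4"}  # assumed static NAT, from the Design section

# Matches the %FW-6-SESS_AUDIT_TRAIL_START message shown on the page.
AUDIT_START = re.compile(
    r"Start (?P<proto>\w+) session: initiator \((?P<src>[\d.]+):(?P<sport>\d+)\)"
    r" -- responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)")

Packet = namedtuple("Packet", "proto src sport dst dport")  # assumed 5-tuple layout

def packet_from_audit_trail(line):
    """Turn an audit-trail START line into the (pre-NAT) initiating packet."""
    m = AUDIT_START.search(line)
    return Packet(m["proto"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"])) if m else None

class CbacModel:
    def __init__(self, inspect_protocols):
        self.inspect_protocols = set(inspect_protocols)  # ip inspect name IOSFW <proto>
        self.sessions = set()  # state table keyed by the post-NAT 5-tuple

    def outbound(self, pkt):
        """LAN -> WAN: translate the source; open a pinhole if the protocol is inspected."""
        src = NAT_INSIDE_TO_OUTSIDE.get(pkt.src, pkt.src)
        if pkt.proto in self.inspect_protocols:
            self.sessions.add((pkt.proto, src, pkt.sport, pkt.dst, pkt.dport))
        return Packet(pkt.proto, src, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN: True only if a pinhole matches; otherwise ACL 151 denies."""
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def demo():
    fw = CbacModel(["icmp", "tcp", "udp"])  # the page's three 'ip inspect' lines
    log = ("*Mar  1 00:38:30.851: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: "
           "initiator (192.168.10.2:56162) -- responder (2.2.2.2:23)")
    fw.outbound(packet_from_audit_trail(log))
    # The telnet reply from 2.2.2.2 is admitted; a probe from elsewhere to the same port is not.
    return {"reply": fw.inbound(Packet("tcp", "2.2.2.2", 23, "1.1.1.4", 56162)),
            "unsolicited": fw.inbound(Packet("tcp", "3.3.3.3", 23, "1.1.1.4", 56162))}
```

A protocol without an ip inspect line never gets a session entry, so its return traffic is dropped by ACL 151 even if the outbound packet was forwarded.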

Related show Commands

This section provides information you can use to confirm your configuration is working properly.

Other Show Commands

show ip inspect config

show ip inspect interfaces

show ip inspect stat


Debug Commands

debug ip inspect detail

debug ip inspect tcp

debug ip inspect object-cre

debug ip inspect object-del

debug ip inspect event

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

Related Information

Technical Support & Documentation - Cisco Systems
