Cisco IOS CBAC Configuration Example
CBAC (Context-Based Access Control) is an IOS firewall feature that inspects traffic statefully. It permits or denies traffic according to its state tables: sessions initiated from the inspected side are recorded, and only the matching return traffic is allowed back in, even when the inbound access list would otherwise deny it.
We will do basic CBAC tests on this topology:
Configuration on R2
ip inspect name inspect-test tcp
ip inspect name inspect-test udp
!
interface FastEthernet0/1
 ip address 10.10.23.2 255.255.255.0
 ip access-group in-acl in
 ip inspect inspect-test out
!
ip access-list extended in-acl
 permit ospf any any
 deny ip any any
Let's open sessions from R1 to R3 and look at the results on R2.
We will test both TCP 23 (telnet) and TCP 80 (http) traffic:
R1#telnet 10.10.10.3 /source-interface loopback 0
Trying 10.10.10.3 ... Open
User Access Verification
Password:
R3>en
Password:
R3#
R1#telnet 10.10.10.3 80 /source-interface loopback 0
Trying 10.10.10.3, 80 ... Open
On R2:
R2#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name inspect-test
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
Interface Configuration
Interface FastEthernet0/1
Inbound inspection rule is not set
Outgoing inspection rule is inspect-test
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
Inbound access list is in-acl
Outgoing access list is not set
Established Sessions
Session 66F3BF24 (10.10.10.1:54854)=>(10.10.10.3:80) tcp SIS_OPEN
Session 66F3C1EC (10.10.10.1:62759)=>(10.10.10.3:23) tcp SIS_OPEN
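As an added illustration (not from the original post and not Cisco code), a small Python model of what R2 is doing above: the inbound ACL on Fa0/1 permits only OSPF, the outbound inspect rule records tcp/udp sessions, and returning packets are checked against that state table, with the idle timers from the show output, before the ACL is consulted. It shows why the two sessions appear as SIS_OPEN and why "deny ip any any" does not block their replies; the class and method names are assumptions of this model.

```python
# Simplified model of CBAC on R2's Fa0/1 (added example, not IOS code).
TCP_IDLE, UDP_IDLE = 3600, 30   # idle timers from "show ip inspect all"

class CbacInterface:
    """One interface: 'ip inspect inspect-test out' + 'ip access-group in-acl in'."""

    def __init__(self, inspected_protos=("tcp", "udp")):
        self.inspected = set(inspected_protos)
        # (src, sport, dst, dport, proto) -> time the session was last seen
        self.sessions = {}

    def outbound(self, src, sport, dst, dport, proto, now):
        # Traffic leaving toward R3: the inspect rule creates a state entry.
        if proto in self.inspected:
            self.sessions[(src, sport, dst, dport, proto)] = now
        return "permit"                     # no outgoing access list is set

    def inbound(self, src, sport, dst, dport, proto, now):
        # Returning traffic: CBAC state table first, then in-acl.
        key = (dst, dport, src, sport, proto)   # reversed 5-tuple
        if key in self.sessions:
            idle = TCP_IDLE if proto == "tcp" else UDP_IDLE
            if now - self.sessions[key] <= idle:
                self.sessions[key] = now
                return "permit (session)"
            del self.sessions[key]          # idle timer expired, entry removed
        if proto == "ospf":
            return "permit (in-acl)"        # permit ospf any any
        return "deny (in-acl)"              # deny ip any any

    def show_sessions(self):
        # Mimics the "Established Sessions" block of "show ip inspect all".
        return [f"({s}:{sp})=>({d}:{dp}) {p} SIS_OPEN"
                for (s, sp, d, dp, p) in self.sessions]

if __name__ == "__main__":
    fa = CbacInterface()
    fa.outbound("10.10.10.1", 62759, "10.10.10.3", 23, "tcp", 0)   # R1 telnet
    print(fa.inbound("10.10.10.3", 23, "10.10.10.1", 62759, "tcp", 1))
    print(fa.inbound("10.10.10.3", 1234, "10.10.10.1", 23, "tcp", 1))
    print(fa.show_sessions())
```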