IOS Firewall – CBAC

September 4, 2008 at 3:23 pm | Posted in Security | Leave a comment

Configuration

R4#
! Inspection rule. router-traffic makes CBAC also track sessions that R4
! itself originates (its own telnet, BGP, pings); without it only transit
! traffic is inspected and the router's own return traffic hits the ACL.
ip inspect name INSPECT tcp router-traffic
ip inspect name INSPECT icmp router-traffic
! router-traffic is only accepted on the tcp, udp and icmp entries, so the
! ftp entry covers transit FTP only (control channel plus dynamic data channel).
ip inspect name INSPECT ftp
!
! Inbound on the outside interface: statically allow only the routing
! protocols; everything else has to come in through a CBAC dynamic entry.
ip access-list extended INBOUND
 permit ospf any any
 permit tcp any any eq bgp
 deny   ip any any
!
interface Serial1/1
 ip access-group INBOUND in
 ip inspect INSPECT out
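The verification output below shows the global CBAC defaults on this box: max-incomplete and one-minute thresholds at unlimited and no audit trail, so the half-open-session protection is effectively off. As an added example (not part of the original post or the lab), here is the same INSPECT policy with the standard CBAC global tuning applied. The threshold numbers are assumptions chosen for a small lab router, not Cisco-recommended values; the inspect and ACL names are the ones from the post.

```cisco
! Added example: INSPECT policy plus global CBAC tuning.
!
! Log every inspected session open/close to syslog, so the session table
! can be reconstructed after the fact.
ip inspect audit-trail
!
! Half-open (embryonic) session limits. Above 'high' CBAC starts deleting
! the oldest half-open sessions and keeps doing so until below 'low'.
! Values are assumptions for a small lab router.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Per-destination-host half-open TCP limit. Once a single host has more
! than 50 half-open sessions, new connections to it are blocked for 1 minute.
ip inspect tcp max-incomplete host 50 block-time 1
!
! Shorter timers than the 30 s synwait / 3600 s idle shown in
! 'show ip inspect config' above.
ip inspect tcp synwait-time 15
ip inspect tcp idle-time 1800
!
! Same inspection rule as in the post.
ip inspect name INSPECT tcp router-traffic
ip inspect name INSPECT icmp router-traffic
ip inspect name INSPECT ftp
!
! Same inbound ACL, with the final deny logged so inbound attempts that
! did not match a dynamic entry show up in syslog.
ip access-list extended INBOUND
 permit ospf any any
 permit tcp any any eq bgp
 deny   ip any any log
!
interface Serial1/1
 ip access-group INBOUND in
 ip inspect INSPECT out
```

After applying this, `show ip inspect config` should report the thresholds instead of unlimited, and `show ip inspect sessions` should still show the same three sessions as below once the telnets are repeated.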

Verification

Telnet from R6 (10.0.0.6, behind R4) and from R4 itself to R5 at 150.1.5.5. Both should succeed even though INBOUND denies everything except OSPF and BGP: the outbound inspection on Serial1/1 adds a temporary dynamic entry in front of INBOUND for the return traffic of each inspected session. The session from R4 itself is only tracked because the tcp entry carries router-traffic; without that keyword the reply packets to R4's own telnet would be dropped by the deny at the end of INBOUND. The R4-initiated BGP session to R5 (port 179) shows up in the session table for the same reason; the static permit for BGP in INBOUND is only needed when R5 is the side opening the session towards R4.

R4#sh ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name INSPECT
    tcp alert is on audit-trail is off timeout 3600
 inspection of router local traffic is enabled
    icmp alert is on audit-trail is off timeout 10
 inspection of router local traffic is enabled

R4#sh access-list INBOUND
Extended IP access list INBOUND
    40 permit ospf any any (143 matches)
    60 deny ip any any (126 matches)  

R4#sh ip inspect sessions
Established Sessions
 Session 64BEE6B4 (155.1.45.4:24211)=>(150.1.5.5:23) tcp SIS_OPEN
 Session 64BEE434 (10.0.0.6:39785)=>(150.1.5.5:23) tcp SIS_OPEN
 Session 64BEE934 (150.1.4.4:15035)=>(150.1.5.5:179) tcp SIS_OPEN

Doc CD Navigation

  • Cisco IOS Security Configuration Guide, Release 12.4
  • Traffic Filtering, Firewalls, and Virus Detection
  • Context-Based Access Control
  • Configuring Context-based Access Control
  • CBAC Configuration Examples
  • Ethernet Interface Configuration Example
