CBAC – Make the Cisco router stateful

CBAC (Context-Based Access Control) is a simple way to turn a Cisco router from a plain stateless packet filter into a stateful firewall with protocol inspection.

The following example explains how to configure CBAC to allow return traffic back in when an inside web client makes an HTTP request to an external web server.


First I have my inside ACL, specifying what outbound traffic to allow (HTTP and DNS).

ip access-list extended acl_inside_in
permit tcp any any eq www
permit udp any any eq domain
deny ip any any log ACL_INSIDE_IN_DENYING

Then an ACL on the outside interface, defining what inbound traffic to allow. Note that HTTP is not permitted here at all…

ip access-list extended acl_outside_in
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any traceroute
permit icmp any any time-exceeded
deny ip any any log ACL_OUTSIDE_IN_DENYING

This is the heart of the CBAC config. If I want to inspect multiple protocols, I just add more lines with the same inspect name…

ip inspect name INSP_OUTBOUND http alert on audit-trail on

So, this is my outside interface, fronting the internet. I have my inspect rule applied here in the outbound direction. This confused me a bit at first, but you can think of it as the interface where the exceptions for return traffic get created: CBAC watches the outbound sessions leaving this interface and dynamically opens holes in the inbound ACL (acl_outside_in) for their return traffic.

interface FastEthernet0
description Outside
ip address
ip access-group acl_outside_in in
ip inspect INSP_OUTBOUND out
duplex auto
speed auto

This is my inside interface:

interface FastEthernet1
description Inside
ip address
ip access-group acl_inside_in in
duplex auto
speed auto

And this is what gets logged (because of “alert on audit-trail on”):

Jan 18 20:14:07.910: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator ( -- responder (
Jan 18 20:14:24.423: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator ( sent 224 bytes -- responder ( sent 283 bytes
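As an added example (not part of the original post), here is a small Python parser that correlates the SESS_AUDIT_TRAIL_START and SESS_AUDIT_TRAIL messages above into per-session records with byte counts and duration, and reports sessions that started but never stopped. The sample lines are constructed in the same format as the post's output, with RFC 5737 documentation addresses filled in since the post's own addresses are blank.

```python
import re
from datetime import datetime

# Constructed sample lines in the page's audit-trail format (addresses are documentation IPs).
SAMPLE_LOG = """\
Jan 18 20:14:07.910: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (192.0.2.10:51234) -- responder (198.51.100.20:80)
Jan 18 20:14:09.001: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (192.0.2.11:40001) -- responder (198.51.100.21:80)
Jan 18 20:14:24.423: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (192.0.2.10:51234) sent 224 bytes -- responder (198.51.100.20:80) sent 283 bytes
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+)"
START_RE = re.compile(
    TS + r": %FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\S+) session: "
    r"initiator \((?P<init>[^)]+)\) -- responder \((?P<resp>[^)]+)\)$"
)
STOP_RE = re.compile(
    TS + r": %FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\S+) session: "
    r"initiator \((?P<init>[^)]+)\) sent (?P<ibytes>\d+) bytes "
    r"-- responder \((?P<resp>[^)]+)\) sent (?P<rbytes>\d+) bytes$"
)

def _parse_ts(ts: str) -> datetime:
    # IOS timestamps carry no year; only the difference between two stamps is used here.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")

def correlate_sessions(log_text: str) -> dict:
    """Pair each Stop message with its Start message by (protocol, initiator, responder)."""
    open_sessions = {}   # (proto, initiator, responder) -> start time
    completed = []
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if m:
            open_sessions[(m["proto"], m["init"], m["resp"])] = _parse_ts(m["ts"])
            continue
        m = STOP_RE.match(line)
        if m:
            started = open_sessions.pop((m["proto"], m["init"], m["resp"]), None)
            stopped = _parse_ts(m["ts"])
            completed.append({
                "proto": m["proto"], "initiator": m["init"], "responder": m["resp"],
                "initiator_bytes": int(m["ibytes"]), "responder_bytes": int(m["rbytes"]),
                # None when the Start message was not seen (e.g. log rolled over)
                "duration_s": (stopped - started).total_seconds() if started else None,
            })
    # Sessions still open at the end of the log are worth a second look (long-lived flows).
    return {"completed": completed, "still_open": sorted(open_sessions)}
```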

Posted in Cisco Security
