CBAC (Context-Based Access Control) is a simple way to turn a Cisco router from a plain stateless packet filter into a stateful firewall with protocol inspection.
The following example shows how to configure CBAC so that return traffic is allowed back in when an inside web client connects over HTTP to an external web server.
First I have my inside ACL, specifying which outbound traffic to allow (HTTP and DNS):
ip access-list extended acl_inside_in
permit tcp any any eq www
permit udp any any eq domain
deny ip any any log ACL_INSIDE_IN_DENYING
Then an ACL on the outside interface defining the inbound traffic. Note that no HTTP is permitted here at all:
ip access-list extended acl_outside_in
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any traceroute
permit icmp any any time-exceeded
deny ip any any log ACL_OUTSIDE_IN_DENYING
This is the heart of the CBAC config. If I want to inspect multiple protocols, I just add more lines with the same inspect name:
ip inspect name INSP_OUTBOUND http alert on audit-trail on
This is my outside interface, facing the internet.
The inspect rule is applied here in the outbound direction. This confused me at first, but you can think of it as the place where the exceptions are created that let return traffic back in:
ip address 10.0.11.2 255.255.255.0
ip access-group acl_outside_in in
ip inspect INSP_OUTBOUND out
And this is my inside interface:
ip address 10.0.12.1 255.255.255.0
ip access-group acl_inside_in in
And this is what gets logged (because of “alert on audit-trail on”):
Jan 18 20:14:07.910: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (10.0.20.100:2350) -- responder (192.168.1.50:80)
Jan 18 20:14:24.423: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (10.0.20.100:2350) sent 224 bytes -- responder (192.168.1.50:80) sent 283 bytes
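To make the session-table behaviour concrete, here is an added Python model (not IOS code and not from the original post) of the two ACLs and the single inspect line above. The HTTP endpoints are taken from the log lines; the DNS server address and the inbound handling are constructed assumptions that only show why a non-inspected protocol's replies get dropped.

```python
from collections import namedtuple

# proto is "tcp", "udp" or "icmp"; ports are 0 for icmp
Packet = namedtuple("Packet", "proto src sport dst dport")

# "ip inspect name INSP_OUTBOUND http" inspects only HTTP; DNS is not inspected.
INSPECTED = {("tcp", 80)}

def acl_inside_in(p):
    """permit tcp any any eq www / permit udp any any eq domain / deny ip any any."""
    return (p.proto == "tcp" and p.dport == 80) or (p.proto == "udp" and p.dport == 53)

def acl_outside_in(p):
    """Only ICMP replies are permitted (simplified here); every TCP/UDP packet is denied."""
    return p.proto == "icmp"

class CbacRouter:
    def __init__(self):
        self.sessions = set()  # 5-tuples opened by inspection of outbound traffic

    def outbound(self, p):
        """Inside -> outside: acl_inside_in decides; 'ip inspect INSP_OUTBOUND out'
        then records the session so its replies can come back."""
        if not acl_inside_in(p):
            return False
        if (p.proto, p.dport) in INSPECTED:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p):
        """Outside -> inside: return traffic of a recorded session bypasses
        acl_outside_in; anything else must pass that ACL on its own."""
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return reverse in self.sessions or acl_outside_in(p)

def demo():
    r = CbacRouter()
    # Endpoints taken from the audit-trail log lines; the DNS server address is constructed.
    http_req = Packet("tcp", "10.0.20.100", 2350, "192.168.1.50", 80)
    http_rep = Packet("tcp", "192.168.1.50", 80, "10.0.20.100", 2350)
    dns_q = Packet("udp", "10.0.20.100", 40000, "192.168.1.53", 53)
    dns_rep = Packet("udp", "192.168.1.53", 53, "10.0.20.100", 40000)
    return {
        "http_request_out": r.outbound(http_req),
        "http_reply_in": r.inbound(http_rep),                   # allowed via session table
        "unsolicited_http_in": CbacRouter().inbound(http_rep),  # no session: denied
        "dns_query_out": r.outbound(dns_q),
        "dns_reply_in": r.inbound(dns_rep),                     # denied: dns not inspected
    }
```

The dropped DNS reply is the reason the inspect list above needs a second line (for example for udp or dns) before the permitted outbound DNS query is actually useful.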