Cisco CBAC Configuration Example

CBAC (Context-Based Access Control) is a firewall for Cisco IOS routers that offers some more features than a simple access-list. CBAC is able to inspect up to layer 7 of the OSI model and can dynamically create rules to allow return traffic. It is similar to the reflexive access-list, but one of the key differences is that the reflexive ACL only inspects up to layer 4.

In this lesson, I’ll give you an example of CBAC, and you’ll see why this firewall feature is very useful. I’ll be using three routers for this:

Cisco CBAC Internet LAN

In the example above, we have three routers. Imagine the router on the left side (R1) is some device on the internet while R3 is a host on our LAN. R2 will be the router that is protecting us from traffic on the Internet, this is where we configure CBAC. Let’s start with the basic configuration…setting up IP addresses and some static routes for connectivity:

R1(config)#interface fastethernet 0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R2(config)#interface fastethernet 0/0
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#interface fastethernet 0/1
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R3(config)#interface fastethernet 0/0
R3(config-if)#no shutdown
R3(config-if)#ip address 192.168.23.3 255.255.255.0

And two static routes so R1 and R3 can reach each other:

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2

Our idea is to protect our LAN from all the evil stuff on the Internet. In order to do so, we’ll create an access-list that drops everything from the Internet. The access-list looks like this:

R2(config)#ip access-list extended DENY_ALL_FROM_INTERNET
R2(config-ext-nacl)#deny ip any any log

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group DENY_ALL_FROM_INTERNET in

This access-list is very effective…it will drop everything from the Internet! I added the deny ip any any log so you can see dropped packets on the console. You don’t have to add it because everything is dropped by default, but it helps to show dropped packets. There’s one problem with this ACL; however, let’s see what happens when I send a ping from R3 to R1:

R3#ping 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

These pings are failing, and this is what you see on the console of R2:

R2#
%SEC-6-IPACCESSLOGDP: list DENY_ALL_FROM_INTERNET denied icmp 192.168.12.1 -> 192.168.23.3 (0/0), 1 packet

These packets are dropped by the inbound ACL on R2, as illustrated below:

ICMP Echo Request Reply Dropped

If we want to solve this problem, we would have to add a permit statement in the access-list so the ping makes it through. That’s not a scalable solution since we don’t know what kind of traffic we have on our LAN, and we don’t want a big access-list with hundreds of permit statements.

What we are going to do is configure CBAC so it will inspect the traffic and automatically allows the return traffic through. I’ll give you an example of how you can do this for HTTP traffic:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 806 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
380 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags:


Forum Replies

  1. Great post , very informative

  2. Great post RENE!! CBAC is kind of obsolte but it’s a key in order to understand zone-based FW or as I named It ZOMBIES FIREWAL, thanks for all your help!!

  3. Hi Rene,
    I tried simple ACL in packet tracer and I found at least one explicit ACE entry is needed in acces-list to make implicit " deny ip any any" effective, otherwise it allows all the traffic if
    it is an empty access-list.

    Thanks,
    Srini

  4. Hi Srini,

    That’s right, it’s strange that they programmed it like this but that’s the way it works :slight_smile:

    Rene

14 more replies! Ask a question or join the discussion by visiting our Community Forum