Cisco CBAC Configuration Example

CBAC (Context-Based Access Control) is the classic stateful firewall feature of Cisco IOS routers and offers more than a plain access-list can. CBAC inspects traffic up to layer 7 of the OSI model (it understands application protocols such as HTTP and FTP, not just port numbers) and dynamically creates temporary entries that allow the return traffic of sessions it has seen from the inside. In that sense it resembles the reflexive access-list, but one of the key differences is that the reflexive ACL only looks at layers 3 and 4 and keeps no application state. CBAC is also the basis of the later Zone-Based Firewall, so it is still worth understanding even though newer IOS deployments use ZBF instead.

In this lesson, I’ll give you an example of CBAC and you’ll see why this firewall feature is very useful. I’ll be using 3 routers for this:

Cisco CBAC Internet LAN

In the example above we have 3 routers. Imagine that the router on the left side (R1) is some device on the Internet while R3 is a host on our LAN. R2 is the router that protects us from traffic on the Internet, so this is where we configure CBAC. Let's start with the basic configuration: IP addresses and some static routes for connectivity.

R1(config)#interface fastethernet 0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R2(config)#interface fastethernet 0/0
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#interface fastethernet 0/1
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R3(config)#interface fastethernet 0/0
R3(config-if)#no shutdown
R3(config-if)#ip address 192.168.23.3 255.255.255.0

And two static routes so R1 and R3 can reach each other:

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2

The idea is to protect our LAN from all the evil stuff on the Internet. To do so, we first create an access-list that drops everything coming from the Internet. The access-list looks like this:

R2(config)#ip access-list extended DENY_ALL_FROM_INTERNET
R2(config-ext-nacl)#deny ip any any log

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group DENY_ALL_FROM_INTERNET in

This access-list is very effective: it drops everything from the Internet! I added the explicit "deny ip any any log" so you can see the dropped packets on the console. You don't strictly need it, because every extended ACL ends with an implicit deny that drops unmatched traffic anyway, but the explicit line with the log keyword shows you what is being dropped. (Logging every denied packet costs CPU on a busy Internet-facing interface, so on a production router you would rate-limit ACL logging or leave the keyword out.) There is one problem with this ACL, however. Let's see what happens when I send a ping from R3 to R1:

R3#ping 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

These pings are failing, and this is what you see on the console of R2:

R2#
%SEC-6-IPACCESSLOGDP: list DENY_ALL_FROM_INTERNET denied icmp 192.168.12.1 -> 192.168.23.3 (0/0), 1 packet

These packets are dropped by the inbound ACL on R2 as illustrated below:

ICMP Echo Request Reply Dropped

The echo request from R3 leaves R2 without any problem, but the echo reply from R1 arrives inbound on FastEthernet 0/0, where the access-list drops it. We could solve this by adding a permit statement for ICMP echo-replies to the access-list so the ping makes it through. That is not a scalable solution: we don't know what kind of traffic our LAN will generate, we don't want a huge access-list with hundreds of permit statements, and every static permit for "return" traffic is an opening that anyone on the Internet can use without a session ever having been started from the inside.

Instead, we configure CBAC so that it inspects the traffic leaving our LAN and automatically allows the matching return traffic back in. I'll give you an example of how you can do this for HTTP traffic:

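The rest of the original lesson is not reproduced here. What follows is an added example, not the original author's configuration, of how CBAC is typically configured on R2 for the topology above. The inspection rule name FIREWALL is an assumption; the interface names, the ACL name and the addresses are the ones from the lab.

```cisco
! --- Added example, not the original lesson's configuration. ---
! Topology from the lab: R1 (192.168.12.1) plays "the Internet", R3 (192.168.23.3)
! is the LAN host, R2 sits in between with fa0/0 facing the Internet and fa0/1
! facing the LAN. The inspection rule name FIREWALL is an assumption.

! 1. Define an inspection rule. Each line adds a protocol that CBAC should track.
!    "http" is inspected at layer 7; "tcp" and "udp" are generic layer-4 session
!    tracking so other client traffic from the LAN also gets its replies back.
R2(config)#ip inspect name FIREWALL http
R2(config)#ip inspect name FIREWALL icmp
R2(config)#ip inspect name FIREWALL tcp
R2(config)#ip inspect name FIREWALL udp
! Log session creation and teardown so there is an audit trail of what was opened.
R2(config)#ip inspect audit-trail

! 2. Keep the deny-all ACL inbound on the Internet-facing interface and apply the
!    inspection rule OUTBOUND on that same interface. Sessions from the LAN towards
!    the Internet are inspected as they leave fa0/0; CBAC then creates temporary
!    entries, evaluated before DENY_ALL_FROM_INTERNET, that permit only the return
!    traffic of those sessions until they close or time out.
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group DENY_ALL_FROM_INTERNET in
R2(config-if)#ip inspect FIREWALL out

! 3. Verify: start a session from the LAN, then look at the state table on R2.
R3#ping 192.168.12.1
R2#show ip inspect sessions
R2#show ip inspect all
```

The pairing between the ACL and the inspection rule is positional: CBAC inserts its dynamic entries into the ACL that filters traffic in the opposite direction on the interface where the session is inspected (here the inbound ACL on fa0/0). Applying the rule with "ip inspect FIREWALL in" on fa0/1 instead would give the same result for this topology. Note that traffic originated by R2 itself is not inspected unless the protocol line carries the "router-traffic" keyword, so a ping sourced from R2 towards R1 would still have its replies dropped by the ACL.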
Full content access is for members only.

Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Great post, very informative

  2. Great post Rene!! CBAC is kind of obsolete but it's key in order to understand the zone-based FW, or as I named it, ZOMBIES FIREWALL. Thanks for all your help!!

  3. I'm still a bit confused about how the ACL taking care of traffic from the outside (the DENY_ALL_INTERNET) refers back to the inspect function. Is it just because we have inspect out and access-group in on the same interface that both will be associated?
    If that's not clear, I'm referring to the output of "show ip inspect all": how does the inspect function know which ACL the inspect results will be applied to? Cheers!

  4. Hi Rene and staff,

    Just for fun I did this lab using a "realistic" client, a "realistic" server and IOSv for the router:

    https://cdn-forum.networklessons.com/uploads/default/original/2X/7/7d94b80549a15266b1b57e55014cd869f39f8d97.png

    I also do NAT to be realistic:

    IOSv(config)#ip nat inside source static 192.168.0.1 80.0.0.1

    All works fine, except when the router initiates the ping.
    When I set

    IOSv(config)#ip inspect name TEST icmp router-traffic

    (in my lab, I use TEST instead of FIREWALL)
    and to be specific, IOSv does not add a rule in the running config, but IOSv replaces the rul

    ... Continue reading in our forum
