<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic CBAC: creating temporary entries in another interface? in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877056#M460106</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Inside-----ROUTER------Outside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So let's say you have an ACL on the outside interface denying all the inbound traffic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So if you add a CBAC inspection policy on the inside interface to inspect some traffic, that particular traffic being inspected will override the ACL (that is why Cisco said it will create temporary entries on the inbound ACL on the outside interface: because even though you are denying all the traffic, that traffic will be accepted because of the IP inspect).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope I could help,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Julio&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,!!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 06 Feb 2012 06:28:23 GMT</pubDate>
    <dc:creator>Julio Carvajal</dc:creator>
    <dc:date>2012-02-06T06:28:23Z</dc:date>
    <item>
      <title>CBAC: creating temporary entries in another interface?</title>
      <link>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877055#M460105</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am trying to understand the example at &lt;A href="http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac.html#wp1002224" target="_blank"&gt;http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac.html#wp1002224&lt;/A&gt; in which the "ip inspect" command is applied to Ethernet 1/0, but the document says that the dynamic temporary entries will be created in ACL 100, which is applied to another interface (Ethernet 1/1). Is this true? I am under the impression that "ip inspect ... in" will add entries to the outbound ACL for the same interface, while "ip inspect ... out" will add entries to the inbound ACL for the same interface.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks in advance!&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 22:24:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877055#M460105</guid>
      <dc:creator>freemant2000</dc:creator>
      <dc:date>2019-03-11T22:24:04Z</dc:date>
    </item>
    <item>
      <title>CBAC: creating temporary entries in another interface?</title>
      <link>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877056#M460106</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Inside-----ROUTER------Outside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So let's say you have an ACL on the outside interface denying all the inbound traffic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So if you add a CBAC inspection policy on the inside interface to inspect some traffic, that particular traffic being inspected will override the ACL (that is why Cisco said it will create temporary entries on the inbound ACL on the outside interface: because even though you are denying all the traffic, that traffic will be accepted because of the IP inspect).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope I could help,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Julio&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,!!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 06 Feb 2012 06:28:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877056#M460106</guid>
      <dc:creator>Julio Carvajal</dc:creator>
      <dc:date>2012-02-06T06:28:23Z</dc:date>
    </item>
    <item>
      <title>CBAC: creating temporary entries in another interface?</title>
      <link>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877057#M460107</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the reply! If the router has multiple interfaces, how can it determine which is the outside interface to add the temporary entries to?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 06 Feb 2012 06:35:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877057#M460107</guid>
      <dc:creator>freemant2000</dc:creator>
      <dc:date>2012-02-06T06:35:47Z</dc:date>
    </item>
    <item>
      <title>CBAC: creating temporary entries in another interface?</title>
      <link>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877058#M460108</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Ka,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It really depends on where you actually applied the inspection. Let's assume you have 3 interfaces, and you put the ip inspect in on the "inside interface": CBAC will assume that all of the others are outside, and if they all have ACLs applied inbound, no matter if there is a deny ip any any on all of them, the traffic will be allowed to come in. But if the ip inspect is applied outbound on one interface, the traffic coming in is only going to be allowed on that specific interface, from wherever the traffic started from.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope this makes sense.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 06 Feb 2012 16:26:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877058#M460108</guid>
      <dc:creator>Maykol Rojas</dc:creator>
      <dc:date>2012-02-06T16:26:26Z</dc:date>
    </item>
    <item>
      <title>CBAC: creating temporary entries in another interface?</title>
      <link>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877059#M460109</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I see. Thanks! Is there any documentation on this behavior? For the case where inspection is applied to an inside interface, the doc seems to say that we can have either an outbound ACL on that inside interface or an inbound ACL on the outside interface(s) for CBAC to add the temporary entries to. If both are present, I guess both will be added to?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 07 Feb 2012 04:17:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877059#M460109</guid>
      <dc:creator>freemant2000</dc:creator>
      <dc:date>2012-02-07T04:17:04Z</dc:date>
    </item>
    <item>
      <title>CBAC: creating temporary entries in another interface?</title>
      <link>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877060#M460112</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello Ka,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You do not need it; as soon as you have the inspection, the returning traffic that matches the connections being inspected by CBAC will be allowed and will overwrite any ACL denying that traffic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I think it's a way to see things, because as an example:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Inside------Router----Outside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Let's say you have an ACL denying all traffic on the outside interface in the inbound direction, with CBAC configured on the inside for outbound TCP connections. All the TCP traffic returning for a connection that matches the traffic being inspected will be allowed (so yes, a temporary entry will be added to the inbound ACL on the outside interface).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;That is the whole purpose of CBAC (a stateful firewall).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Julio&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 07 Feb 2012 05:30:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877060#M460112</guid>
      <dc:creator>Julio Carvajal</dc:creator>
      <dc:date>2012-02-07T05:30:05Z</dc:date>
    </item>
    <item>
      <title>CBAC: creating temporary entries in another interface?</title>
      <link>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877061#M460117</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Pretty much, yes. The only thing you need to make sure of is that there is an allow in order for the traffic to be inspected. The return traffic should not be blocked, as the session is already up.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Here is a good doc:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml"&gt;http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 07 Feb 2012 14:34:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cbac-creating-temporary-entries-in-another-interface/m-p/1877061#M460117</guid>
      <dc:creator>Maykol Rojas</dc:creator>
      <dc:date>2012-02-07T14:34:12Z</dc:date>
    </item>
  </channel>
</rss>