CBAC on Router

ksarin123_2
Level 1

I have a remote site router on which I will be running CBAC. This remote site is connected to HQ through MPLS. All IP outbound traffic from remote site should be permitted. Incoming traffic coming into the site from HQ will be firewalled.

The remote site subnet is 10.218.4.0/24.

Assuming E0 is the router interface facing the internal LAN on the remote site, I am planning to apply the following ACL on E0.

access-l 101 permit ip 10.218.4.0 0.0.0.255 any

Since everything is permitted out, I don't think I need to use "ip inspect command" on E0. Is this correct?

On S0 interface (WAN) of the router, another access list in the "inbound" direction will be applied. This access-l will look something like this.

access-l 102 permit udp host 172.16.10.5  10.218.4.0 0.0.0.255 eq snmp

access-l 102 permit tcp host 172.16.10.6  10.218.4.0 0.0.0.255 eq ssh

access-l 102 permit eigrp any any (since the remote router will be running EIGRP over a DMVPN tunnel).

Again, my understanding is that I don't have to do anything beyond applying the access-l on both the interfaces in order for CBAC to work.


Can anyone confirm this?


Thanks for your help.

Accepted Solution

Sorry I did not make myself clear.

I meant that there's no need for inspection for outbound traffic (inside-to-outside) if that traffic is permitted by the outside ACL.

What you said is correct.

If there's an ACL applied inbound to the outside interface, you require inspection in order for the replies to the outbound traffic to be permitted.

Without inspection you are required to permit the traffic explicitly in the ACL applied to the WAN.


Federico.

3 Replies

Hi,

If you want to allow outbound traffic, then as long as there is no ACL, or the traffic is permitted by the ACL, you don't need an inspection command.

The inspection is used to permit the replies from the outbound traffic (without being checked by the ACL applied to the WAN interface).

So, even if you have a deny any any ACL applied in the inbound direction on the WAN interface, the replies to the outbound traffic are going to be permitted by the inspection.

The inspection can be applied inbound on the LAN interface or outbound on the WAN interface.

The inspection causes the router to behave statefully, much like a PIX or ASA.

CBAC is now replaced by ZBF (Zone-Based Firewall), which allows greater control, if you're interested.

Hope it helps.


Federico.
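The two cases Federico describes, written out as an IOS configuration. This is an added example, not configuration from the thread; it assumes the original poster's topology (Ethernet0 toward 10.218.4.0/24, Serial0 toward HQ, management hosts 172.16.10.5 and 172.16.10.6), and the inspect rule name REMOTE_FW is made up.

```ios
! Constructed example, not from the thread. Assumes E0 = LAN (10.218.4.0/24),
! S0 = WAN toward HQ, HQ management hosts 172.16.10.5 and 172.16.10.6.

! --- Case 1: inbound ACL on the WAN, no inspection ---
! Only the flows listed here enter the site. Replies to sessions that the LAN
! opened toward HQ hit the implicit deny at the end and are dropped.
access-list 102 permit udp host 172.16.10.5 10.218.4.0 0.0.0.255 eq snmp
access-list 102 permit tcp host 172.16.10.6 10.218.4.0 0.0.0.255 eq 22
! Native EIGRP on S0. Note: EIGRP carried inside a DMVPN tunnel arrives on S0
! encapsulated (GRE/ESP), so this line does not match the tunnelled packets.
access-list 102 permit eigrp any any
!
interface Serial0
 ip access-group 102 in

! --- Case 2: same ACL plus CBAC inspection ---
! The inspect rule is applied where LAN-originated traffic enters the router
! (inbound on E0). CBAC records each outbound session and opens a temporary
! entry ahead of ACL 102 for its return traffic only; unsolicited traffic
! from HQ is still limited to what ACL 102 permits.
ip inspect name REMOTE_FW tcp
ip inspect name REMOTE_FW udp
ip inspect name REMOTE_FW icmp
!
interface Ethernet0
 ip inspect REMOTE_FW in
! Equivalent placement: "ip inspect REMOTE_FW out" on Serial0 instead of E0.
! No ACL is needed on E0 when all outbound traffic is allowed.

! Verification (constructed; output will differ per device):
! show ip inspect sessions   - lists the sessions CBAC is currently tracking
! show ip access-lists 102   - hit counts on the static entries
```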

I did some more reading on CBAC. Contrary to what I mentioned in my original post, there is no need for an ACL on the inside interface if all the traffic is being permitted. However, we still DO NEED the inspect command, either on the inside interface or on the WAN interface of the router, because if that's missing, the return traffic to the inside will not be permitted by the ACL applied to the WAN interface.


So I am confused by your comment about not needing the inspect command for traffic going from inside to outside. How will the return traffic be allowed back without inspection? Can you explain?


Thanks!

