
IOS Firewall (CBAC) and ACLs

techanony
Level 1

Hi all,

I have several questions about how CBAC really works with ACLs. I would appreciate any input on this issue.

I know, in general, CBAC works by inspecting traffic and creating a temporary opening in the ACL(s) to allow valid return traffic to pass. But even for the simplest network with only two interfaces, there are 4 possible ACLs that could be in use.

For example, one IOS firewall with 2 interfaces, e0 connected to the internal network, and s0 connected to the external one.

1. If I apply CBAC on s0 by using "ip inspect myfirewall out", when CBAC creates temporary openings, will it do it on both the inbound ACL on s0 and the outbound ACL on e0? Or does it just do it on one of them, and which one?

2. The same question when applying CBAC on e0 by using “ip inspect myfirewall in”: which interface’s ACL will CBAC check and modify?

3. If there are any, what’s the subtle difference between the above 2 solutions? I believe they achieve the same thing.

To make things more complicated, what if there is one more external interface, s1?

a) If I use “ip inspect myfirewall in” on e0, will CBAC modify both s0’s and s1’s inbound ACLs to allow return traffic?

b) If I use “ip inspect myfirewall out” on s0, will CBAC modify the inbound ACL on s1 in case there exists asymmetric routing in the external network and the return traffic will go through s1?

I really want to know how CBAC works with ACLs in great detail. Thanks a lot in advance.

2 Replies

johansens
Level 4

Hi there,

I'll try to answer some of the questions at least.

1) Both ACLs will be opened by CBAC in your example (as long as they are extended ACLs). See the following link for more info:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html#wp1001336

2) The packet is sent all the way out to the exiting interface and 'checked out' of all ACLs on the way. When it is about to exit the router, CBAC will record the information in its state table and make the appropriate openings in the return-path ACLs:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html#wp1001336

3) I would guess the difference is in how your router is configured. If you have multiple inside interfaces, it's easier to do one config on the outside interface. And if you have multiple outgoing interfaces with few protected inside interfaces, it's easier and takes less CPU to have the inspection config on the inside.

a) Given the flow from my answer in 2), the answer is that it would only modify on the interface it really uses.

b) Same as a). You would have to set an "ip inspect myfirewall2 out" on s1. I would think you'll need a separate inspect rule set (but with the same content as the other one).

On the answer in a) I am not 100% sure when it comes to equal-cost paths and load-balancing, but I would guess it's true as I answered.

Thanks!
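To make the two placements discussed in this thread concrete, here is an added example configuration for the topology in the question (e0 inside, s0 and s1 outside). It is not from the original post or from Cisco documentation; the interface names, addresses, ACL names and the inspect rule name "myfirewall" are assumptions chosen for illustration. Inspection is applied outbound on each outside interface (the option from question 1 and answer b), with the inbound option from question 2 shown commented out. The same inspect rule name is reused on both outside interfaces here; a named inspect rule can be applied to more than one interface, so a second rule set with identical content is a matter of preference. The "deny ip any any log" at the end of each ACL is what lets you see, in the log, any return traffic that CBAC did not open a hole for, which is how you would notice asymmetric routing through s1 if inspection were only applied on s0.

```cisco
! Added example, not from the original post. Names and addresses are assumed.
!
! Inspection rule: the protocols CBAC tracks in its state table.
ip inspect name myfirewall tcp
ip inspect name myfirewall udp
ip inspect name myfirewall icmp
ip inspect audit-trail
!
! Extended ACL applied inbound on the outside interfaces. It blocks
! everything except a few ICMP error types; CBAC inserts temporary
! entries ahead of these lines for the return traffic of recorded sessions.
ip access-list extended OUTSIDE-IN
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Extended ACL applied inbound on the inside interface: what the LAN may start.
ip access-list extended INSIDE-IN
 permit tcp 192.168.1.0 0.0.0.255 any
 permit udp 192.168.1.0 0.0.0.255 any
 permit icmp 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
interface Ethernet0
 description inside (e0)
 ip address 192.168.1.1 255.255.255.0
 ip access-group INSIDE-IN in
! Alternative placement (question 2): inspect here instead of on s0/s1.
! ip inspect myfirewall in
!
interface Serial0
 description outside (s0)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect myfirewall out
!
! Second outside interface (question b): with inspection applied outbound,
! s1 needs its own "ip inspect" line or return traffic via s1 is only
! judged by the static OUTSIDE-IN entries and is logged and dropped.
interface Serial1
 description outside #2 (s1)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect myfirewall out
```

To verify what CBAC is doing, "show ip inspect sessions" lists the sessions in the state table, and "show ip access-lists OUTSIDE-IN" shows the dynamic entries CBAC has added in front of the configured lines, so you can confirm on which interface's ACL the openings actually appear.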