06-17-2005 10:57 AM - edited 03-09-2019 11:36 AM
Hi all,
I have several questions about how CBAC really works with ACLs; I would appreciate any input on this issue.
I know, in general, CBAC works by inspecting traffic and creating a temporary opening in the ACL(s) to allow valid return traffic to pass. But even for the simplest network with only two interfaces, there are 4 possible ACLs that could be in use.
For example, one IOS firewall with 2 interfaces, e0 connected to the internal network, and s0 connected to the external one.
1. If I apply CBAC on s0 by using "ip inspect myfirewall out", when CBAC creates temporary openings, will it do so in both the inbound ACL on s0 and the outbound ACL on e0? Or does it only do it in one of them, and which one?
2. The same question for applying CBAC on e0 by using "ip inspect myfirewall in": which interface's ACLs will CBAC check and modify?
3. If there is any, what is the subtle difference between the above two solutions? I believe they achieve the same thing.
To make things more complicated, what if there is one more external interface s1.
a) If I use "ip inspect myfirewall in" on e0, will CBAC modify both s0's and s1's inbound ACLs to allow return traffic?
b) If I use "ip inspect myfirewall out" on s0, will CBAC modify the inbound ACL on s1 in case there is asymmetric routing in the external network and the return traffic comes back through s1?
I really want to know how CBAC works with ACLs in great detail. Thanks a lot in advance.
06-20-2005 05:15 PM
Hi there,
I'll try to answer some of the questions at least..
1) Both ACLs will be opened by CBAC in your example (as long as they are extended ACLs). See the following link for more info:
2) The packet is sent all the way out to the exiting interface and "checked out" of all ACLs on the way. When it is about to exit the router, CBAC records the information in its state table and makes the appropriate openings in the return-path ACLs.
3) I would guess the difference is in how your router is configured. If you have multiple inside interfaces, it's easier to do one config on the outside interface. And if you have multiple outgoing interfaces with few protected inside interfaces, it's easier and takes less CPU to have the inspection config on the inside.
a) Given the flow from my answer in 2), the answer is that it would only modify on the interface it really uses.
b) Same as a). You would have to set "ip inspect myfirewall2 out" on s1. I would think you'll need a separate inspect rule set (but with the same content as the other one).
On the answer in a) I am not 100% sure when it comes to equal-cost paths and load balancing, but I would guess it's true as I answered.
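Editor's note: the following IOS configuration is an added example and is not from either post in this thread. It shows the two-interface topology described in the question (e0 inside, s0 outside) with the inspection applied outbound on s0 as in question 1, the alternative placement on e0 as in question 2, and a second outside interface s1 as in questions a/b. The addresses, interface numbers, ACL numbers and the permitted SMTP host are assumptions made for illustration. It reuses the one named rule set "myfirewall" on both outside interfaces; IOS accepts the same named rule set on more than one interface, and a second identically configured rule set, as the reply suggests, behaves the same way.

```cisco
! Added example, not the original poster's or the replier's configuration.
! Topology and addresses are assumed: e0 = inside 192.168.1.0/24,
! s0 = outside 203.0.113.0/30, s1 = second outside 198.51.100.0/30.
!
! Inspection rule set: which protocols CBAC tracks statefully. Only traffic
! that matches one of these lines gets a state entry and a return opening.
ip inspect name myfirewall tcp
ip inspect name myfirewall udp
ip inspect name myfirewall icmp
!
! Inbound ACL on the outside interface. It MUST be an extended ACL:
! CBAC can only create its temporary openings in extended ACLs.
! Everything not permitted here is dropped unless CBAC already holds a
! matching session entry for the returning packet.
access-list 101 permit tcp any host 203.0.113.2 eq 25
access-list 101 deny ip any any log
!
! Inbound ACL on the second outside interface (question b). Openings are
! created per interface, so s1 needs its own extended ACL as well.
access-list 103 deny ip any any log
!
! Optional outbound ACL on the inside interface. Return traffic that CBAC
! admitted on s0 is checked here too on its way to the LAN; because this is
! an extended ACL, CBAC opens it as well (the "both ACLs" case in answer 1).
access-list 102 deny ip any any log
!
interface Ethernet0
 description inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 out
!
interface Serial0
 description outside, primary link
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
 ! Question 1: inspect on the outside interface, outbound direction.
 ip inspect myfirewall out
!
interface Serial1
 description outside, second link (questions a/b)
 ip address 198.51.100.1 255.255.255.252
 ip access-group 103 in
 ! Per answer b: each outside interface needs its own inspect statement;
 ! a session learned on s0 does not open the ACL on s1 by itself.
 ip inspect myfirewall out
!
! Alternative placement (question 2): inspect once on the inside interface,
! inbound direction, instead of on every outside interface. Remove the
! "ip inspect myfirewall out" lines above and configure:
!
! interface Ethernet0
!  ip inspect myfirewall in
!
! Checks after applying either variant:
!   show ip inspect config      - rule set and the interfaces it is bound to
!   show ip inspect sessions    - live state entries (one per inspected flow)
!   show access-lists           - the static ACLs; denied returns show log hits
```

With the outbound placement, a session initiated from 192.168.1.10 to a web server reached via s0 appears in "show ip inspect sessions" and its reply is admitted through ACL 101 and ACL 102 without any permit line for it. If the external routing sends the reply back through s1 instead, it hits ACL 103, where the "deny ip any any log" line makes the asymmetric path visible in the log rather than silently dropping it.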
06-21-2005 12:48 PM
Thanks!