Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
3676
Views
5
Helpful
2
Comments

CBAC: Context Based Access Control Configuration Example

Anim Saxena
Level 1
Level 1

‎07-06-2014 09:32 AM - edited ‎03-08-2019 06:55 PM

 

Introduction

This document describes a Configuration Example of CBAC.

Topology

Prerequisites

  • IOS based Router
  • IOS V 12.4

Configuration Example 

What is CBAC?

This feature can be defined as user is empowered with the power of active inspection which will be carried out by IOS based Firewall. 
 
CBAC access lists consists of:
  • ip inspect statements which allow inspection of protocol 
  • In turn inspection ensures that  integrity of the packet is maintained before entring the firewall.
Let's assume we have 3 routers named R1,R2,R3
User from R1 wants to telnet R3. Tradionally as in the absence of reverse route, the reply traffic hits the ACL "Deny IP Any Any". Traffic gets droped

To enable the traffic flow between R1 and R3, we need to configure CBAC on R2. After enabling CBAC:
A state table is generated inturn which genrates a dynamic ACL placed over "Deny ip any any"
 

IP range:
192.168.0.0/24 (Between R1 and R2)
172.16.1.0/24    (Between R2 & R3) 

 

 

 

 

Static Route between R1 and R3:

Our idea is to protect LAN from the iligimitate crackers present in the Internet.
 
 

This access-list applied will drop everything coming from the Internet. By adding the “deny ip any any log” we can see dropped packets on the console. The problem with this ACL is that when user tries to ping R1 from R3 there is no reachability.

To irradicate the above mentioned issue we will use CBAC. As it will inspect the traffic and automatically allows the return traffic through. 

Example for HTTP traffic:

Enable HTTP server on R1

 

Verification

User is able to telnet R1 on port number 80.
Labels:
Comments
upendra.cisco
Level 1
Level 1
‎07-06-2014 08:09 PM

your intention was good to post this doc for all the candidates here, but be careful as you wrote the problem with telnet and lastly you solve the problem with http.

 

"

Let's assume we have 3 routers named R1,R2,R3

User from R1 wants to telnet R3. Tradionally as in the absence of reverse route, the reply traffic hits the ACL "Deny IP Any Any". Traffic gets droped"

 
telnet is a one way communication problem. please correct above mentioned statements so users wont get confused.
 
 
Anim Saxena
Level 1
Level 1
‎07-06-2014 10:44 PM

Hi Upendra,

HTTP and Telnet are 2 scenarios where TCP works. That's why i used HTTP as example. If we dont have reverse route whatever it may be Telnet or HTTP. User at R1 will never receive reply from R3.

 

That's why we implement CBAC as it creates a state table at R2 inturn creating dynamic ACL placed over "Deny IP any any"

 

Regards,

Anim Saxena

Technical Community Manager (Security)

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents