This document describes a Configuration Example of CBAC.
IOS based Router
IOS V 12.4
What is CBAC?
This feature can be defined as user is empowered with the power of active inspection which will be carried out by IOS based Firewall.
CBAC access lists consists of:
ip inspect statements which allow inspection of protocol
In turn inspection ensures that integrity of the packet is maintained before entring the firewall.
Let's assume we have 3 routers named R1,R2,R3
User from R1 wants to telnet R3. Tradionally as in the absence of reverse route, the reply traffic hits the ACL "Deny IP Any Any". Traffic gets droped
To enable the traffic flow between R1 and R3, we need to configure CBAC on R2. After enabling CBAC: A state table is generated inturn which genrates a dynamic ACL placed over "Deny ip any any"
IP range: 192.168.0.0/24 (Between R1 and R2) 172.16.1.0/24 (Between R2 & R3)
Static Route between R1 and R3:
Our idea is to protect LAN from the iligimitate crackers present in the Internet.
This access-list applied will drop everything coming from the Internet. By adding the “deny ip any any log” we can see dropped packets on the console. The problem with this ACL is that when user tries to ping R1 from R3 there is no reachability.
To irradicate the above mentioned issue we will use CBAC. As it will inspect the traffic and automatically allows the return traffic through.