TCC_2

Core Issue

Context-based Access Control (CBAC) is a Cisco IOS Firewall feature that works together with Access Control Lists (ACLs): it inspects TCP and UDP sessions and selected application-layer protocols, and dynamically opens temporary ACL entries for the return traffic of sessions initiated from the trusted side. Because CBAC tracks session state and inspects the protocol before permitting traffic through, it provides stronger perimeter security than static Cisco IOS ACLs alone. Configuring Network Address Translation (NAT) on routers configured for CBAC is desirable for these reasons:

  • To hide the actual addresses of the inside hosts.
  • To strictly control access to the outside world.
  • To strictly control access to inside hosts from the outside world.

Resolution

When CBAC and NAT are configured on the same router, the NAT order of operations determines which address (the real address or the translated one) an ACL sees, so it decides how each ACL must be written.

For inside-to-outside traffic, the router processes a packet in this order:

  1. Check the input ACL (the packet still carries the inside local source address).
  2. Perform NAT inside to outside (the source is translated from inside local to inside global).
  3. Check the output ACL (the packet now carries the inside global source address).

For outside-to-inside traffic, the router processes a packet in this order:

  1. Check the input ACL (the packet still carries the inside global destination address).
  2. Perform NAT outside to inside (the destination is translated from inside global to inside local).
  3. Check the output ACL (the packet now carries the inside local destination address).

Therefore, when filtering inside-to-outside traffic with an inbound ACL on the inside interface, specify the inside hosts by their actual IP addresses (inside local), because that ACL is evaluated before the translation takes place.

Similarly, when filtering outside-to-inside traffic with an inbound ACL on the outside interface, specify the inside hosts by their translated addresses (inside global). An entry in that ACL that names an inside host by its private (inside local) address never matches, because the destination has not yet been translated when the ACL is checked; the result is traffic that is silently dropped or, worse, a permit that was meant to be restrictive and does nothing.
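The following configuration is an added example illustrating the two rules above; it is not taken from the original article or from the Cisco documents it references. Interface names, the inspection rule name FW, the ACL names and all addresses are assumptions chosen for illustration: 10.1.1.0/24 is the inside network (inside local), 192.0.2.0/29 is the outside network (inside global, from the RFC 5737 documentation range), and the web server 10.1.1.10 is statically translated to 192.0.2.10.

```cisco
! Added example (not from the original article): two-interface IOS router
! running CBAC and NAT. Addresses and names are constructed for illustration.
!   inside network  10.1.1.0/24  (inside local)
!   outside network 192.0.2.0/29 (inside global)
!   web server      10.1.1.10 statically mapped to 192.0.2.10
!
! --- NAT ---
ip nat inside source list NAT_INSIDE interface FastEthernet0/1 overload
ip nat inside source static 10.1.1.10 192.0.2.10
!
ip access-list standard NAT_INSIDE
 permit 10.1.1.0 0.0.0.255
!
! --- CBAC inspection rule ---
! Applied inbound on the inside interface: sessions initiated from the inside
! are inspected, and temporary entries for their return traffic are opened in
! the inbound ACL of the outside interface (OUTSIDE_IN) only while the
! session lasts.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
!
! --- Inside interface ---
! The inbound ACL is checked BEFORE inside-to-outside NAT, so it must use the
! actual (inside local) addresses of the inside hosts.
ip access-list extended INSIDE_IN
 permit tcp 10.1.1.0 0.0.0.255 any eq 80
 permit tcp 10.1.1.0 0.0.0.255 any eq 443
 permit tcp 10.1.1.0 0.0.0.255 any eq 21
 permit udp 10.1.1.0 0.0.0.255 any eq 53
 deny   ip any any log
!
interface FastEthernet0/0
 description INSIDE
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE_IN in
 ip inspect FW in
!
! --- Outside interface ---
! The inbound ACL is also checked BEFORE outside-to-inside NAT, so it must
! use the translated (inside global) addresses. Only the static mapping for
! the web server is permitted; return traffic for inside-initiated sessions
! is admitted by the entries CBAC adds dynamically, everything else is denied.
ip access-list extended OUTSIDE_IN
 permit tcp any host 192.0.2.10 eq 80
 deny   ip any any log
!
! WRONG (never matches): when OUTSIDE_IN is evaluated the destination is
! still 192.0.2.10, so an entry written against the private address is dead.
!  permit tcp any host 10.1.1.10 eq 80
!
interface FastEthernet0/1
 description OUTSIDE
 ip address 192.0.2.1 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE_IN in
```

To verify the behaviour on a live router, open a connection from an inside host and compare `show ip nat translations` with `show ip inspect sessions`: the inspection session is recorded, and the temporary entry that CBAC creates for the return traffic can be seen with `show ip access-lists OUTSIDE_IN` while the session is active. A hit counter that never increments on a permit entry in OUTSIDE_IN is the usual symptom of an entry written against an inside local address.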

For additional information on configuring NAT and CBAC on a router, refer to Two-Interface Router with NAT CBAC Configuration.

For additional information on the order in which transactions are processed on a router configured for NAT, refer to NAT Order of Operation.

For information on configuring CBAC, refer to Context-Based Access Control: Introduction and Configuration.
