From: gladston@br.ibm.com
Date: Mon Aug 02 2004 - 07:03:57 GMT-3
CBAC
ethernet0 is the internal network
serial 0.1 is the external network
The goal is to protect against Java from specific sites. In this Cisco example, CBAC is applied inbound on the secure interface (ethernet0); it will create dynamic holes in the access-list applied inbound on the insecure interface (serial0)
int e0
interface Ethernet0
description ExampleCorp Ethernet chez user1
ip address 172.19.139.1 255.255.255.248
ip inspect myfw in
ip access-group 101 in
!
interface Serial0.1 point-to-point
ip unnumbered Ethernet0
ip access-group 111 in
!
access-list 101 permit tcp 172.19.139.0 0.0.0.7 any
access-list 101 permit udp 172.19.139.0 0.0.0.7 any
!
access-list 111 deny ip any any
!
access-list 51 deny 172.19.1.203
access-list 51 deny 172.19.2.147
Would it be the same if we made this modification to the way it is implemented?
int e0
interface Ethernet0
description ExampleCorp Ethernet chez user1
ip address 172.19.139.1 255.255.255.248
ip access-group 101 in
!
interface Serial0.1 point-to-point
ip unnumbered Ethernet0
ip inspect myfw in
ip access-group 111 in
!
access-list 101 permit tcp 172.19.139.0 0.0.0.7 any
access-list 101 permit udp 172.19.139.0 0.0.0.7 any
!
access-list 111 deny ip any any
!
access-list 51 deny 172.19.1.203
access-list 51 deny 172.19.2.147
Now the inspect is applied outbound on the insecure interface. CBAC will create dynamic holes in the access-list applied inbound on the insecure interface, as in the previous email.
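The following Python model is an added example, not part of the original email and not Cisco IOS code. It reduces CBAC to the single behaviour the thread is about: an inspect rule bound to one interface and one direction records a session when it sees the session-initiating packet, and that session entry lets the matching return traffic through an inbound ACL (here ACL 111) that would otherwise deny it. It runs the same client-to-web-server exchange through the three placements that appear on this page: inspect inbound on Ethernet0 (first configuration), inspect outbound on Serial0.1 (what the second description says), and inspect inbound on Serial0.1 (what the second configuration literally shows). The outside host 198.51.100.10, the inside client 172.19.139.2 and the port numbers are constructed sample values; the ACLs are taken from the page. Protocol state tracking, idle timeouts and the Java-blocking part of CBAC are not modelled.

```python
"""Simplified model of CBAC-style stateful inspection on a two-interface router.

Added example (not the original email's or Cisco IOS code). Only the
session/return-traffic behaviour discussed in the thread is modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        # The 5-tuple of the return half of this session.
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp" or "ip"
    src: object  # an ipaddress network


def acl_permits(acl, pkt) -> bool:
    """First-match evaluation with the implicit 'deny' IOS puts at the end."""
    for e in acl:
        if e.proto in ("ip", pkt.proto) and ip_address(pkt.src) in e.src:
            return e.action == "permit"
    return False


# ACLs from the page. ipaddress accepts the IOS wildcard (hostmask) form,
# so "172.19.139.0 0.0.0.7" becomes 172.19.139.0/29.
INSIDE = ip_network("172.19.139.0/0.0.0.7")
ANY = ip_network("0.0.0.0/0")
ACL_101 = [AclEntry("permit", "tcp", INSIDE), AclEntry("permit", "udp", INSIDE)]
ACL_111 = [AclEntry("deny", "ip", ANY)]


@dataclass
class Interface:
    name: str
    acl_in: object = None      # None means no ACL applied (permit everything)
    inspect_in: bool = False   # "ip inspect myfw in" on this interface
    inspect_out: bool = False  # "ip inspect myfw out" on this interface


class Router:
    def __init__(self, *ifaces):
        self.ifaces = {i.name: i for i in ifaces}
        self.sessions = set()  # return 5-tuples that inspection has opened

    def forward(self, pkt, in_if, out_if) -> bool:
        """True if the packet is forwarded from in_if to out_if."""
        rx, tx = self.ifaces[in_if], self.ifaces[out_if]
        # 1. Return traffic of an inspected session passes the static ACL.
        if pkt in self.sessions:
            return True
        # 2. Static inbound ACL on the receiving interface.
        if rx.acl_in is not None and not acl_permits(rx.acl_in, pkt):
            return False
        # 3. The inspect rule sees the packet only if bound inbound on the
        #    receiving interface or outbound on the sending interface.
        if rx.inspect_in or tx.inspect_out:
            self.sessions.add(pkt.reverse())
        return True


def run(placement) -> dict:
    """Build the page's router with the inspect rule bound to
    placement = (interface name, "in" | "out") and send three packets."""
    e0 = Interface("Ethernet0", acl_in=ACL_101)
    s0 = Interface("Serial0.1", acl_in=ACL_111)
    iface, direction = placement
    setattr({"Ethernet0": e0, "Serial0.1": s0}[iface], f"inspect_{direction}", True)
    r = Router(e0, s0)
    # Constructed sample session: inside client to an outside web server.
    client_to_web = Packet("172.19.139.2", 40000, "198.51.100.10", 80)
    return {
        "outbound": r.forward(client_to_web, "Ethernet0", "Serial0.1"),
        "return": r.forward(client_to_web.reverse(), "Serial0.1", "Ethernet0"),
        "unsolicited": r.forward(Packet("198.51.100.10", 80, "172.19.139.2", 40001),
                                 "Serial0.1", "Ethernet0"),
    }


if __name__ == "__main__":
    for p in [("Ethernet0", "in"), ("Serial0.1", "out"), ("Serial0.1", "in")]:
        print(p, run(p))
```

In this model the first two placements behave identically: the inspect rule sees the client's outgoing packet, so the reply gets through ACL 111 while an unsolicited packet from the same server is still dropped. With the rule bound inbound on Serial0.1 the only packets it could see are the ones ACL 111 already denies, so no session is ever opened and the reply is dropped too. That matches the documented rule for CBAC: bind the inspection to the interface and direction that carry the session-initiating traffic.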
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:31 GMT-3