From: Salau, Yemi (yemi.salau@siemens.com)
Date: Wed Jul 11 2007 - 07:25:49 ART
Just want to add (support) a few things to Sam's comment.
From my own personal experience, the major difference between CBAC and
Reflexive Access Lists will be the auditing capability; in technical
principle they work alike. In this case you're trying to protect your
LAN by allowing only traffic generated from the LAN to come in via your
WAN cloud. So you don't want a new connection from someone on the WAN
side initiated into your LAN.
For CBAC, all you need to configure is three things:
1. An access-list to control what kind of traffic should come in or go out
of your LAN
2. An inspection policy
3. The inspection policy applied to the required/desired interface; this can
be on the WIC card or the Ethernet port.
I'm going to refer to Sam's examples:
1)
ip inspect name CBAC tcp
int s0/0
ip access-group ACL in (your deny ext acl)
int f0/0
ip inspect CBAC in
This will normally prevent any traffic coming into your s0/0.
It will allow all traffic from your LAN, but will inspect it as it
comes in on fa0/0 (this is where the inspection is taking place) and
create temporary entries in the ACL applied on s0/0 to permit only
return traffic of connections that originated from your LAN in the first
place to come into s0/0.
This is a classic déjà-vu technique common to other traffic-filtering
methods, except that you can't view the dynamic entry here.
2)
ip inspect name CBAC tcp
int s0/0
ip inspect CBAC out
ip access-group ACL in (your deny ext acl)
This will normally prevent any traffic coming into your s0/0.
It will allow all traffic from your LAN, but will inspect it as it
goes out from s0/0 (this is where the inspection is taking place) and
create temporary entries in the ACL applied on s0/0 to permit only
return traffic of connections that originated from your LAN in the first
place to come into s0/0.
This is a classic déjà-vu technique common to other traffic-filtering
methods, except that you can't view the dynamic entry here.
Hope this helps .... :-)
REFERENCE: Samarth's email below
Many Thanks
Yemi Salau
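A complete build-out of the three steps above, as an added worked example that is not part of any message in this thread. It uses the names the thread already uses (fa0/0 as the LAN port, s0/0 as the WAN port, an extended ACL called ACL, an inspection rule called CBAC); the IP addresses, descriptions and timeout values are assumptions chosen for illustration.

```cisco
! Added example (not from the thread). Assumed topology: fa0/0 = LAN,
! s0/0 = WAN; addresses and timers below are illustrative.
!
! Step 1 - the ACL applied inbound on the WAN interface. CBAC adds temporary
! entries to this list for the return traffic of sessions it has inspected.
! Anything that does not match a dynamic entry falls through to the deny,
! which is logged so unsolicited WAN-side connection attempts are visible.
ip access-list extended ACL
 remark Inbound from WAN: only CBAC dynamic entries should pass
 deny   ip any any log
!
! Step 2 - the inspection rule. TCP and UDP sessions are tracked;
! "ip inspect audit-trail" emits a syslog message per session open/close,
! which is the auditing capability the message above contrasts with
! reflexive ACLs. The idle-time values are assumptions (3600 s is the IOS
! default for TCP; 30 s is the default for UDP).
ip inspect audit-trail
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
! Step 3 - apply. This is variant 1) from the thread: inspect LAN-originated
! traffic as it enters fa0/0, and filter on s0/0 inbound.
interface FastEthernet0/0
 description LAN (assumed addressing)
 ip address 192.168.1.1 255.255.255.0
 ip inspect CBAC in
!
interface Serial0/0
 description WAN (assumed addressing)
 ip address 203.0.113.2 255.255.255.252
 ip access-group ACL in
!
! Variant 2) from the thread moves the inspection to the WAN interface
! outbound. For transit traffic on this two-interface router the same flows
! are inspected; use one placement or the other, not both:
!   interface Serial0/0
!    ip inspect CBAC out
!    ip access-group ACL in
!   (and remove "ip inspect CBAC in" from FastEthernet0/0)
!
! Verification commands:
!   show ip inspect config       - the rule and its timers
!   show ip inspect sessions     - sessions CBAC is currently tracking
!   show ip access-lists ACL     - hit counts on the logged deny line
```

Because the ACL ends in deny ip any any, anything the WAN side must initiate toward the router (a routing protocol on the serial link, ICMP you want answered, management access) has to be permitted explicitly above the deny; CBAC only opens holes for sessions it has inspected in the other direction.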
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of sam s
Sent: Wednesday, July 11, 2007 6:23 AM
To: M S; ccielab@groupstudy.com
Subject: RE: CBAC interfaces
Oops sorry....another method.....
4)
int f0/0
ip inspect CBAC in
ip access-group ACL out (deny acl)
Best Wishes,
SAMARTH
> From: michaelgstout@hotmail.com
> To: samarth_04@hotmail.com; ccielab@groupstudy.com
> Subject: RE: CBAC interfaces
> Date: Tue, 10 Jul 2007 21:47:21 -0700
>
> Didn't think of that
> Thank You.!
>
> --------------------------------------------------------------------
> From: sam s <samarth_04@hotmail.com>
> To: M S <michaelgstout@hotmail.com>, <ccielab@groupstudy.com>
> Subject: RE: CBAC interfaces
> Date: Wed, 11 Jul 2007 10:02:57 +0530
>
> I would do any of these methods.....
>
> 1)
> int s0/0
> ip access-group ACL in (your deny ext acl)
>
> int f0/0
> ip inspect CBAC in
>
> 2)
> int s0/0
> ip inspect CBAC out
> ip access-group ACL in (your deny ext acl)
>
> Best Wishes,
> SAMARTH
>
> > From: michaelgstout@hotmail.com
> > To: ccielab@groupstudy.com
> > Subject: CBAC interfaces
> > Date: Tue, 10 Jul 2007 21:05:29 -0700
> >
> > Hello:
> > I am working on my weak security areas.
> > I have a router with two interfaces, an Ethernet LAN and a serial
> > connection to the cloud.
> > I want to protect the users on my LAN.
> > I think the list will go something like this.
> > Please correct me if I am wrong.
> >
> > interface fast0/0
> > ip access-group ACL in
> > ip inspect CBAC out
> >
> > ip access-list ext ACL
> > deny ip any any
> >
> > ip inspect name CBAC tcp
> >
> > Thank you for the help.
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART