From: sam s (samarth_04@hotmail.com)
Date: Wed Jul 11 2007 - 07:45:23 ART
Also, the reflexive ACL cannot reflect dynamic ports, as it does not perform
deep packet inspection like CBAC.
CBAC has many more features.....
http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide_chapter09186a00800881be.html
Best Wishes,
SAMARTH
> Subject: RE: CBAC interfaces
> Date: Wed, 11 Jul 2007 11:25:49 +0100
> From: yemi.salau@siemens.com
> To: samarth_04@hotmail.com; michaelgstout@hotmail.com; ccielab@groupstudy.com
>
> Just want to add (support) a few things to sam's comment.
>
> From my own personal experience, the major difference between CBAC and
> Reflexive Access list will be the auditing capability; in technical
> principle they work alike. In this case you're trying to protect your
> LAN by allowing only traffic generated from the LAN to come in via your
> WAN cloud. So you don't want a new connection from someone on the WAN
> side initiated into your LAN.
>
> For CBAC, all you need is 3 things to configure:
> 1. Access-list to control what kind of traffic should come in or go out
>    of your LAN
> 2. Define an inspection policy
> 3. Apply your inspection policy to the required/desired interface; this
>    can be on the WIC card or the Ethernet port.
>
> I'm going to refer to sam's examples:
>
> 1)
> ip inspect name CBAC tcp
> int s0/0
>  ip access-group ACL in (your deny ext acl)
> int f0/0
>  ip inspect CBAC in
>
> This will normally prevent any traffic coming into your s0/0.
> It will allow all traffic from your LAN, but will inspect them as they
> come in on fa0/0 (this is where the inspection is taking place) and
> create a temporary entry in the ACL applied on s0/0 to permit only
> return connections that originated from your LAN in the first place to
> come into the s0/0.
> This is a classic deja-vu technique common with other traffic filtering
> methods, except that you can't view the dynamic entry here.
>
> 2)
> ip inspect name CBAC tcp
> int s0/0
>  ip inspect CBAC out
>  ip access-group ACL in (your deny ext acl)
>
> This will normally prevent any traffic coming into your s0/0.
> It will allow all traffic from your LAN, but will inspect them as they
> go out from s0/0 (this is where the inspection is taking place) and
> create a temporary entry in the ACL applied on s0/0 to permit only
> return connections that originated from your LAN in the first place to
> come into the s0/0.
> This is a classic deja-vu technique common with other traffic filtering
> methods, except that you can't view the dynamic entry here.
>
> Hope this helps .... :-)
>
> REFERENCE: Samarth's email below
>
> Many Thanks
>
> Yemi Salau
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of sam s
> Sent: Wednesday, July 11, 2007 6:23 AM
> To: M S; ccielab@groupstudy.com
> Subject: RE: CBAC interfaces
>
> Oops sorry....another method.....
>
> 4)
>
> int f0/0
>  ip inspect CBAC in
>  ip access-group ACL out (deny acl)
>
> Best Wishes,
> SAMARTH
>
> > From: michaelgstout@hotmail.com
> > To: samarth_04@hotmail.com; ccielab@groupstudy.com
> > Subject: RE: CBAC interfaces
> > Date: Tue, 10 Jul 2007 21:47:21 -0700
> >
> > Didn't think of that. Thank You!
> >
> > --------------------------------------------------------------------
> >
> > From: sam s <samarth_04@hotmail.com>
> > To: M S <michaelgstout@hotmail.com>, <ccielab@groupstudy.com>
> > Subject: RE: CBAC interfaces
> > Date: Wed, 11 Jul 2007 10:02:57 +0530
> >
> > I would do any of these methods.....
> >
> > 1)
> > int s0/0
> >  ip access-group ACL in (your deny ext acl)
> >
> > int f0/0
> >  ip inspect CBAC in
> >
> > 2)
> > int s0/0
> >  ip inspect CBAC out
> >  ip access-group ACL in (your deny ext acl)
> >
> > Best Wishes,
> > SAMARTH
> >
> > > From: michaelgstout@hotmail.com
> > > To: ccielab@groupstudy.com
> > > Subject: CBAC interfaces
> > > Date: Tue, 10 Jul 2007 21:05:29 -0700
> > >
> > > Hello:
> > > I am working on my weak security areas.
> > > I have a router with two interfaces, an Ethernet LAN and a serial
> > > connection to the cloud.
> > > I want to protect the users on my LAN.
> > > I think the list will go something like this.
> > > Please correct me if I am wrong.
> > >
> > > interface fast0/0
> > >  ip access-group ACL in
> > >  ip inspect CBAC out
> > >
> > > ip access-list ext ACL
> > >  deny ip any any
> > >
> > > ip inspect name CBAC tcp
> > >
> > > Thank you for the help.
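The following is an added, complete worked configuration for the scenario discussed in this thread (LAN on f0/0, WAN cloud on s0/0, only LAN-initiated sessions allowed back in). It is not part of any message above and not from Cisco's documentation; it follows Yemi's three steps and Samarth's method 1 (deny ACL inbound on the WAN interface, inspection inbound on the LAN interface). The interface names, the ACL name ACL and the inspection name CBAC are taken from the thread; the hostname, the `ftp`/`udp` inspection lines, the ICMP permit and the `remark` lines are assumptions added here to illustrate the dynamic-port point Samarth makes about reflexive ACLs versus CBAC.

```cisco
! Added example (not from the thread). Hostname is constructed.
hostname LAN-EDGE
!
! Step 2 (Yemi): define the inspection policy. Inspecting "ftp" rather than
! only "tcp" is what lets CBAC parse the PORT/PASV exchange and open the
! negotiated data port; a reflexive ACL only mirrors the control channel.
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
!
! Step 1 (Yemi): the "deny ext acl" for the WAN side. CBAC inserts its
! temporary return entries ahead of this list, so everything that is NOT a
! return flow of a LAN-initiated session must be permitted here explicitly
! (routing protocols, management to the router, etc.) or it is dropped.
ip access-list extended ACL
 remark assumed: allow only what the LAN needs unsolicited; CBAC handles returns
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Step 3 (Yemi): apply the ACL on the WAN interface, inspect on the LAN side
! (Samarth's method 1: inspect "in" on f0/0, ACL "in" on s0/0).
interface Serial0/0
 description WAN cloud
 ip access-group ACL in
!
interface FastEthernet0/0
 description LAN (protected users)
 ip inspect CBAC in
!
end
!
! Verification from exec mode (commands exist in IOS; output not shown):
!   show ip inspect config        - policies and per-protocol timeouts
!   show ip inspect interfaces    - where CBAC and the ACL are bound
!   show ip inspect sessions      - live LAN-initiated sessions being tracked
!   show ip access-lists ACL      - hit counts on the static deny entries
```

The dynamic entries CBAC creates do not appear in `show ip access-lists`; `show ip inspect sessions` is where the tracked sessions (including the FTP data channel once `ftp` inspection is configured) become visible. If the same policy is instead applied as `ip inspect CBAC out` on Serial0/0 (Samarth's method 2), the ACL and verification commands are unchanged; only the point at which traffic is inspected moves.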
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART