From: M S (michaelgstout@hotmail.com)
Date: Thu Jul 12 2007 - 14:28:45 ART
Thank You Samarth and Yemi.
There are many possible configurations for CBAC if it is configured to
provide full functionality.
Very scary possibility for CCIE lab complications.
--------------------------------------------------------------------
From: sam s <samarth_04@hotmail.com>
To: "Salau, Yemi" <yemi.salau@siemens.com>
CC: <michaelgstout@hotmail.com>, <ccielab@groupstudy.com>
Subject: RE: CBAC interfaces
Date: Wed, 11 Jul 2007 16:55:45 +0530
Also the reflexive-acl cannot reflect dynamic ports as it does
not perform a deep packet inspection like CBAC.
CBAC has many more features.....
http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide_chapter09186a00800881be.html
Best Wishes,
SAMARTH
> Subject: RE: CBAC interfaces
> Date: Wed, 11 Jul 2007 11:25:49 +0100
> From: yemi.salau@siemens.com
> To: samarth_04@hotmail.com; michaelgstout@hotmail.com;
> ccielab@groupstudy.com
>
> Just want to add (support) a few things to sam's comment,
>
> From my own personal experience, the major difference between CBAC and
> Reflexive Access list will be the auditing capability; in technical
> principle they work alike. In this case you're trying to protect your
> LAN by allowing only traffic generated from the LAN to come in via your
> WAN cloud. So you don't want a new connection from someone on the WAN
> side initiated into your LAN.
>
> For CBAC, all you need is 3 things to configure:-
> 1. Access-list to control what kind of traffic should come in or go out
> of your LAN
> 2. Define an inspection policy
> 3. Apply your inspection policy to the required/desired interface, this can
> be on the WIC card or the Ethernet port.
>
> I'm going to refer to sam's examples:-
>
> 1)
> ip inspect name CBAC tcp
> int s0/0
> ip access-group ACL in (your deny ext acl)
> int f0/0
> ip inspect CBAC in
>
> This will normally prevent any traffic coming into your s0/0.
> It will allow all traffic from your LAN, but will inspect it as it
> comes in on fa0/0 (this is where the inspection is taking place) and
> create a temporary entry in the ACL applied on s0/0 to permit only
> return connections that originated from your LAN in the first place to
> come into the s0/0.
> This is a classic deja-vu technique common with other traffic filtering
> methods except that you can't view the dynamic entry here.
>
> 2)
> ip inspect name CBAC tcp
> int s0/0
> ip inspect CBAC out
> ip access-group ACL in (your deny ext acl)
>
> This will normally prevent any traffic coming into your s0/0.
> It will allow all traffic from your LAN, but will inspect it as it
> goes out from s0/0 (this is where the inspection is taking place) and
> create a temporary entry in the ACL applied on s0/0 to permit only
> return connections that originated from your LAN in the first place to
> come into the s0/0.
> This is a classic deja-vu technique common with other traffic filtering
> methods except that you can't view the dynamic entry here.
>
> Hope this helps .... :-)
>
> REFERENCE: Samarth's email below
>
> Many Thanks
>
> Yemi Salau
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> sam s
> Sent: Wednesday, July 11, 2007 6:23 AM
> To: M S; ccielab@groupstudy.com
> Subject: RE: CBAC interfaces
>
> Oops sorry....another method.....
>
> 4)
>
> int f0/0
> ip inspect CBAC in
> ip access-group ACL out (deny acl)
>
> Best Wishes,
> SAMARTH
> > From: michaelgstout@hotmail.com
> > To: samarth_04@hotmail.com; ccielab@groupstudy.com
> > Subject: RE: CBAC interfaces
> > Date: Tue, 10 Jul 2007 21:47:21 -0700
> >
> > Didn't think of that
> > Thank You.!
> >
> > --------------------------------------------------------------------
> >
> > From: sam s <samarth_04@hotmail.com>
> > To: M S <michaelgstout@hotmail.com>, <ccielab@groupstudy.com>
> > Subject: RE: CBAC interfaces
> > Date: Wed, 11 Jul 2007 10:02:57 +0530
> >
> > I would do any of these methods.....
> >
> > 1)
> > int s0/0
> > ip access-group ACL in (your deny ext acl)
> >
> > int f0/0
> > ip inspect CBAC in
> >
> > 2)
> >
> > int s0/0
> > ip inspect CBAC out
> > ip access-group ACL in (your deny ext acl)
> >
> > Best Wishes,
> > SAMARTH
> >
> > > From: michaelgstout@hotmail.com
> > > To: ccielab@groupstudy.com
> > > Subject: CBAC interfaces
> > > Date: Tue, 10 Jul 2007 21:05:29 -0700
> > >
> > > Hello:
> > > I am working on my weak security areas.
> > > I have a router with two interfaces, Ethernet LAN and a serial connection
> > > to the cloud.
> > > I want to protect the users on my LAN.
> > > I think the list will go something like this.
> > > Please correct me if I am wrong
> > > interface fast0/0
> > > ip access-group ACL in
> > > ip inspect CBAC out
> > >
> > > ip access-list ext ACL
> > > deny ip any
> > >
> > > ip inspect name CBAC tcp
> > >
> > > Thank you for the help.
>
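Since nothing in a mail thread can be executed, here is an added Python toy model (not from the thread, and not Cisco IOS code) of the three placements Samarth listed plus the one in the first post, using the packet path and return-only openings Yemi describes. Interface names follow the thread; the sample addresses, ports and the ACL-before-inspect ordering are constructed assumptions.

```python
# Added toy model of CBAC placement (not from the thread or Cisco IOS): two
# interfaces, one deny-all extended ACL and one 'ip inspect' rule. Assumed:
# the ACL is evaluated before inspection at a checkpoint, inspection records
# only new (SYN) TCP sessions, and its openings permit return traffic only.

LAN, WAN = "f0/0", "s0/0"

def checkpoints(src_side):
    """A LAN packet crosses f0/0 inbound then s0/0 outbound; WAN the reverse."""
    if src_side == "lan":
        return [(LAN, "in"), (WAN, "out")]
    return [(WAN, "in"), (LAN, "out")]

def run(config, packets):
    """config: {"inspect": (iface, dir), "acl": (iface, dir)}.
    packets: (src_side, src, sport, dst, dport, is_syn). Returns verdicts."""
    sessions = set()                     # 4-tuples opened by inspection
    verdicts = []
    for side, src, sport, dst, dport, is_syn in packets:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)   # the session this would be a reply to
        verdict = "pass"
        for cp in checkpoints(side):
            if cp == config["acl"] and rev not in sessions:
                verdict = "drop"         # static deny and no dynamic opening
                break
            if cp == config["inspect"] and is_syn:
                sessions.add(fwd)        # temporary entry for the return path
        verdicts.append(verdict)
    return verdicts

# Constructed sample traffic: a LAN-initiated web session, its return
# packet, and an unsolicited SSH attempt from the WAN side.
PACKETS = [
    ("lan", "10.0.0.5", 40000, "198.51.100.10", 80, True),
    ("wan", "198.51.100.10", 80, "10.0.0.5", 40000, False),
    ("wan", "203.0.113.7", 5555, "10.0.0.5", 22, True),
]

PLACEMENTS = {
    "sam 1: inspect f0/0 in, ACL s0/0 in": {"inspect": (LAN, "in"), "acl": (WAN, "in")},
    "sam 2: inspect s0/0 out, ACL s0/0 in": {"inspect": (WAN, "out"), "acl": (WAN, "in")},
    "sam 4: inspect f0/0 in, ACL f0/0 out": {"inspect": (LAN, "in"), "acl": (LAN, "out")},
    "first post: inspect f0/0 out, ACL f0/0 in": {"inspect": (LAN, "out"), "acl": (LAN, "in")},
}

if __name__ == "__main__":
    for name, cfg in PLACEMENTS.items():
        print(f"{name}: {run(cfg, PACKETS)}")
```

Samarth's three placements all let the LAN session and its reply through while dropping the unsolicited WAN SYN; the first post's placement does the opposite, because the deny ACL sits on the LAN-inbound checkpoint and the inspection watches WAN-originated traffic.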
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART