Saturday, February 22, 2020

Cisco CBAC Configuration Example

CBAC (Context Based Access Control) is a firewall for Cisco IOS routers that offers some more features than a simple access-list. CBAC is able to inspect up to layer 7 of the OSI model and can dynamically create rules to allow return traffic. It is similar to the reflexive access-list but one of the key differences is that the reflexive ACL only inspects up to layer 4.
In this tutorial I’ll give you an example of CBAC and you’ll see why this firewall feature is very useful. I’ll be using 3 routers for this:
[Figure: Cisco CBAC topology, R1 (Internet) - R2 - R3 (LAN)]
In the example above we have 3 routers. Imagine the router on the left side (R1) is some device on the internet while R3 is a host on our LAN. R2 will be the router that is protecting us from traffic on the Internet, this is where we configure CBAC. Let’s start with the basic configuration…setting up IP addresses and some static routes for connectivity:
R1(config)#interface fastethernet 0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R2(config)#interface fastethernet 0/0
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#interface fastethernet 0/1
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R3(config)#interface fastethernet 0/0
R3(config-if)#no shutdown
R3(config-if)#ip address 192.168.23.3 255.255.255.0
And two static routes so R1 and R3 can reach each other:
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2
Our idea is to protect our LAN from all the evil stuff on the Internet. To do so, we’ll create an access-list that drops everything coming from the Internet. The access-list looks like this:
R2(config)#ip access-list extended DENY_ALL_FROM_INTERNET
R2(config-ext-nacl)#deny ip any any log

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group DENY_ALL_FROM_INTERNET in
This access-list is very effective…it will drop everything from the Internet! I added the “deny ip any any log” so you can see dropped packets on the console. You don’t have to add it, because anything that doesn’t match a permit statement is dropped by the implicit deny anyway, but it helps to show the dropped packets. There’s one problem with this ACL, however. Let’s see what happens when I send a ping from R3 to R1:
R3#ping 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
These pings are failing, and this is what you see on the console of R2:
R2#
%SEC-6-IPACCESSLOGDP: list DENY_ALL_FROM_INTERNET denied icmp 192.168.12.1 -> 192.168.23.3 (0/0), 1 packet
These packets are dropped by the inbound ACL on R2 as illustrated below:
[Figure: ICMP echo request from R3 reaches R1, the echo reply is dropped by the inbound ACL on R2]
If we want to solve this problem we would have to add a permit statement in the access-list so the ping makes it through. That’s not a scalable solution since we don’t know what kind of traffic we have on our LAN and we don’t want a big access-list with hundreds of permit statements.
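The console messages above are the only feedback the router gives you when return traffic is dropped. As an added example (not code from the original post or from Cisco), here is a small Python parser for the two message formats that “deny … log” produces: %SEC-6-IPACCESSLOGDP for ICMP (with type/code) and %SEC-6-IPACCESSLOGP for TCP/UDP (with ports). It aggregates denied packets per flow and flags the drops that look like the reply half of a LAN-initiated connection, which tells you which protocol your inspect rule is still missing. The sample log lines other than the two taken from this page, and the return-traffic heuristic, are constructed assumptions of this example.

```python
"""Parse IOS ACL log messages and point out drops that look like blocked
return traffic. Added example, not Cisco code.

Assumptions: the two regular expressions below describe the messages that
"deny ... log" produces for ICMP (...LOGDP, type/code in parentheses) and
for TCP/UDP (...LOGP, ports in parentheses); looks_like_return_traffic()
is this example's own rule of thumb, not a CBAC feature.
"""
import re
from collections import Counter

_ICMP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<itype>\d+)/(?P<icode>\d+)\), (?P<count>\d+) packets?"
)
_PORT_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: the two ICMP messages from the tutorial, two TCP drops
# made up for this example, and one unrelated IOS message.
SAMPLE_LOG = [
    "%SEC-6-IPACCESSLOGDP: list DENY_ALL_FROM_INTERNET denied icmp 192.168.12.1 -> 192.168.23.3 (0/0), 1 packet",
    "%SEC-6-IPACCESSLOGDP: list DENY_ALL_FROM_INTERNET denied icmp 192.168.12.1 -> 192.168.12.2 (0/0), 1 packet",
    "%SEC-6-IPACCESSLOGP: list DENY_ALL_FROM_INTERNET denied tcp 192.168.12.1(443) -> 192.168.23.3(41000), 3 packets",
    "%SEC-6-IPACCESSLOGP: list DENY_ALL_FROM_INTERNET denied tcp 203.0.113.9(51234) -> 192.168.23.3(23), 1 packet",
    "%SYS-5-CONFIG_I: Configured from console by console",
]


def parse_line(line):
    """Return a dict of fields for one ACL log message, or None otherwise."""
    for rx in (_ICMP_RE, _PORT_RE):
        m = rx.search(line)          # search: a syslog timestamp may precede it
        if m:
            rec = m.groupdict()
            for key in ("itype", "icode", "sport", "dport", "count"):
                if key in rec:
                    rec[key] = int(rec[key])
            return rec
    return None


def looks_like_return_traffic(rec):
    """Heuristic: an ICMP echo reply (type 0), or a TCP/UDP packet from a
    well-known port to an ephemeral port, is most likely the answer to a
    flow the LAN opened, i.e. something an inspect rule should have allowed."""
    if rec["proto"] == "icmp":
        return rec["itype"] == 0
    if rec["proto"] in ("tcp", "udp"):
        return rec["sport"] < 1024 and rec["dport"] >= 1024
    return False


def analyse(lines):
    """Sum denied packets per (acl, proto, src, dst) and collect the flows
    that look like dropped return traffic."""
    denied = Counter()
    gaps = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        denied[(rec["acl"], rec["proto"], rec["src"], rec["dst"])] += rec["count"]
        if looks_like_return_traffic(rec):
            gaps.append((rec["proto"], rec["src"], rec["dst"]))
    return denied, gaps


if __name__ == "__main__":
    totals, suspects = analyse(SAMPLE_LOG)
    for flow, count in totals.items():
        print(f"{count:4d} denied  {flow}")
    print("likely dropped return traffic:", suspects)
```

Run against the sample, the two ICMP echo replies and the HTTPS reply (source port 443 to an ephemeral port) are reported as inspection gaps, while the unsolicited telnet attempt from the outside is counted as an ordinary, wanted drop.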
What we are going to do is configure CBAC so it inspects the traffic and automatically allows the return traffic through. I’ll give you an example of how you can do this for HTTP traffic:
R2(config)#ip inspect name FIREWALL http
Our inspect rule is called “FIREWALL” and we tell CBAC to inspect HTTP traffic. We need to apply this inspect rule to an interface:
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip inspect FIREWALL out
In my example I’m applying it outbound on R2’s FastEthernet 0/0, the interface towards R1 that also carries the inbound access-list. Let’s enable the HTTP server on R1 so we have something to connect to:
R1(config)#ip http server 
Let’s connect from R3 to R1:
R3#telnet 192.168.12.1 80
Trying 192.168.12.1, 80 ... Open
It says “Open”, which means that R3 was able to connect to R1. Let’s see what CBAC thinks about this:
R2#show ip inspect sessions 
Established Sessions
 Session 6702F3E0 (192.168.23.3:36456)=>(192.168.12.1:80) http SIS_OPEN
You can see that CBAC inspected our HTTP traffic and is permitting it through the access-list. If you want you can take a detailed look at the inspection rules:
R2#show ip inspect all      
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name FIREWALL
    http alert is on audit-trail is off timeout 3600

Interface Configuration
 Interface FastEthernet0/0
  Inbound inspection rule is not set
  Outgoing inspection rule is FIREWALL
    http alert is on audit-trail is off timeout 3600
  Inbound access list is DENY_ALL_FROM_INTERNET
  Outgoing access list is not set

Established Sessions
 Session 6702F3E0 (192.168.23.3:36456)=>(192.168.12.1:80) http SIS_OPEN
Right now we are only allowing HTTP traffic through the access-list. If you want a less restrictive firewall you can also permit entire protocols like TCP or UDP. A good example would be something like this:
R2(config)#ip inspect name FIREWALL tcp 
R2(config)#ip inspect name FIREWALL udp 
R2(config)#ip inspect name FIREWALL icmp
This tells CBAC to inspect TCP, UDP and ICMP traffic. This ensures that 90% of your traffic from the LAN will be able to reach hosts on the Internet and make it back through your access-list.
Last but not least, the examples above only apply to traffic that is flowing through your router. They don’t apply to locally generated traffic from the router itself. Let me show you what I mean by sending a ping from R2 to R1:
R2#ping 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
These pings are not making it through the access-list…you’ll see this on the console of R2:
%SEC-6-IPACCESSLOGDP: list DENY_ALL_FROM_INTERNET denied icmp 192.168.12.1 -> 192.168.12.2 (0/0), 1 packet
The problem is that when R2 sends a ping, it is locally generated and not flowing through the router. In order to fix this you’ll need to add some additional inspect rules:
R2(config)#ip inspect name FIREWALL tcp router-traffic 
R2(config)#ip inspect name FIREWALL udp router-traffic 
R2(config)#ip inspect name FIREWALL icmp router-traffic 
Let’s try that ping again!
R2#ping 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Now it’s working…great! You now know what CBAC is about and how to configure it. Don’t forget that if you still want to connect to your CBAC-enabled router from the Internet using telnet, SSH, IPSEC or anything else then you need to add some permit statements. Here’s an example for SSH:
R2(config)#ip access-list extended DENY_ALL_FROM_INTERNET
R2(config-ext-nacl)#1 permit tcp any any eq 22
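To tie the three mechanisms of this tutorial together (the inspect rule applied outbound on the interface that carries the inbound ACL, the router-traffic keyword for locally generated packets, and the sequence-1 permit placed in front of the deny), here is an added Python model that replays every test from the post. It is an illustration written for this page, not Cisco code and not how IOS implements CBAC internally: session matching is reduced to an exact reversed 5-tuple, the ACL only supports the “any any” entries used here, and the class and function names are this example’s own.

```python
"""Toy model of a CBAC inspection rule on top of an inbound ACL.
Added example, not Cisco code; it reproduces only what the tutorial shows.

Assumptions: a session is keyed on the exact 5-tuple of the inspected
outbound packet and matches the reply by reversing it; the ACL entries
are 'any any' with an optional destination port; real CBAC additionally
tracks TCP state, timeouts and application-layer details.
"""
from dataclasses import dataclass
from typing import Optional

# Addresses from the tutorial topology.
R1 = "192.168.12.1"        # host on the "Internet" side
R2_FA00 = "192.168.12.2"   # R2's Internet-facing interface
R3 = "192.168.23.3"        # host on the LAN


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for icmp
    dport: int = 0


@dataclass
class AclEntry:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    dport: Optional[int] = None   # None = any destination port


class Firewall:
    """R2's fa0/0: an inbound ACL plus an outbound 'ip inspect' rule."""

    def __init__(self, acl, inspect):
        self.acl = sorted(acl, key=lambda e: e.seq)   # first match wins
        self.inspect = inspect    # inspect name -> router-traffic flag
        self.sessions = set()     # 5-tuples of inspected outbound flows

    def _acl_permits(self, pkt):
        for e in self.acl:
            if e.proto in ("ip", pkt.proto) and e.dport in (None, pkt.dport):
                return e.action == "permit"
        return False              # implicit deny at the end of every ACL

    def _inspected(self, pkt, transit):
        for name, router_traffic in self.inspect.items():
            # Locally generated traffic is only inspected with router-traffic.
            if not transit and not router_traffic:
                continue
            if name == "http" and pkt.proto == "tcp" and pkt.dport == 80:
                return True
            if name == pkt.proto:   # generic tcp / udp / icmp inspection
                return True
        return False

    def send_out(self, pkt, transit=True):
        """Packet leaving fa0/0. transit=False means R2 generated it itself."""
        if self._inspected(pkt, transit):
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def receive_in(self, pkt):
        """Packet arriving on fa0/0: a CBAC session entry overrides the ACL."""
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permitted by CBAC session"
        return "permitted by ACL" if self._acl_permits(pkt) else "denied by ACL"


def tutorial_scenarios():
    """Replay the tutorial's tests; returns the outcome of each scenario."""
    acl = [AclEntry(1, "permit", "tcp", 22), AclEntry(10, "deny", "ip")]
    fw = Firewall(acl, inspect={"http": False})
    out = {}
    # R3 pings R1: only HTTP is inspected, so the echo reply hits the deny.
    fw.send_out(Packet("icmp", R3, R1))
    out["r3_ping_http_only"] = fw.receive_in(Packet("icmp", R1, R3))
    # R3 connects to R1 port 80: inspected, so the SYN/ACK is let back in.
    fw.send_out(Packet("tcp", R3, R1, 36456, 80))
    out["r3_http"] = fw.receive_in(Packet("tcp", R1, R3, 80, 36456))
    # R2 pings R1 with icmp inspected but without router-traffic: still dropped.
    fw.inspect["icmp"] = False
    fw.send_out(Packet("icmp", R2_FA00, R1), transit=False)
    out["r2_ping_no_router_traffic"] = fw.receive_in(Packet("icmp", R1, R2_FA00))
    # Same ping after 'ip inspect name FIREWALL icmp router-traffic'.
    fw.inspect["icmp"] = True
    fw.send_out(Packet("icmp", R2_FA00, R1), transit=False)
    out["r2_ping_router_traffic"] = fw.receive_in(Packet("icmp", R1, R2_FA00))
    # Unsolicited SSH to R2 passes thanks to the sequence-1 permit ...
    out["inbound_ssh"] = fw.receive_in(Packet("tcp", R1, R2_FA00, 50000, 22))
    # ... while any other unsolicited connection from the Internet is denied.
    out["inbound_http_to_lan"] = fw.receive_in(Packet("tcp", R1, R3, 50001, 80))
    return out


if __name__ == "__main__":
    for name, result in tutorial_scenarios().items():
        print(f"{name:28s} {result}")
```

The model makes the ordering visible: a packet arriving on fa0/0 is first compared with the sessions that inspection created, and only then with the static ACL, which is why the deny-everything list and the dynamic return traffic can coexist, and why the sequence number on the SSH permit matters.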
That’s all we have for now. For reference, here are the final configurations of R1, R2 and R3:
hostname R1
!
ip cef
!
ip inspect name FIREWALL http
ip inspect name FIREWALL tcp router-traffic
ip inspect name FIREWALL udp router-traffic
ip inspect name FIREWALL icmp router-traffic
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
ip http server 
!
end
hostname R2
!
ip cef
!
ip inspect name FIREWALL http
ip inspect name FIREWALL tcp router-traffic
ip inspect name FIREWALL udp router-traffic
ip inspect name FIREWALL icmp router-traffic
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip access-group DENY_ALL_FROM_INTERNET in
 ip inspect FIREWALL out
!
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
!
ip access-list extended DENY_ALL_FROM_INTERNET
 permit tcp any any eq 22
 deny   ip any any log
!
end
hostname R3
!
ip cef
!
ip inspect name FIREWALL http
ip inspect name FIREWALL tcp router-traffic
ip inspect name FIREWALL udp router-traffic
ip inspect name FIREWALL icmp router-traffic
!
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
end
I hope this has been a useful example for you to understand and configure CBAC. If you have any questions, feel free to leave a comment!
