Lab 6.2 Configuring CBAC
Step 4: Create IP Inspect Rules

CBAC operates by statefully inspecting some protocols and tracking TCP connections and UDP flows. CBAC examines the protocols to determine whether incoming, untrusted (outside) traffic is return traffic for an inside-initiated connection or the result of arbitrarily spoofed packets. For some well-known protocols, CBAC can also examine particular application-layer fields to make sure that the packets follow the protocols of those specific applications correctly. Any traffic that is not accepted by CBAC is treated according to the rules in the access list on the interface. This is done by explicitly blocking untrusted traffic (which we will configure later) except when allowed by CBAC.

Why is it important to keep track of connection states, especially with TCP connections?

The critical part of configuring CBAC involves creating rules to track connections and flows. Create rules to track TCP and UDP flows using the ip inspect name name protocol command. Use the name "myrules" and apply the CBAC rule to the Serial0/0/0 interface in the inbound direction. To see the protocols available (most of the protocols listed are application layer protocols), enter the ip inspect name name command followed by the ? character. Newer IOS versions will have more protocols listed.

FW(config)# ip inspect name myrules ?
  802-11-iapp   IEEE 802.11 WLANs WG IAPP
  ace-svr       ACE Server/Propagation
  aol           America-Online
  appfw         Application Firewall
  appleqtc      Apple QuickTime
  bgp           Border Gateway Protocol

FW(config)# ip inspect name myrules tcp
FW(config)# ip inspect name myrules udp

You can also set CBAC timeouts for various protocols. To change the amount of time that should pass before a UDP flow times out, use the ip inspect udp idle-time timeout command in global configuration mode. The default UDP idle timeout is 30 seconds. Change the UDP timeout to 60 seconds.

FW(config)# ip inspect udp idle-time 60
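The following Python model is an added illustration, not part of the Cisco lab and not Cisco's implementation, of the state tracking that the inspect rules in this step turn on. It keeps a CBAC-style session table for TCP and UDP, lets an inbound packet through only when it is return traffic for an inside-initiated session, rejects a bare inbound SYN even when it is addressed to a known host, and expires UDP entries after the idle timeout that ip inspect udp idle-time sets (30 seconds by default, 60 as configured above). The addresses, ports and timestamps in the trace are constructed, and the class and function names are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    time: float       # seconds since the start of the constructed trace
    flags: str = ""   # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


@dataclass
class Inspector:
    """Session table built by an inspect rule such as 'ip inspect name myrules tcp/udp'
    (simplified model for illustration, not the IOS implementation)."""
    inspected: set                                   # protocols named in the inspect rule
    udp_idle_time: float = 30.0                      # 'ip inspect udp idle-time' default
    table: dict = field(default_factory=dict)        # flow key -> time of last activity

    def outbound(self, pkt):
        """Packet leaving the trusted side: record or refresh the session."""
        if pkt.proto in self.inspected:
            self.table[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.time

    def inbound(self, pkt):
        """Packet from the untrusted side: True only if it is return traffic."""
        self._expire_idle_udp(pkt.time)
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed direction
        if key not in self.table:
            return False   # no session: left to the interface ACL, which denies it
        if pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags:
            return False   # a bare SYN is a new connection attempt, not a reply
        self.table[key] = pkt.time
        return True

    def _expire_idle_udp(self, now):
        # UDP has no connection teardown, so idle time is the only way to retire a flow
        for key, last in list(self.table.items()):
            if key[0] == "udp" and now - last > self.udp_idle_time:
                del self.table[key]


def run_trace(udp_idle_time=30.0):
    """Replay a constructed trace through the inspector; return the inbound verdicts."""
    fw = Inspector(inspected={"tcp", "udp"}, udp_idle_time=udp_idle_time)
    trace = [
        ("out", Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 80, 0.0, "S")),     # inside opens HTTP
        ("in",  Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 40000, 0.1, "SA")),    # server reply
        ("in",  Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 22, 0.2, "S")),     # unsolicited SYN
        ("out", Packet("udp", "10.0.0.5", 50000, "203.0.113.53", 53, 1.0)),         # inside DNS query
        ("in",  Packet("udp", "203.0.113.53", 53, "10.0.0.5", 50000, 1.5)),         # DNS answer
        ("in",  Packet("udp", "203.0.113.53", 53, "10.0.0.5", 50000, 50.0)),        # late UDP packet
        ("in",  Packet("udp", "203.0.113.53", 53, "10.0.0.5", 50000, 130.0)),       # much later packet
    ]
    verdicts = []
    for direction, pkt in trace:
        if direction == "out":
            fw.outbound(pkt)
        else:
            verdicts.append(fw.inbound(pkt))
    return verdicts


if __name__ == "__main__":
    print("default 30 s UDP idle timeout:", run_trace())
    print("idle-time 60 as in the lab:  ", run_trace(60.0))
```

Running it shows the effect of the timeout change in this step: with the 30-second default the UDP packet arriving 48.5 seconds after the last activity is dropped, while with idle-time 60 it is accepted and refreshes the entry, and the packet 80 seconds after that is dropped in both cases. The unsolicited SYN to port 22 is denied no matter what the timers are, which is the answer to the lab question about why connection state matters.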
3 - 8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 6-2 Copyright © 2007, Cisco Systems, Inc