An Example of CBAC Implementation for FTP

Just as before, the ACL 101 is on the outside interface (serial 0), and CBAC is configured on the inside interface (Ethernet 0). An inside host initiates the connection for the control channel by sending a SYN, and CBAC creates a dynamic hole for the return traffic, which allows the reply SYN-ACK packet through the hole. After the client sends the ACK, the connection completes as before.

Now, the inside host negotiates the address and port information for the second channel (the data channel) by sending the PORT A:5560 command. This means that the inside host listens on source address A and source port 5560, so the FTP server must connect back to the client to create the data channel. Note that the FTP client can use the PORT command to offer an address other than A, causing the FTP server on the outside to open the data connection to that other address.

Even though the data channel is initiated from the FTP server sitting on the outside, CBAC must allow this connection; otherwise, FTP application functionality will fail. CBAC does this by extracting the PORT A:5560 data from the packet (note that this information lies in the packet's Layer 7 payload and not in the Layer 4 header). After extracting this information, CBAC creates another dynamic ACL entry. The destination address/port in the ACL entry are set to A:5560, whereas the source address/port are set to "any" because CBAC does not yet know which address/port the outside host will use to initiate the data connection.

This creates another hole in the ACL, sometimes known as a wide hole because the source address/port are set to "any". When the outside host actually sends the SYN packet to initiate the connection, CBAC extracts the source information from this packet as B:20. It then uses this information to update the second dynamic ACL entry and changes the source address/port from "any" to B:20, thus narrowing the hole to match only this connection. Now the rest of the three-way handshake completes successfully, and the second connection also succeeds. The first connection from A:5550 to B:21 is known as the control connection, and the second connection from B:20 to A:5560 is known as the data connection. Without CBAC, if you configure reflexive or static ACLs, you must permit everything from outside to inside for the data connection. In summary, CBAC understands more than Layer 3 and Layer 4 of the OSI model; CBAC understands up to Layer 7. Because of this application awareness, CBAC can dynamically open and close the ports needed by applications using dynamic ACLs.
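The following is an added illustration, not code from the book or from Cisco IOS: a toy Python model of the sequence just described. It parses the FTP PORT command out of the control-channel payload (host and port encoded as six decimal numbers, port = p1*256 + p2), opens a wide hole with source "any", and narrows that hole to the first outside peer whose SYN matches it. The IP addresses standing in for hosts A and B are constructed, and the `strict_port_address` knob is a hardening option of this toy only, not a documented CBAC setting.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed toy model of CBAC-style FTP inspection (not Cisco IOS code).
# Hosts "A" and "B" from the text become constructed literal IPs below.

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass
class DynamicEntry:
    """One dynamic ACL entry applied to traffic arriving on the outside interface.
    src_ip/src_port may be "any" (a wide hole) until the first SYN narrows it."""
    src_ip: Union[str, int]
    src_port: Union[str, int]
    dst_ip: str
    dst_port: int
    kind: str  # "control" or "data"

    def matches(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        return (
            (self.src_ip == "any" or self.src_ip == src_ip)
            and (self.src_port == "any" or self.src_port == src_port)
            and self.dst_ip == dst_ip
            and self.dst_port == dst_port
        )


class FtpInspector:
    def __init__(self, strict_port_address: bool = False) -> None:
        self.entries: List[DynamicEntry] = []
        # Toy-only hardening knob (not a CBAC feature): refuse PORT commands
        # that name an address other than the client's own.
        self.strict_port_address = strict_port_address

    def outbound_syn(self, client_ip: str, client_port: int,
                     server_ip: str, server_port: int) -> DynamicEntry:
        """Inside host opens the control channel: punch an exact hole for the reply."""
        entry = DynamicEntry(server_ip, server_port, client_ip, client_port, "control")
        self.entries.append(entry)
        return entry

    def inspect_control_payload(self, client_ip: str, payload: str) -> Optional[DynamicEntry]:
        """Look inside the Layer 7 payload for a PORT command and open a wide hole."""
        m = PORT_RE.match(payload)
        if not m:
            return None
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        if self.strict_port_address and host != client_ip:
            return None
        entry = DynamicEntry("any", "any", host, port, "data")
        self.entries.append(entry)
        return entry

    def inbound_packet(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        """Filter a packet arriving on the outside interface against the dynamic entries.
        A wide data hole is narrowed to the first peer that uses it."""
        for entry in self.entries:
            if entry.matches(src_ip, src_port, dst_ip, dst_port):
                if entry.src_ip == "any":
                    entry.src_ip, entry.src_port = src_ip, src_port  # narrow the hole
                return True
        return False


def active_ftp_walkthrough() -> dict:
    """Replays the exchange from the text: A:5550 -> B:21, PORT A:5560, then B:20 -> A:5560."""
    a, b = "10.1.1.5", "192.0.2.10"  # constructed stand-ins for hosts A and B
    fw = FtpInspector()
    fw.outbound_syn(a, 5550, b, 21)
    results = {}
    results["syn_ack_control"] = fw.inbound_packet(b, 21, a, 5550)
    # 21*256 + 184 = 5560, so this is "PORT A:5560" in wire form
    data_hole = fw.inspect_control_payload(a, "PORT 10,1,1,5,21,184\r\n")
    results["wide_hole"] = (data_hole.src_ip, data_hole.dst_ip, data_hole.dst_port)
    results["data_syn"] = fw.inbound_packet(b, 20, a, 5560)
    results["narrowed_src"] = (data_hole.src_ip, data_hole.src_port)
    # After narrowing, a different outside host cannot reuse the hole
    results["other_host_denied"] = fw.inbound_packet("198.51.100.7", 20, a, 5560)
    results["unrelated_denied"] = fw.inbound_packet(b, 21, a, 5561)
    return results


if __name__ == "__main__":
    for k, v in active_ftp_walkthrough().items():
        print(f"{k}: {v}")
```

The walkthrough returns the decisions a defender would want to see: the SYN-ACK for the control channel passes through the exact hole, the PORT command opens a hole whose source is "any", the server's SYN from B:20 both passes and narrows that hole, and a SYN from any other outside host to A:5560 is then refused.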

The discussion in the preceding paragraphs focuses primarily on how CBAC handles Active FTP connections, where the data connection is initiated by the FTP server sitting on the outside. In Passive FTP mode, both the control and data connections are initiated from inside to outside if the FTP clients are located on the inside. More details on Active and Passive FTP can be found in the following location: http://www.cisco.com/en/US/about/ac123/ac147/ac174/ac199/about_cisco_ipj_archive_article09186a00800c85a7.html

Details on how CBAC handles Passive FTP can be found in the following location: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_qanda_item09186a008009464d.shtml#qa5

Being a stateful firewall, CBAC provides several security services to your network. The most important are discussed in the sections that follow.