Configuring CBAC
To configure CBAC, complete the following steps:
Step 1. Select an interface: internal or external.
Step 2. Configure an IP access list.
Step 3. Define an inspection rule.
Step 4. Configure global timeouts and thresholds (optional).
Step 5. Apply the access list and the inspection rule to an interface.
Step 6. Verify and monitor CBAC.
Step 1—Select an Interface: Internal or External
CBAC can be configured on either an internal or an external interface of the firewall.
Internal refers to the trusted/protected side, where sessions must originate for traffic to be permitted
through the firewall.
External refers to the untrusted/unprotected side, where sessions cannot originate. Sessions originating
from the external side will be blocked.
Figure 5-2. Internal Versus External Interface
Although CBAC is recommended to be configured in one direction per interface, it can be configured in two
directions (also known as bidirectional CBAC) on one or more interfaces when the networks on both sides of the
firewall require protection, such as with extranet or intranet configurations, and for protection against DoS
attacks.
Step 2—Configure an IP Access List
For CBAC to work, an IP access list is configured to create temporary openings through the firewall to allow
return traffic. It is important to remember that the access list must be an extended access list.
There is no basic template for configuring the access list. Configuration depends on the security policy of an
organization. The access list should be kept simple, starting with a basic initial configuration. Making the access
list complex and cluttered could inadvertently introduce security risks by allowing unwanted traffic through the
firewall, thereby putting the protected network at risk. It is essential to understand and verify the access list
before applying it in a production environment.
Follow these general guidelines to create an access list:
Explicitly block all network traffic that originates from the unprotected zone and moves to the protected
zone, unless required. For example, when hosting a web server in the protected zone, it is explicitly
required to permit HTTP (TCP port 80) that originates from the unprotected zone.
Step 3—Define an Inspection Rule
CBAC requires defining an inspection rule to specify which IP traffic (application-layer protocols) will be
inspected by the firewall engine.
An inspection rule should specify each desired application-layer protocol as well as generic TCP or UDP if
required. The inspection rule consists of a series of statements, each listing a protocol under the same
inspection rule name, as shown in Example 5-5. Inspection rule statements can include other options, such as
controlling alert and audit trail messages and checking IP packet fragmentation.
Use the ip inspect name global configuration command to create a CBAC inspection rule set for the required
application-layer protocol. Example 5-5 shows how to enable inspection for HTTP, FTP, SMTP, and generic TCP
and UDP protocols. Other application protocols (not defined here) can be enabled as required.
Example 5-5. Define CBAC Inspection Rules
Router(config)# ip inspect name myfw http
Router(config)# ip inspect name myfw ftp
Router(config)# ip inspect name myfw smtp
Router(config)# ip inspect name myfw tcp
Router(config)# ip inspect name myfw udp
Step 4—Configure Global Timeouts and Thresholds
CBAC uses several timeout and threshold values to determine the state of a session and the duration for
which it is maintained. At times, entries are kept indefinitely for abruptly terminated sessions, which
occupy unnecessary resources. Incomplete sessions, idle (unused) sessions, and abruptly terminated sessions can
be cleared using the timeout and threshold values.
The timeout and threshold values can be left at their defaults or tuned to suit the network
requirement. Table 5-1 shows the available CBAC timeout and threshold commands and their default values.
Use the commands listed in the table to modify global timeout or threshold values as required.
Step 5—Apply the Access List and the Inspection Rule to an Interface
For CBAC to take effect, the access list and the inspection rules configured earlier must be applied to the
interface.
Deciding where CBAC should be configured (internal or external interface) is subjective. As shown in Figure 5-3,
CBAC inspection can be configured on either internal or external interfaces—a decision that depends entirely on
the security policy. When making that decision, consider which segment is required to be protected:
Apply CBAC inspection to the external (outbound) interface when configuring CBAC for outbound traffic.
Apply CBAC inspection to the internal (inbound) interface when configuring CBAC for inbound traffic.
Figure 5-3. Applying ACL and CBAC Inspection
To apply an inspection rule to an interface, use the ip inspect inspection-name {in | out} command in
interface configuration mode.
Step 6—Verifying and Monitoring CBAC
Use the show ip inspect [config | interfaces] command or the show ip inspect all command to verify CBAC
configuration settings. To display the statistics and the session information table, with all the established and half-open
connections for every session flow through the firewall, use the show ip inspect sessions [detail] command. In
addition, use the show ip access-lists command to verify the dynamic access list entries populated in the
firewall access list, as shown in Example 5-1 and Example 5-2.
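The six steps above combined into one IOS configuration, as an added example that is not part of the original text. It assumes a router whose external interface is GigabitEthernet0/1 (203.0.113.2), an internal LAN of 10.1.1.0/24, and a web server at 10.1.1.10; the interface names, addresses, and tuned timeout values are constructed for illustration, and the inspection rule name myfw is the one from Example 5-5.

```cisco
! Step 2: extended ACL applied inbound on the external (untrusted) interface.
! Only HTTP to the web server is statically permitted; CBAC inserts temporary
! entries for return traffic of inspected outbound sessions, so nothing else
! from the unprotected zone gets through.
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.1.1.10 eq 80
 deny   ip any any log
!
! Step 3: one inspection rule set (myfw) listing each protocol to inspect
ip inspect name myfw http
ip inspect name myfw ftp
ip inspect name myfw smtp
ip inspect name myfw tcp
ip inspect name myfw udp
!
! Step 4 (optional): global timeouts and half-open thresholds; values shown
! are illustrative, the defaults in Table 5-1 apply if these are omitted
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
!
! Step 5: apply the ACL inbound and the inspection rule outbound on the
! external interface, so sessions can originate only from the protected side
interface GigabitEthernet0/1
 description External (untrusted) link
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect myfw out
!
! Step 6 (exec mode): confirm the rule set, watch sessions and half-open
! counts, and check the temporary entries CBAC adds to OUTSIDE-IN
Router# show ip inspect config
Router# show ip inspect sessions detail
Router# show ip access-lists OUTSIDE-IN
```

If the internal segment also needs protection from sessions initiated on the outside (bidirectional CBAC), the same pattern is repeated with a second ACL and an ip inspect statement on the internal interface.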