Dynamic ACL Entries
As discussed earlier, CBAC uses the connection information in the state table to open dynamic holes in the firewall's access list for returning traffic that would otherwise be blocked. CBAC adds and removes these access list entries at the firewall interfaces on its own, without any change to the configured ACL. A temporary opening is created, in accordance with the state table, for every inspected session that originates on the internal (protected) network and passes outbound through the firewall toward the unprotected side. The purpose of these access list entries is to evaluate the traffic flowing back into the internal network: each entry is the mirror image of one outbound session (source and destination addresses and ports swapped), so the opening admits only packets that belong to a session the firewall has already seen and deemed permissible. Example 5-2 shows the dynamic ACL entry (corresponding to Example 5-1) that permits the return traffic of a Telnet session initiated by a host on the internal network. In the example, 10.1.1.1 is the internal host using ephemeral port 11006 and 20.1.1.1 is the external Telnet server; the dynamic entry appears ahead of the statically configured entries and is evaluated first.
Example 5-2. Dynamic ACL Entry Corresponding to the State Table
Router# show ip access-lists
Extended IP access list 101
permit tcp host 20.1.1.1 eq telnet host 10.1.1.1 eq 11006 (16 matches)
permit tcp any host WebServer eq http
deny ip any any (12 matches)
Note
The dynamically created access list entries that allow returning traffic are temporary: they exist only in the router's running state for the lifetime of the session and are never saved to nonvolatile random-access memory (NVRAM), so they do not appear in the startup configuration and do not survive a reload.
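The following Python model is an added illustration of the mechanism described above; it is not Cisco IOS code and does not come from the book. It keeps a state table keyed on the outbound five-tuple, installs the reversed permit entry ahead of the static ACL when an outbound session is inspected, evaluates inbound packets against dynamic entries first, removes the entry when the session closes, and shows that only the static entries would be written to the saved configuration. The WebServer address 10.1.1.2, the external client 30.1.1.1 and the stray port 11007 are assumed values chosen for the demonstration; ports are printed numerically rather than as IOS keywords such as "telnet".

```python
"""Toy model of CBAC dynamic ACL entries (added example, not IOS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str               # address or "any"
    sport: Optional[int]   # None means any port
    dst: str
    dport: Optional[int]
    dynamic: bool = False  # True for CBAC-created temporary entries

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.sport in (None, pkt.sport)
                and self.dst in ("any", pkt.dst)
                and self.dport in (None, pkt.dport))

    def render(self) -> str:
        """Render in a show ip access-lists style (numeric ports)."""
        def host(a: str) -> str:
            return "any" if a == "any" else "host " + a

        def port(p: Optional[int]) -> str:
            return "" if p is None else f" eq {p}"

        return (f"{self.action} {self.proto} {host(self.src)}{port(self.sport)} "
                f"{host(self.dst)}{port(self.dport)}")


SessionKey = Tuple[str, str, int, str, int]


class CbacFirewall:
    """Inbound ACL on the unprotected interface plus a CBAC state table."""

    def __init__(self, static_inbound_acl: List[AclEntry]):
        self.static_acl = list(static_inbound_acl)
        self.state_table: Dict[SessionKey, AclEntry] = {}

    @staticmethod
    def _key(pkt: Packet) -> SessionKey:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def inspect_outbound(self, pkt: Packet) -> AclEntry:
        """Inspected outbound session: record it and open the reversed hole."""
        entry = AclEntry("permit", pkt.proto, pkt.dst, pkt.dport,
                         pkt.src, pkt.sport, dynamic=True)
        self.state_table[self._key(pkt)] = entry
        return entry

    def close_session(self, pkt: Packet) -> None:
        """Session ended (close seen or idle timeout): remove the hole."""
        self.state_table.pop(self._key(pkt), None)

    def inbound_acl(self) -> List[AclEntry]:
        # Dynamic entries sit ahead of the static entries and are evaluated first.
        return list(self.state_table.values()) + self.static_acl

    def evaluate_inbound(self, pkt: Packet) -> str:
        for entry in self.inbound_acl():
            if entry.matches(pkt):
                return entry.action
        return "deny"  # implicit deny at the end of every ACL

    def running_acl(self) -> List[str]:
        return [e.render() for e in self.inbound_acl()]

    def startup_acl(self) -> List[str]:
        # Dynamic entries are never written to NVRAM; only static entries persist.
        return [e.render() for e in self.static_acl]


WEB_SERVER = "10.1.1.2"  # assumed address for the "WebServer" host in Example 5-2


def demo() -> dict:
    fw = CbacFirewall([
        AclEntry("permit", "tcp", "any", None, WEB_SERVER, 80),
        AclEntry("deny", "ip", "any", None, "any", None),
    ])
    telnet_out = Packet("tcp", "10.1.1.1", 11006, "20.1.1.1", 23)  # as in Example 5-2
    fw.inspect_outbound(telnet_out)
    reply = Packet("tcp", "20.1.1.1", 23, "10.1.1.1", 11006)
    stray = Packet("tcp", "20.1.1.1", 23, "10.1.1.1", 11007)      # assumed, not in a session
    results = {
        "reply_during_session": fw.evaluate_inbound(reply),
        "stray_during_session": fw.evaluate_inbound(stray),
        "web_request": fw.evaluate_inbound(Packet("tcp", "30.1.1.1", 40000, WEB_SERVER, 80)),
        "running_acl": fw.running_acl(),
        "startup_acl": fw.startup_acl(),
    }
    fw.close_session(telnet_out)
    results["reply_after_close"] = fw.evaluate_inbound(reply)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes the security property of the mechanism explicit: the reply to the inspected session is permitted, a packet from the same server to a different internal port is not, the static WebServer entry still works independently of the state table, and once the session closes the reversed entry is gone and the same reply is denied again. Compare running_acl with startup_acl to see why a dynamic entry visible in show ip access-lists never shows up in the saved configuration.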