Remember this rule: for CBAC to work (let something back in), it has to have an access-list blocking it.

Let me explain. CBAC is a tool that monitors communications over an interface and protects against session hijacking and other hacking exploits. It's also a tool that lets something pass through only if it started on the other side. So if you have a client inside that initiates a web page download (port 80), CBAC will only let the page back in if the flow was initiated from inside the network first. It's a glorified access-list with the "established" keyword. You put CBAC on an interface in THE DIRECTION YOU WISH TO START THE COMMUNICATION. This starts the monitoring session of that flow. Then, in order for the packet to come back in via CBAC, it needs an access list to first stop it.

Here's a correct implementation of CBAC. Notice that access-list 100 blocks everything in the world but ping replies from coming back in. Without CBAC, nothing would come back in, but with CBAC on, if the communication started on the inside, the communication will come back in. This is why you need an extended access-list for the external interface, because what if you just wanted to monitor POP3 mail sessions? You would need an extended list that can block 110. A standard list will not block 110.

Current configuration : 1555 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
no logging console
enable secret 5 $1$VwiM$FoLwO/1A5zmRHzs5VzzNs/
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip domain-lookup
!
ip inspect name stop tcp
ip inspect name stop udp
ip inspect name stop ftp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
interface Ethernet0
 ip address 192.168.42.254 255.255.255.0
 ip access-group 100 in
 ip access-group 2 out
 ip nat outside
 ip inspect stop out
 half-duplex
!
interface FastEthernet0
 bandwidth 100000
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
ip default-gateway 192.168.42.1
ip nat pool test 192.168.42.254 192.168.42.254 netmask 255.255.255.0
ip nat inside source list 1 pool test overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.42.1
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.42.0 0.0.0.255
access-list 100 permit icmp any any echo-reply
!
line con 0
 password 16050
 login
line aux 0
 password 16050
 login
line vty 0 4
 password 16050
 login
line vty 5 15
 password 16050
 login
!
no scheduler allocate
end

"Matthew Crane" wrote in message news:[EMAIL PROTECTED]...
> It's all about what you want CBAC to do for you. CBAC is there to prevent
> access from outside to your network, so from inside to outside keep it as
> loose as possible, hence standard access lists.
>
> For inbound access, then if you want CBAC to look at it, the inspection must
> be more granular.
>
> For the purposes of CBAC you trust what's going out, so access can be as vague
> as you want, but inbound you do not trust at all, BUT it just might be
> valid, but you want to inspect and know as much about the inbound traffic as
> possible before you make a decision on letting it in.
> >
> > Hunt Lee wrote:
> >
> > I have read the MCNS (Cisco Press) book several times, especially
> > Chapter 8; however, I'm still very confused about the following
> > question:
> >
> > The book states that when configuring CBAC on an external interface,
> >
> > 1) The Outbound Access-List can be standard or extended
> > 2) The Inbound Access-List MUST be extended
> >
> > And when configuring CBAC on an external interface,
> >
> > 1) The Inbound Access-List at the internal interface or Outbound
> >    Access-List can be either standard or extended
> > 2) The Outbound Access-List at internal interface or Inbound Access-List
> >    at external interface MUST be extended.
> >
> > It also states that for CBAC to create a temporary opening in an
> > access-list, the access-list Must be extended?
> >
> > Any help is greatly appreciated.
> >
> > Best Regards,
> > Hunt Lee

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27985&t=27751
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
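The POP3 case the top post raises, as an added example that is not part of any post in this thread: the same outside interface configured once with a standard list inbound (which cannot match on TCP/110 and which CBAC cannot insert its temporary entries into) and once with an extended list inbound plus inspection applied outbound. The interface names and the 10.0.0.0/24 inside and 192.168.42.0/24 outside addresses follow the posted config; the inspection name MAIL, the ACL numbers 10 and 100, and the 3600-second timeout are assumed for illustration.

```cisco
! Added example, not the poster's running config.
!
! --- Weak: standard list inbound on the outside interface ---------------
! A standard ACL matches on source address only. It has no way to say
! "deny port 110", and CBAC's temporary openings go into an extended
! list, so inspected sessions would still have nothing to return through.
access-list 10 permit 192.168.42.1
!
interface Ethernet0
 description outside (weak form, shown for contrast; do not use)
 ip address 192.168.42.254 255.255.255.0
 ip access-group 10 in
 ip inspect MAIL out
!
! --- Correct: extended list inbound, inspection outbound ----------------
! Inspect TCP leaving via the outside interface (POP3 is TCP/110); CBAC
! records every session an inside host opens. Timeout is assumed.
ip inspect name MAIL tcp timeout 3600
!
! Extended list applied inbound on the outside interface. The explicit
! deny of TCP/110 is the match a standard list cannot express; the final
! deny makes the "block everything but echo-reply" rule visible and logs
! hits. CBAC adds a temporary permit ahead of these entries for each
! session it saw start from the inside and removes it when the session
! closes or times out.
access-list 100 deny   tcp any any eq 110
access-list 100 permit icmp any any echo-reply
access-list 100 deny   ip any any log
!
interface Ethernet0
 description outside
 ip address 192.168.42.254 255.255.255.0
 ip access-group 100 in
 ip inspect MAIL out
!
interface FastEthernet0
 description inside
 ip address 10.0.0.1 255.255.255.0
```

To confirm the rule is doing its job, start a POP3 session from an inside host and run `show ip inspect sessions` on the router: the session should be listed while it is open, and return packets for it pass even though access-list 100 denies TCP/110. A connection attempt to TCP/110 that originates on the outside is never listed and is dropped by the deny entries.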

