Velocity Reviews - Computer Hardware Reviews

Question regarding CBAC Firewall IOS

Vandegraff (07-13-2004)
I am trying to use CBAC Firewall IOS as an alternative to a PIX
firewall to provide some protection for some Internet facing servers.
I believe the router being used has plenty of "horsepower" for the
job. My scenario is this:

The router has two ethernet ports: For illustration, Ethernet 0 faces
the Internet and Ethernet 1 faces the DMZ segment. We are performing
CBAC inspection inbound on Ethernet 1. My understanding is that this
is inspecting the TCP / UDP sessions created from the DMZ and building
ACLs for the return traffic if needed. My concern is this: Will CBAC
applied like this deny inbound connections to TCP ports 80 and 443 for
example on our DMZ web servers?
If the answer to the question above is "no", my second concern is
that when a connection is opened inbound from outside ETH0 to a DMZ
Server, both ACLs to-DMZ and DMZ-out will have to allow the traffic in
question. In other words, CBAC inspection would not be useful in this
direction and ACL rules would have to be built in both ACLs for the
communication to occur successfully.

I have pasted the ACLs and CBAC Lists. I have changed the IPs to
protect the innocent, but it is logically the same as the list we are
planning to apply.

Any suggestions and comments are welcome.


ip inspect name dmz sqlnet timeout 3600
ip inspect name dmz ftp timeout 3600
ip inspect name dmz http timeout 3600
ip inspect name dmz realaudio timeout 3600
ip inspect name dmz smtp timeout 3600
ip inspect name dmz tcp timeout 3600
ip inspect name dmz udp timeout 15
ip inspect name dmz tftp timeout 30
ip audit notify log
ip audit po max-events 100
ip access-list extended to-dmz
!Common section
permit tcp any 10.10.107.0 0.0.0.255 eq 80
permit tcp any 10.10.107.0 0.0.0.255 eq 443
permit ip 172.16.0.0 0.0.255.255 10.10.107.0 0.0.0.255
permit ip 172.20.0.0 0.0.255.255 10.10.107.0 0.0.0.255
permit ip 172.30.0.0 0.0.255.255 10.10.107.0 0.0.0.255
permit ip 172.22.102.0 0.0.0.255 10.10.107.0 0.0.0.255
permit ip 172.22.100.0 0.0.0.255 10.10.107.0 0.0.0.255
permit ip 172.22.92.0 0.0.0.255 10.10.107.0 0.0.0.255
permit ip 172.22.18.0 0.0.1.255 10.10.107.0 0.0.0.255
permit ip 172.22.20.0 0.0.1.255 10.10.107.0 0.0.0.255
!
!
!
!
permit tcp any host 10.10.107.20 eq 20
permit tcp any host 10.10.107.20 eq 21
permit tcp any host 10.10.107.29 eq 1494
!
!
permit tcp any host 10.10.107.39 eq 20
permit tcp any host 10.10.107.39 eq 21
permit tcp any host 10.10.107.10 eq 4000
permit ip host 172.22.101.218 host 10.10.107.33
permit tcp host 172.22.105.28 host 10.10.107.39 eq 1433
permit tcp any host 172.22.107.38 eq 1494
!
deny ip any any log
ip access-list extended dmz-out
!
!Common section
permit tcp 10.10.107.0 0.0.0.255 any eq 80
permit tcp 10.10.107.0 0.0.0.255 any eq 53
permit udp 10.10.107.0 0.0.0.255 any eq 53
!
!
permit tcp host 10.10.107.12 host 172.16.1.66 eq 6008
permit tcp host 10.10.107.12 host 172.16.1.66 eq 8471
permit tcp host 10.10.107.12 host 172.16.1.47 eq 2705
permit tcp host 10.10.107.29 host 172.16.1.29 eq 23
permit tcp host 10.10.107.13 host 172.16.1.63 eq 8471
!
!
permit tcp host 10.10.107.10 host 172.22.102.13 eq 1433
permit tcp host 10.10.107.10 host 172.31.82.67 eq 1521
!
deny ip any any log


interface Ethernet0 (outside)
ip access-group to-dmz in

interface Ethernet1 (inside)
ip inspect dmz in
ip access-group dmz-out in
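To make the two concerns in the post concrete, here is an added example (not from the post, and not Cisco's code): a small Python model of the router's two inbound ACLs and of "ip inspect dmz in", replaying a DMZ-initiated SQL*Net session and an Internet-initiated HTTPS connection to a DMZ web server. It assumes the IOS order of operations (inbound ACL first, then inspection) and uses excerpts of the ACLs above; the hosts 10.10.107.5 and 198.51.100.7 are constructed.

```python
import ipaddress
import re
# Constructed, simplified model (not Cisco's code) of the post's two inbound ACLs and
# 'ip inspect dmz in'. Assumed IOS order: inbound ACL first, then inspection; an
# inspected session opens the reverse 5-tuple for its return traffic on the other side.
net, ip = ipaddress.ip_network, ipaddress.ip_address
TO_DMZ = """permit tcp any 10.10.107.0 0.0.0.255 eq 80
permit tcp any 10.10.107.0 0.0.0.255 eq 443
deny ip any any log"""  # excerpt of the post's to-dmz ACL
DMZ_OUT = """permit tcp 10.10.107.0 0.0.0.255 any eq 80
permit tcp host 10.10.107.10 host 172.31.82.67 eq 1521
deny ip any any log"""  # excerpt of the post's dmz-out ACL
RULE = re.compile(r"(permit|deny) (\S+) (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(?: eq (\d+))?")

def _net(s):  # 'any', 'host X' or 'X wildcard' (contiguous wildcard masks only)
    addr, wild = (("0.0.0.0", "255.255.255.255") if s == "any"
                  else (s[5:], "0.0.0.0") if s.startswith("host ") else s.split())
    return net(f"{addr}/{32 - int(ip(wild)).bit_length()}", strict=False)

def parse_acl(text):  # -> [(permit?, proto, src_net, dst_net, dst_port or None), ...]
    return [(m[1] == "permit", m[2], _net(m[3]), _net(m[4]), m[5] and int(m[5]))
            for m in map(RULE.match, text.splitlines())]

def acl_permits(rules, pkt):  # pkt = (proto, src, sport, dst, dport); first match wins
    proto, src, _, dst, dport = pkt
    for permit, rproto, rsrc, rdst, rport in rules:
        if rproto in (proto, "ip") and src in rsrc and dst in rdst and rport in (None, dport):
            return permit
    return False  # implicit deny at the end of every IOS ACL

ACLS = {"Ethernet0": parse_acl(TO_DMZ), "Ethernet1": parse_acl(DMZ_OUT)}  # applied 'in'

def ingress(fw, iface, pkt):  # fw = {"inspect": interfaces with 'ip inspect dmz in', "sessions": set()}
    if pkt in fw["sessions"]:  # dynamic opening created by an inspected session
        return "permit (CBAC session)"
    if not acl_permits(ACLS[iface], pkt):
        return "deny (ACL)"
    if iface in fw["inspect"]:  # inspection only sees what the inbound ACL passed
        proto, src, sport, dst, dport = pkt
        fw["sessions"].add((proto, dst, dport, src, sport))
    return "permit (ACL)"

def scenarios(inspect_on=frozenset({"Ethernet1"})):
    # Constructed hosts: DMZ web server 10.10.107.5, Internet client 198.51.100.7
    fw, oracle = {"inspect": inspect_on, "sessions": set()}, ip("172.31.82.67")
    db, web, client = ip("10.10.107.10"), ip("10.10.107.5"), ip("198.51.100.7")
    return {"dmz_to_oracle": ingress(fw, "Ethernet1", ("tcp", db, 40000, oracle, 1521)),
            "oracle_reply": ingress(fw, "Ethernet0", ("tcp", oracle, 1521, db, 40000)),
            "inet_syn": ingress(fw, "Ethernet0", ("tcp", client, 51000, web, 443)),
            "web_synack": ingress(fw, "Ethernet1", ("tcp", web, 443, client, 51000))}
```

With inspection on Ethernet1 only, the model opens the return path for the DMZ-initiated SQL*Net session but drops the web server's SYN-ACK at dmz-out, which is the second concern raised in the post. Calling scenarios(frozenset({"Ethernet0", "Ethernet1"})) shows that inspecting inbound on the outside interface as well lets that return traffic through.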