Question regarding CBAC Firewall IOS

Discussion in 'Cisco' started by Vandegraff, Jul 13, 2004.

  Vandegraff (Guest)

    I am trying to use CBAC Firewall IOS as an alternative to a PIX
    firewall to provide some protection for some Internet facing servers.
    I believe the router being used has plenty of "horsepower" for the
    job. My scenario is this:

    The router has two ethernet ports: For illustration, Ethernet 0 faces
    the Internet and Ethernet 1 faces the DMZ segment. We are performing
    CBAC inspection inbound on Ethernet 1. My understanding is that this
    is inspecting the TCP / UDP sessions created from the DMZ and building
    ACLs for the return traffic if needed. My concern is this: Will CBAC
    applied like this deny inbound connections to TCP ports 80 and 443 for
    example on our DMZ web servers?
    If the answer to the question above is "no", my second concern is
    that when a connection is opened inbound from outside ETH0 to a DMZ
    server, both ACLs, to-DMZ and DMZ-out, will have to allow the traffic in
    question. In other words, CBAC inspection would not be useful in this
    direction, and ACL rules would have to be built in both ACLs for the
    communication to occur successfully.

    I have pasted the ACLs and CBAC Lists. I have changed the IPs to
    protect the innocent, but it is logically the same as the list we are
    planning to apply.

    Any suggestions and comments are welcome.


    ip inspect name dmz sqlnet timeout 3600
    ip inspect name dmz ftp timeout 3600
    ip inspect name dmz http timeout 3600
    ip inspect name dmz realaudio timeout 3600
    ip inspect name dmz smtp timeout 3600
    ip inspect name dmz tcp timeout 3600
    ip inspect name dmz udp timeout 15
    ip inspect name dmz tftp timeout 30
    ip audit notify log
    ip audit po max-events 100

    ip access-list extended to-dmz
    !Common section
    permit tcp any 10.10.107.0 0.0.0.255 eq 80
    permit tcp any 10.10.107.0 0.0.0.255 eq 443
    permit ip 172.16.0.0 0.0.255.255 10.10.107.0 0.0.0.255
    permit ip 172.20.0.0 0.0.255.255 10.10.107.0 0.0.0.255
    permit ip 172.30.0.0 0.0.255.255 10.10.107.0 0.0.0.255
    permit ip 172.22.102.0 0.0.0.255 10.10.107.0 0.0.0.255
    permit ip 172.22.100.0 0.0.0.255 10.10.107.0 0.0.0.255
    permit ip 172.22.92.0 0.0.0.255 10.10.107.0 0.0.0.255
    permit ip 172.22.18.0 0.0.1.255 10.10.107.0 0.0.0.255
    permit ip 172.22.20.0 0.0.1.255 10.10.107.0 0.0.0.255
    !
    !
    !
    !
    permit tcp any host 10.10.107.20 eq 20
    permit tcp any host 10.10.107.20 eq 21
    permit tcp any host 10.10.107.29 eq 1494
    !
    !
    permit tcp any host 10.10.107.39 eq 20
    permit tcp any host 10.10.107.39 eq 21
    permit tcp any host 10.10.107.10 eq 4000
    permit ip host 172.22.101.218 host 10.10.107.33
    permit tcp host 172.22.105.28 host 10.10.107.39 eq 1433
    permit tcp any host 172.22.107.38 eq 1494
    !
    deny ip any any log

    ip access-list extended dmz-out
    !
    !Common section
    permit tcp 10.10.107.0 0.0.0.255 any eq 80
    permit tcp 10.10.107.0 0.0.0.255 any eq 53
    permit udp 10.10.107.0 0.0.0.255 any eq 53
    !
    !
    permit tcp host 10.10.107.12 host 172.16.1.66 eq 6008
    permit tcp host 10.10.107.12 host 172.16.1.66 eq 8471
    permit tcp host 10.10.107.12 host 172.16.1.47 eq 2705
    permit tcp host 10.10.107.29 host 172.16.1.29 eq 23
    permit tcp host 10.10.107.13 host 172.16.1.63 eq 8471
    !
    !
    permit tcp host 10.10.107.10 host 172.22.102.13 eq 1433
    permit tcp host 10.10.107.10 host 172.31.82.67 eq 1521
    !
    deny ip any any log

    interface Ethernet0 (outside)
    ip access-group to-dmz in

    interface Ethernet1 (inside)
    ip inspect dmz in
    ip access-group dmz-out in

    Vandegraff, Jul 13, 2004
    #1
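As an added illustration of the two concerns raised in the post (this is example code written for this page, not Cisco's code or anything from the original thread), the following Python model replays the poster's ACLs against three packet flows. The model is a deliberate simplification of documented CBAC behaviour and should not be read as an exact IOS implementation: it assumes that the inbound ACL of an interface is evaluated for every packet entering it, that `ip inspect ... in` on an interface records a session for each permitted TCP SYN entering that interface, and that return packets of a recorded session pass the opposite interface's inbound ACL without a static entry. The Internet addresses (198.51.100.x, 203.0.113.x) and ephemeral ports are constructed; the DMZ range and ACL entries are taken from the post. The third scenario, inspection applied inbound on Ethernet0 as well, is an assumed alternative configuration used only to show what the model predicts, not a recommendation from the thread.

```python
"""Toy model of CBAC (ip inspect) openings versus static interface ACLs.
Simplified model written for this example, NOT IOS code.  Assumptions:
(1) every packet entering an interface is checked against that interface's
inbound ACL; (2) inspection "in" on an interface records a session for each
permitted TCP SYN entering it; (3) return packets of a recorded session pass
the opposite interface's inbound ACL without a static permit entry."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # first packet of a TCP connection


@dataclass
class Ace:
    """One access-list entry; proto 'ip' matches any protocol, dport None any port."""
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == p.dport


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


ANY = net("0.0.0.0/0")


@dataclass
class Interface:
    name: str
    acl_in: List[Ace]
    inspect_in: bool = False   # "ip inspect <name> in" applied on this interface


class Router:
    def __init__(self, interfaces: List[Interface]):
        self.ifaces = {i.name: i for i in interfaces}
        # CBAC session table keyed by (proto, src, sport, dst, dport)
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def _is_return_traffic(self, p: Packet) -> bool:
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions

    def receive(self, iface_name: str, p: Packet) -> str:
        """Evaluate a packet entering iface_name and return the verdict."""
        iface = self.ifaces[iface_name]
        if self._is_return_traffic(p):
            return "permit (CBAC session)"   # temporary opening, no static ACE needed
        for ace in iface.acl_in:
            if ace.matches(p):
                if (ace.action == "permit" and iface.inspect_in
                        and p.proto == "tcp" and p.syn):
                    self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return ace.action
        return "deny (implicit)"


def build_router(inspect_outside: bool) -> Router:
    """Subset of the post's ACLs; inspect_outside adds 'ip inspect dmz in' on Ethernet0."""
    dmz = net("10.10.107.0/24")
    to_dmz = [Ace("permit", "tcp", ANY, dmz, 80),
              Ace("permit", "tcp", ANY, dmz, 443),
              Ace("deny", "ip", ANY, ANY)]
    dmz_out = [Ace("permit", "tcp", dmz, ANY, 80),
               Ace("permit", "tcp", dmz, ANY, 53),
               Ace("permit", "udp", dmz, ANY, 53),
               Ace("deny", "ip", ANY, ANY)]
    return Router([Interface("Ethernet0", to_dmz, inspect_in=inspect_outside),
                   Interface("Ethernet1", dmz_out, inspect_in=True)])


def dmz_initiated_http(r: Router) -> Tuple[str, str]:
    """DMZ host opens HTTP to the Internet; the reply has no static permit in to-dmz."""
    syn = Packet("tcp", "10.10.107.20", 40000, "198.51.100.7", 80, syn=True)
    synack = Packet("tcp", "198.51.100.7", 80, "10.10.107.20", 40000)
    return r.receive("Ethernet1", syn), r.receive("Ethernet0", synack)


def internet_initiated_http(r: Router) -> Tuple[str, str]:
    """Internet client opens HTTP to a DMZ web server; can the server's reply leave?"""
    syn = Packet("tcp", "203.0.113.9", 51000, "10.10.107.20", 80, syn=True)
    synack = Packet("tcp", "10.10.107.20", 80, "203.0.113.9", 51000)
    return r.receive("Ethernet0", syn), r.receive("Ethernet1", synack)
```

Under these assumptions the model gives `("permit", "permit (CBAC session)")` for the DMZ-initiated flow, `("permit", "deny")` for the Internet-initiated flow with inspection only on Ethernet1 (the inbound SYN is allowed by the static port-80 entry, so CBAC does not block inbound web traffic, but the server's SYN-ACK has a source port of 80 and a random destination port, which no static entry in dmz-out covers), and `("permit", "permit (CBAC session)")` once inspection is also applied inbound on Ethernet0. On a real router the equivalent check is to open a test connection and look at `show ip inspect sessions` together with the `deny ip any any log` hits on the affected ACL.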