cbac confusion

adassus Member Posts: 13
I'm having a bit of a problem understanding CBAC.

I can understand it pretty well when the inspect rule is applied in the inbound direction (on the secured interface). It's going to permit traffic from external networks to get back into the secured network, going through the external extended access list on the unsecured interface.

Can someone give me an example of CBAC used in the outbound direction, applied on the unsecured interface?

I just can't see how it could be used!!


Thanks a lot!!

Comments

  • kryolla Member Posts: 785
    It is the same thing if you apply it to the inbound on the inside interface or outbound on the outside interface.

    Inbound on the inside interface permits temp holes in the interface ACL where the traffic is switched to, i.e. inside is e0/0 and outside is s0/0 and e1/0 (DMZ), so there is an ACL on s0/0 inbound with deny ip any any, and whatever traffic originated on e0/0 and destined out s0/0 will open a temp hole in the deny ip any any ACL for return traffic.
    If you apply it to the outside interface s0/0 outbound, it will work the same and open holes in the ACL applied inbound to the outside interface. So if you only have 2 interfaces on your router, you would want to put on the outside interface outbound inspect and inbound deny ip any any. If you put the inspect on the inside interface inbound, it will work, but the router will monitor all traffic coming into that interface, including traffic destined for the router. If you have 3 interfaces including a DMZ, you would want to put the inspect rule on the inside interface to permit return traffic from the DMZ or the internet. Your DMZ inbound interface should have a deny ip any any. HTH


    cisco ios firewall config guide
    Studying for CCIE and drinking Home Brew
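    The two placements described in the post above, written out as IOS configuration. This is an added example, not configuration from the poster; the interface names follow the post, while the inspect rule name FW, the ACL names, and the RFC 5737 / RFC 1918 addresses are assumptions chosen for the example.

```cisco
! Inspection rule: CBAC tracks outbound TCP, UDP and ICMP sessions
! and opens temporary return holes in the inbound ACL for them.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound ACL on the untrusted side: deny everything that CBAC has not
! punched a hole for. "log" lets you see what is being dropped.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
! ---------------------------------------------------------------
! Design A: two interfaces (inside e0/0, outside s0/0).
! Inspect OUTBOUND on the outside interface, ACL INBOUND on it.
! Traffic bound for the router itself is never inspected this way,
! which is the advantage the post mentions over Design B.
! ---------------------------------------------------------------
interface Ethernet0/0
 description Inside (assumed 10.0.0.0/24)
 ip address 10.0.0.1 255.255.255.0
!
interface Serial0/0
 description Outside (assumed 203.0.113.0/30)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! ---------------------------------------------------------------
! Design B: three interfaces (inside e0/0, outside s0/0, DMZ e1/0).
! Inspect INBOUND on the inside interface so that one rule covers
! inside-originated sessions leaving via either s0/0 or e1/0.
! Both untrusted interfaces carry an inbound deny-all ACL.
! (Apply this instead of the "ip inspect FW out" line in Design A.)
! ---------------------------------------------------------------
ip access-list extended DMZ-IN
 deny ip any any log
!
interface Ethernet0/0
 description Inside (assumed 10.0.0.0/24)
 ip address 10.0.0.1 255.255.255.0
 ip inspect FW in
!
interface Ethernet1/0
 description DMZ (assumed 192.0.2.0/24)
 ip address 192.0.2.1 255.255.255.0
 ip access-group DMZ-IN in
!
! Verification after an inside host opens a session:
!   show ip inspect sessions      - the tracked session and its return hole
!   show ip inspect interfaces    - which rule/ACL is bound where
```

    In either design the permanent ACL stays deny-all; what changes is only where the inspect rule sits, and therefore which traffic the router has to track. With Design A a session from the inside to the internet is recorded as it leaves s0/0, and the matching reply is allowed through OUTSIDE-IN for the life of that session only.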
  • adassus Member Posts: 13

    Hey, thanks a lot! I ran a sim with Dynamips, and it works fine.