Context Based Access Control
- Performs protocol specific inspection using port-numbers or port-map table.
- Only performs inspection for the protocols that are specified in the inspection rule. This enables the IOS firewall to temporarily open dynamic entries to allow the return traffic and bypass the interface ACL configured on the opposite direction (where the return traffic is expected).
- Supports TCP/UDP/ICMP and many other application level protocols.
- If you do not specify a protcol for inspection, the existing interface ACLs will determine how that protocol is filtered.
- For traffic to be inspected, it first has to per permitted by the interfaces ACLs. If packet is denied by an interface ACL, CBAC does not inspect the traffic.
- Threshold against DoS attack;
- Total number of half-open TCP/UDP session
- Total number of half-open sessions based upon time.
- Total number of half-open TCP session per host.
- (Originating traffic) Internal interface Inbound ACL and External interface Outbound ACL can either be extended/standard ACL.
- (Return traffic) External interface Inbound ACL and Internal interface Outbound ACL should be extended ACL only.
- Application layer protocol that is inspected will take precedence over the TCP/UDP packet inspection. Example, FTP inspection will be preferred over TCP if both the inspections are configured.
- no ip inspect removes all CBAC configuration and resets all CBAC global timeout and threshold to default value.
Cisco Doc Link:
- Threshold is configured for half-open connections globally and per host basis.
ip inspect max-incomplete low 200
ip inspect max-incomplete high 175
ip inspect tcp max-incomplete host 80 block-time 0
- Inside to DMZ/Outside TCP UDP and ICMP are inspected.
ip inspect name in_in tcp timeout 60
ip inspect name in_in udp timeout 60
ip inspect name in_in icmp timeout 60
- Outside to DMZ HTTP and ICMP is inspected.
ip inspect name out_in http alert on audit-trail on timeout 5
ip inspect name out_in icmp
- ACLs are in place to make sure the originating traffic is being allowed at the interface level and the return traffic is allowed to come back in irrespective of the ACLs blocking the return traffic on the DMZ/Outside interface.
ip access-list extended dmz_in
deny ip any any log
ip access-list extended out_in
permit eigrp any any
permit icmp any host 10.0.0.100
permit tcp any host 10.0.0.100 eq www
deny ip any any log
- ACLs and Inspection rules are applied to the interfaces
ip inspect in_in in
ip access-group out_in in
ip inspect out_in in
ip access-group dmz_in in