For a low budget firewall functionality, a Cisco router with the proper IOS version can work as a network firewall providing stateful protocol inspection using the Context-Based Access Control (CBAC) feature. Many people use normal Access Control Lists on Cisco routers for traffic filtering and protection. However, a normal ACL is just a static packet filtering mechanism and nothing else. With a CBAC configuration, the router acts like a firewall. That is, it inspects protocols and sessions and keeps a state of the connection in memory. This means that an outbound packet (from inside the network to the outside) is inspected and a connection state of the session is kept in memory. The reply packet which belongs to the original outbound connection is allowed to pass through the router/firewall and reach the internal system which originated the connection. This stateful functionality is achieved by the IOS Firewall CBAC mechanism by opening temporary holes on an Access List in order to allow the reply packets.
A normal ACL checks traffic up to the transport layer. CBAC on the other hand inspects traffic up to the application layer to learn about the state of the session and to apply firewall filtering on the specific application. The protocols supported by CBAC for inspection are the following:
CUSeeMe Protocol, ftp, h323, http, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tcp, tftp, udp, vdolive. CBAC helps to protect also against DoS attacks such as SYN-floods or fragmentation attacks.
CBAC is applied either inbound or outbound on a specific router interface. CBAC applied “Inbound” on an interface inspects traffic entering the interface and CBAC applied “Outbound” on an interface inspects traffic exiting the interface. CBAC cooperates with an ACL applied on the same interface in order to provide the firewall stateful functionality that we described above. Lets see a simple example below.
In the figure above, assume that there is an inbound ACL applied on S0 on the router. The ACL is configured to block Telnet traffic initiated from the outside. Assume also that there is a CBAC rule applied “outbound” on S0. An internal user (User1) initiates a Telnet session from inside to outside. When the connection request for User1′s Telnet session passes through the firewall, CBAC inspects the Telnet traffic when exits interface S0 and creates a temporary opening in the inbound access list at S0 to permit returning Telnet traffic for User1′s Telnet session. (If the same access list is applied to both S0 and S1, the same opening would appear at both interfaces.)
Important Note: CBAC which inspects outbound traffic from an interface, will create temporary openings on the Access List which is applied Inbound on the interface. This is required to allow the return packets to pass through the ACL.
Let us see a configuration example below to get a better picture.
Configuration Example:
Refer to the diagram below for our configuration example:
We have a border Cisco router connecting the internal LAN 192.168.1.0/24 to the Internet. We have a static public IP address 50.50.50.1 on interface Serial0/0. Also, we have a DMZ segment (interface FE0/0) hosting a DMZ Web Server 10.1.1.1. We want to allow access from Internet towards the Web Server only. We use static NAT to hide the Web server private address behind our public address. Also, we use PAT on interface S0/0 for all outbound communication from the internal LAN towards the internet.
Lets see a snapshot of the configuration below:
! Create the outbound CBAC inspection rules
ip inspect name CBAC-IN-OUT tcp
ip inspect name CBAC-IN-OUT ftp
ip inspect name CBAC-IN-OUT h323
ip inspect name CBAC-IN-OUT rcmd
ip inspect name CBAC-IN-OUT http
ip inspect name CBAC-IN-OUT netshow
ip inspect name CBAC-IN-OUT realaudio
ip inspect name CBAC-IN-OUT rtsp
ip inspect name CBAC-IN-OUT sqlnet
ip inspect name CBAC-IN-OUT streamworks
ip inspect name CBAC-IN-OUT tftp
ip inspect name CBAC-IN-OUT udp
ip inspect name CBAC-IN-OUT vdolive
! Create the inbound CBAC to inspect inbound HTTP
ip inspect name CBAC-OUT-IN http
! DMZ interface
interface FastEthernet0/0
ip address 10.1.1.254 255.255.255.0
ip nat inside
full-duplex
no cdp enable
!
! Internal LAN interface
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
full-duplex
no cdp enable
!
! External Internet Interface
! Notice that we apply an inbound ACL and CBAC rules for both in and out inspection
interface Serial0/0
description CONNECTED TO INTERNET
bandwidth 1024
ip address 50.50.50.1 255.255.255.252
ip access-group FIREWALL in
ip nat outside
ip inspect CBAC-OUT-IN in
ip inspect CBAC-IN-OUT out
ip nat inside source list 122 interface Serial0/0 overload
ip nat inside source static tcp 10.1.1.1 80 50.50.50.1 80 extendable no-alias
ip classless
ip route 0.0.0.0 0.0.0.0 50.50.50.2
! This ACL will be used by the CBAC out rule to open temporary holes for return traffic
ip access-list extended FIREWALL
permit icmp any any echo-reply
permit tcp any host 50.50.50.1 eq 80
deny ip any any log
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
A normal ACL checks traffic up to the transport layer. CBAC on the other hand inspects traffic up to the application layer to learn about the state of the session and to apply firewall filtering on the specific application. The protocols supported by CBAC for inspection are the following:
CUSeeMe Protocol, ftp, h323, http, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tcp, tftp, udp, vdolive. CBAC helps to protect also against DoS attacks such as SYN-floods or fragmentation attacks.
CBAC is applied either inbound or outbound on a specific router interface. CBAC applied “Inbound” on an interface inspects traffic entering the interface and CBAC applied “Outbound” on an interface inspects traffic exiting the interface. CBAC cooperates with an ACL applied on the same interface in order to provide the firewall stateful functionality that we described above. Lets see a simple example below.
In the figure above, assume that there is an inbound ACL applied on S0 on the router. The ACL is configured to block Telnet traffic initiated from the outside. Assume also that there is a CBAC rule applied “outbound” on S0. An internal user (User1) initiates a Telnet session from inside to outside. When the connection request for User1′s Telnet session passes through the firewall, CBAC inspects the Telnet traffic when exits interface S0 and creates a temporary opening in the inbound access list at S0 to permit returning Telnet traffic for User1′s Telnet session. (If the same access list is applied to both S0 and S1, the same opening would appear at both interfaces.)
Important Note: CBAC which inspects outbound traffic from an interface, will create temporary openings on the Access List which is applied Inbound on the interface. This is required to allow the return packets to pass through the ACL.
Let us see a configuration example below to get a better picture.
Configuration Example:
Refer to the diagram below for our configuration example:
We have a border Cisco router connecting the internal LAN 192.168.1.0/24 to the Internet. We have a static public IP address 50.50.50.1 on interface Serial0/0. Also, we have a DMZ segment (interface FE0/0) hosting a DMZ Web Server 10.1.1.1. We want to allow access from Internet towards the Web Server only. We use static NAT to hide the Web server private address behind our public address. Also, we use PAT on interface S0/0 for all outbound communication from the internal LAN towards the internet.
Lets see a snapshot of the configuration below:
! Create the outbound CBAC inspection rules
ip inspect name CBAC-IN-OUT tcp
ip inspect name CBAC-IN-OUT ftp
ip inspect name CBAC-IN-OUT h323
ip inspect name CBAC-IN-OUT rcmd
ip inspect name CBAC-IN-OUT http
ip inspect name CBAC-IN-OUT netshow
ip inspect name CBAC-IN-OUT realaudio
ip inspect name CBAC-IN-OUT rtsp
ip inspect name CBAC-IN-OUT sqlnet
ip inspect name CBAC-IN-OUT streamworks
ip inspect name CBAC-IN-OUT tftp
ip inspect name CBAC-IN-OUT udp
ip inspect name CBAC-IN-OUT vdolive
! Create the inbound CBAC to inspect inbound HTTP
ip inspect name CBAC-OUT-IN http
! DMZ interface
interface FastEthernet0/0
ip address 10.1.1.254 255.255.255.0
ip nat inside
full-duplex
no cdp enable
!
! Internal LAN interface
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
full-duplex
no cdp enable
!
! External Internet Interface
! Notice that we apply an inbound ACL and CBAC rules for both in and out inspection
interface Serial0/0
description CONNECTED TO INTERNET
bandwidth 1024
ip address 50.50.50.1 255.255.255.252
ip access-group FIREWALL in
ip nat outside
ip inspect CBAC-OUT-IN in
ip inspect CBAC-IN-OUT out
ip nat inside source list 122 interface Serial0/0 overload
ip nat inside source static tcp 10.1.1.1 80 50.50.50.1 80 extendable no-alias
ip classless
ip route 0.0.0.0 0.0.0.0 50.50.50.2
! This ACL will be used by the CBAC out rule to open temporary holes for return traffic
ip access-list extended FIREWALL
permit icmp any any echo-reply
permit tcp any host 50.50.50.1 eq 80
deny ip any any log
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
