02 May 2010

CBAC Configuration Sample

The configuration command listing below shows the configuration commands for a firewall router with a simple CBAC configuration.

The desired service list for this firewall is: DNS, NTP, HTTP, FTP, Telnet, SMTP and POP3.

ro(config)# no access-list 100
ro(config)# ip access-list extended 100
ro(config-ext-nacl)# permit icmp 192.168.1.0 0.0.0.255 any
ro(config-ext-nacl)# permit udp 192.168.1.0 0.0.0.255 any eq ntp
ro(config-ext-nacl)# permit udp 192.168.1.0 0.0.0.255 any eq domain
ro(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq www
ro(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq ftp
ro(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq telnet
ro(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq smtp
ro(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq pop3
ro(config-ext-nacl)# deny ip any any log
ro(config-ext-nacl)# exit


ro(config)# ! Apply the access list to the outside interface
ro(config)# interface s0/0
ro(config-if)# ip access-group 100 out
ro(config-if)# exit
ro(config)#


ro(config)# no access-list 101
ro(config)# ip access-list extended 101
ro(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 any log
ro(config-ext-nacl)# ! permit routing updates
ro(config-ext-nacl)# permit udp any any eq rip
ro(config-ext-nacl)# ! permit useful ICMP message types
ro(config-ext-nacl)# permit icmp any any echo-reply
ro(config-ext-nacl)# permit icmp any any unreachable
ro(config-ext-nacl)# permit icmp any any ttl-exceeded
ro(config-ext-nacl)# permit icmp any any packet-too-big
ro(config-ext-nacl)# deny ip any any log
ro(config-ext-nacl)# exit

ro(config)# ! apply the access list to the outside interface
ro(config)# interface s0/0
ro(config-if)# ip access-group 101 in
ro(config-if)# exit
ro(config)#


Inspection timeouts, set tighter than the defaults (values are in seconds):

ro(config)# ip inspect tcp synwait-time 15
ro(config)# ip inspect tcp finwait-time 1
ro(config)# ip inspect tcp idle-time 1800
ro(config)# ip inspect udp idle-time 15


To create a CBAC ruleset, use the command ip inspect name. The syntax is shown below.

ip inspect name ruleset-name protocol [alert on/off] [audit-trail on/off] [timeout override-timeout]

The alert option controls whether use of that protocol causes a console alert message to be generated; similarly, the audit-trail option controls whether use of that protocol causes a log message to be generated. Enable the alert and audit-trail features to get additional log messages, beyond those generated by interface access lists. (In older versions of CBAC, audit trails could only be turned on globally, using the command ip inspect audit-trail.)


ro(config)# ip inspect name pf udp audit-trail on
ro(config)# ip inspect name pf tcp audit-trail on
ro(config)# ip inspect name pf ftp audit-trail on
ro(config)# ip inspect name pf smtp audit-trail on

ro(config)# int s0/0
ro(config-if)# ip inspect pf out
ro(config-if)# end

ro# show ip inspect interface
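As an added example (not part of the original post, and not a Cisco tool), the Python script below audits a configuration like the one above from plain config text with the CLI prompts stripped. It parses the outbound ACL and the ip inspect name rule set, compares the permitted ports against the desired service list, checks that the ACL ends in a logged deny-any, and flags permitted TCP/UDP services that the rule set would not inspect. The sample config text and service keywords are the page's; the NEEDS_APP_INSPECT table encodes the assumption that FTP needs its own inspection entry (generic tcp inspection does not open the data channel), and the function names are my own.

```python
"""Audit a Cisco IOS CBAC configuration: outbound ACL vs. desired service list,
and inspection rules vs. what the ACL permits. Added example; the config text
is the page's sample, re-entered as plain config lines (no CLI prompts)."""
import re

# Constructed sample input: the page's ACL 100 and "pf" inspection rules.
SAMPLE_CONFIG = """\
ip access-list extended 100
 permit icmp 192.168.1.0 0.0.0.255 any
 permit udp 192.168.1.0 0.0.0.255 any eq ntp
 permit udp 192.168.1.0 0.0.0.255 any eq domain
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
 permit tcp 192.168.1.0 0.0.0.255 any eq smtp
 permit tcp 192.168.1.0 0.0.0.255 any eq pop3
 deny ip any any log
ip inspect name pf udp audit-trail on
ip inspect name pf tcp audit-trail on
ip inspect name pf ftp audit-trail on
ip inspect name pf smtp audit-trail on
"""

# Desired service list from the text, as IOS port keywords.
DESIRED = {"ntp", "domain", "www", "ftp", "telnet", "smtp", "pop3"}

# Assumption: application protocols with a secondary channel need their own
# CBAC entry; generic "tcp" inspection only tracks the control connection.
NEEDS_APP_INSPECT = {"ftp": "ftp"}

# One access control entry: action, protocol, src, dst, optional "eq port", optional "log".
ACE_RE = re.compile(
    r"^\s*(permit|deny)\s+(\S+)\s+(any|\S+\s+\S+)\s+(any|\S+\s+\S+)"
    r"(?:\s+eq\s+(\S+))?(?:\s+(log))?\s*$")


def parse_acl(config, name):
    """Return the entries of the named extended ACL as dicts, in order."""
    entries, inside = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
            continue
        if not inside:
            continue
        if not line.startswith(" "):       # left the ACL block
            inside = False
            continue
        m = ACE_RE.match(line)
        if m:
            action, proto, src, dst, port, log = m.groups()
            entries.append({"action": action, "proto": proto, "src": src,
                            "dst": dst, "port": port, "log": log is not None})
    return entries


def parse_inspect(config, ruleset):
    """Return {protocol: option string} for one 'ip inspect name' rule set."""
    rules = {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["ip", "inspect", "name"] and len(parts) > 4 and parts[3] == ruleset:
            rules[parts[4]] = " ".join(parts[5:])
    return rules


def audit(config, acl_name="100", ruleset="pf", desired=DESIRED):
    """Compare the outbound ACL with the desired service list and the CBAC
    rule set; empty lists / False mean the check passed."""
    aces = parse_acl(config, acl_name)
    rules = parse_inspect(config, ruleset)
    permitted = {e["port"] for e in aces if e["action"] == "permit" and e["port"]}
    last = aces[-1] if aces else None
    findings = {
        "unexpected_permits": sorted(permitted - desired),
        "missing_services": sorted(desired - permitted),
        # The ACL should end in an explicit, logged deny so drops show up in syslog.
        "unlogged_final_deny": not (last and last["action"] == "deny"
                                    and last["proto"] == "ip" and last["src"] == "any"
                                    and last["dst"] == "any" and last["log"]),
        "uninspected": [],
    }
    for e in aces:
        if e["action"] != "permit" or e["proto"] not in ("tcp", "udp"):
            continue
        if e["proto"] not in rules:   # no generic tcp/udp inspection at all
            findings["uninspected"].append(f"{e['proto']}/{e['port']}")
        app = NEEDS_APP_INSPECT.get(e["port"])
        if app and app not in rules:  # control channel tracked, data channel not
            findings["uninspected"].append(f"{e['proto']}/{e['port']} (needs '{app}')")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run it against a copy of the running config (show running-config, with the prompts stripped) whenever the ACL or rule set changes; a non-empty unexpected_permits list or a True unlogged_final_deny is the kind of drift that silently widens the firewall.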

See Also:


Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (2nd Edition)


biOos