Cisco CBAC Configuration Example

This topic is to discuss the following lesson:

https://networklessons.com/cisco/ccie-routing-switching/cisco-cbac-configuration-example/

Great post, very informative.

Great post RENE!! CBAC is kind of obsolete, but it’s key in order to understand the zone-based FW, or as I named it, ZOMBIES FIREWALL. Thanks for all your help!!

Thanks Miguel!

Hi Rene,
I tried a simple ACL in Packet Tracer and I found that at least one explicit ACE entry is needed in the access-list to make the implicit "deny ip any any" effective; otherwise it allows all the traffic if it is an empty access-list.

Thanks,
Srini

Hi Srini,

That’s right, it’s strange that they programmed it like this but that’s the way it works :slight_smile:

Rene

Hi Rene,
Does the command “ip inspect name FIREWALL ftp” take care of both active and passive FTP?

Thanks,
Srini

Hi Srini,

Yes, both should work. CBAC has more intelligence than the reflexive access-list. It will look into the payload to see what temporary rules are required.

Rene

Thanks Rene. Very simple to configure from an operator’s perspective.

Hello Rene,

Does CBAC apply a dynamic ACL for return traffic, like a reflexive ACL, by inspecting the protocol?

br/
zaman

Hi Zaman,

Hello, that’s right. Inspect will keep track of outgoing connections and allows the return traffic.

Rene

Hi, Rene

How would Cisco CDA work with CBAC? I wonder how CBAC is different from an identity ACL? Would you be able to provide an article on it?

Thanks
Shraddha

I’m still a bit confused about how the ACL taking care of traffic from the outside (the DENY_ALL_INTERNET) refers back to the inspect function. Is it just because we have inspect out and access-group in on the same interface that both will be associated?
If that’s not clear, I’m referring to the output of “show ip inspect all”: how does the inspect function know which ACL the inspect results will be applied to? Cheers!

Hello Clement

Essentially you are correct. Because the inspect command and the access group are configured on the same interface, they automatically work together. However, don’t think of the access list being associated in some way with the inspect command. The inspect command can be thought of as a modifier of any access list functionality that has been applied to the interface. You can add the same inspect command to other interfaces as well, and it will modify the behaviour of the access lists configured there.

I hope this has been helpful!

Laz
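The arrangement described in this answer, written out as a configuration. This is an added example, not from the lesson or from any post in this thread; the interface name and the ACL contents are assumptions, while FIREWALL and DENY_ALL_INTERNET are the names used above.

```cisco
! Added example (not from the lesson or the thread). GigabitEthernet0/1 is
! assumed to be the interface facing the Internet.
!
! 1. Inspection rule. CBAC tracks sessions for these protocols; the ftp
!    entry reads the control channel to open the data channel as well
!    (active or passive), which a reflexive ACL cannot do.
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
!
! 2. Inbound filter for the outside interface. An access-list that exists
!    only by name, with no entries, permits everything once applied, so
!    the deny is written explicitly and logged for visibility.
ip access-list extended DENY_ALL_INTERNET
 deny ip any any log
!
! 3. Both on the same interface: filter inbound, inspect outbound. The
!    inspect statement is not bound to DENY_ALL_INTERNET by name; it
!    modifies whatever access-list is applied here by inserting temporary
!    openings ahead of it for the return traffic of sessions it saw leave.
interface GigabitEthernet0/1
 description OUTSIDE (assumed)
 ip access-group DENY_ALL_INTERNET in
 ip inspect FIREWALL out
!
! Verification: the tracked sessions and the temporary entries they create
! show ip inspect session
! show ip inspect all
```

If the `ip inspect` keyword is rejected on your platform, the IOS image lacks the firewall feature set, as the next answer in this thread explains.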

Hi, here I am unable to do the command ip inspect.

Hello John

For this specific command, Cisco states that:

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

In order to determine if your IOS supports this feature, you can use the Cisco Feature Navigator.

I hope this has been helpful!

Laz