Cisco Systems 520 series Configuring a CBAC Firewall

11-3

Cisco Secure Router 520 Series Software Configuration Guide

OL-14210-01

Chapter 11 Configuring Security Features

Configuring a CBAC Firewall

A sequence of access list definitions bound together with a common name or number is called an access

group. An access group is enabled for an interface during interface configuration with the following

command:

ip access-group {access-list-number | access-list-name}{in | out}

where in | out refers to the direction of travel of the packets being filtered.

Use the following guidelines when creating access groups.

• The order of access list definitions is significant. A packet is compared against the first access list

in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is

compared with the next access list, and so on.

• All parameters must match the access list before the packet is permitted or denied.

• There is an implicit “deny all” at the end of all sequences.

For more complete information on creating access lists, see the “Access Control Lists: Overview and

Guidelines” section of the Cisco IOS Release 12.3 Security Configuration Guide.

Configuring a CBAC Firewall

Context-Based Access Control (CBAC) lets you configure a stateful firewall where packets are inspected

internally and the state of network connections is monitored. This is superior to static access lists,

because access lists can only permit or deny traffic based on individual packets, not streams of packets.

Also, because CBAC inspects the packets, decisions to permit or deny traffic can be made by examining

application layer data, something static access lists cannot do.

To configure a CBAC firewall, specify which protocols to examine by using the following command in

interface configuration mode:

ip inspect name inspection-name protocol timeout seconds

When inspection detects that the specified protocol is passing through the firewall, a dynamic access list

is created to allow the passage of return traffic. The timeout parameter specifies the length of time the

dynamic access list remains active without return traffic passing through the router. When the timeout

value is reached, the dynamic access list is removed, and subsequent packets (possibly valid ones) are

not permitted.

Use the same inspection name in multiple statements to group them into one set of rules. This set of rules

can be activated elsewhere in the configuration by using the ip inspect inspection-name in | out

command when you configure an interface at the firewall.

See Chapter 8, “Configuring a Simple Firewall,” for a sample configuration. For additional information

about configuring a CBAC firewall, see the “Configuring Context-Based Access Control” section of the

Cisco IOS Release 12.3 Security Configuration Guide.