
CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 6-2

Copyright

© 2007, Cisco Systems, Inc

Lab 6.2 Configuring CBAC

Learning Objectives

• Configure CBAC rules on a router

• Apply CBAC rules on a router

Topology Diagram

Scenario

Context-based access control (CBAC) is a powerful tool in the Cisco IOS
Firewall feature set. It provides stateful packet inspection and can defend
against certain types of attacks. In this lab, INSIDE represents an inside
corporate router, OUTSIDE represents an outside Internet or ISP router, and FW
represents the corporate firewall. CBAC alone is not enough to make a router
into a secure Internet firewall, but combined with other security features it
can be a very powerful defense.

Step 1: Configure the Physical Interfaces

Configure the loopback interfaces with the addresses shown in the topology
diagram. Also configure the serial interfaces shown in the diagram. Set the
clock rate on the appropriate interface and issue the no shutdown command
on all serial connections. Verify that you have connectivity across the local
subnet using the ping command.


INSIDE(config)# interface serial0/0/0
INSIDE(config-if)# ip address 172.16.12.1 255.255.255.0
INSIDE(config-if)# clockrate 64000
INSIDE(config-if)# no shutdown

FW(config)# interface serial0/0/0
FW(config-if)# ip address 172.16.12.2 255.255.255.0
FW(config-if)# no shutdown
FW(config-if)# interface serial0/0/1
FW(config-if)# ip address 192.168.23.2 255.255.255.0
FW(config-if)# clockrate 64000
FW(config-if)# no shutdown

OUTSIDE(config)# interface serial0/0/1
OUTSIDE(config-if)# ip address 192.168.23.3 255.255.255.0
OUTSIDE(config-if)# no shutdown

Step 2: Configure Static Default Routes

On the INSIDE and OUTSIDE routers, configure static default routes directing
traffic to unknown destinations to be forwarded to the FW router. FW will not
need any routes because it has interfaces directly connected to both networks
(as shown in the topology diagram).


INSIDE(config)# ip route 0.0.0.0 0.0.0.0 172.16.12.2

OUTSIDE(config)# ip route 0.0.0.0 0.0.0.0 192.168.23.2

Your network should have full IP connectivity at this point. If it does not have full
connectivity, troubleshoot.

Normally, a single-homed company might use Network Address Translation
(NAT) at its corporate edge to protect its network and allow private addressing
within the bounds of its network. In that case, the OUTSIDE router, normally a
provider edge router, would have a static route directing traffic to the address
block owned by the customer out one of its interfaces. In this scenario you will
not configure NAT, and you will use a default route for simplicity.

Step 3: Enable Telnet Access

You will be using the Telnet protocol to test connectivity in this lab scenario. In
order to enable Telnet access on a router beginning with its default
configuration, simply apply the password string command on the virtual
terminal lines.

Apply this configuration change on the INSIDE and OUTSIDE routers. Use
“cisco” as the line password. This will be used later for verification purposes.


INSIDE(config)# line vty 0 4
INSIDE(config-line)# password cisco
INSIDE(config-line)# login

OUTSIDE(config)# line vty 0 4
OUTSIDE(config-line)# password cisco
OUTSIDE(config-line)# login

Step 4: Create IP Inspect Rules

CBAC operates by statefully inspecting some protocols and tracking TCP
connections and UDP flows. CBAC examines the protocols to determine if
incoming, untrusted (outside) traffic is return traffic for an inside-initiated
connection, or the result of arbitrarily spoofed packets. For some well-known
protocols, CBAC can also examine particular application-layer fields to make
sure that the packets are following the protocols of those specific applications
correctly. Any traffic that is not accepted by CBAC is treated appropriately
according to the rules indicated by the access list on the interface. This is done
by explicitly blocking untrusted traffic (which we will configure later) except
when allowed by CBAC.

Why is it important to keep track of connection states, especially with TCP
connections?

The critical part of configuring CBAC involves creating rules to track
connections and flows. Create rules to track TCP and UDP flows using the ip
inspect name name protocol command. Use the name “myrules” and apply the
CBAC rule to the Serial0/0/0 interface in the inbound direction. To see the
protocols available (most of the protocols listed are application layer
protocols), enter the ip inspect name name command followed by the ?
character. Newer IOS versions will have more protocols listed.


FW(config)# ip inspect name myrules ?
802-11-iapp IEEE 802.11 WLANs WG IAPP
ace-svr ACE Server/Propagation
aol America-Online
appfw Application Firewall
appleqtc Apple QuickTime
bgp Border Gateway Protocol
<OUTPUT OMITTED>

FW(config)# ip inspect name myrules tcp
FW(config)# ip inspect name myrules udp

You can also set CBAC timeouts for various protocols. To change the amount
of time that should pass before a UDP flow times out, use the ip inspect udp
idle-time timeout command in global configuration mode. The default UDP idle
timeout is 30 seconds. Change the UDP timeout to 60 seconds.


FW(config)# ip inspect udp idle-time 60

Why is this particularly important for UDP protocols?
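The following Python model is an added illustration of the mechanism this step describes; it is not part of the Cisco lab and not Cisco code. It plays the role of FW: traffic inspected inbound on Serial0/0/0 creates session entries, return traffic arriving inbound on Serial0/0/1 is forwarded only when it matches an entry, and everything else falls through to the deny-and-log access list configured in Step 5. The per-protocol idle timeouts are the lab's (TCP 3600 s, UDP changed to 60 s, ICMP 5 s); the 5-tuple session key, the packet timestamps, the port numbers and the scenario itself are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Per-protocol idle timeouts in seconds, taken from the lab: TCP and ICMP from the
# 'show ip inspect all' output, UDP as changed by 'ip inspect udp idle-time 60'.
IDLE_TIMEOUT = {"tcp": 3600, "udp": 60, "icmp": 5}


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    sport: int    # 0 for ICMP (no ports); a simplification made for this model
    dst: str
    dport: int
    ts: float     # arrival time in seconds on a constructed clock


@dataclass
class Session:
    created: float
    last_heard: float


class CbacFirewall:
    """Toy model of FW: 'ip inspect myrules in' on the inside interface and
    'access-list 100 deny ip any any log' inbound on the outside interface."""

    def __init__(self, inspected):
        self.inspected = set(inspected)           # protocols named in 'myrules'
        self.sessions: dict[tuple, Session] = {}  # keyed by the inside-initiated 5-tuple
        self.acl_log: list[dict] = []             # what the ACL's 'log' keyword would record

    def _expire(self, now):
        """Drop flows that have been idle longer than their protocol's idle-time."""
        for key, sess in list(self.sessions.items()):
            if now - sess.last_heard > IDLE_TIMEOUT[key[0]]:
                del self.sessions[key]

    def inside_in(self, pkt):
        """Packet arriving inbound on Serial0/0/0 from INSIDE: inspected, session recorded."""
        self._expire(pkt.ts)
        if pkt.proto in self.inspected:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            sess = self.sessions.get(key)
            if sess is None:
                self.sessions[key] = Session(created=pkt.ts, last_heard=pkt.ts)
            else:
                sess.last_heard = pkt.ts
        return "forward"

    def outside_in(self, pkt):
        """Packet arriving inbound on Serial0/0/1 from OUTSIDE: CBAC's temporary opening
        is checked first; anything unmatched hits ACL 100 and is denied and logged."""
        self._expire(pkt.ts)
        # Return traffic has the inside endpoint as its destination, so flip the tuple.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        sess = self.sessions.get(key)
        if sess is not None:
            sess.last_heard = pkt.ts
            return "forward"
        self.acl_log.append({"list": 100, "proto": pkt.proto, "src": pkt.src, "dst": pkt.dst})
        return "deny"


def run_lab_scenario():
    """Replay the lab's Step 6 checks plus UDP and ICMP timeout cases; return the verdicts."""
    fw = CbacFirewall(["tcp", "udp", "icmp"])
    r = {}
    # Step 6: OUTSIDE telnets to INSIDE. No session exists, so ACL 100 denies it.
    r["outside_telnet"] = fw.outside_in(Packet("tcp", "192.168.23.3", 40000, "172.16.12.1", 23, 0.0))
    # INSIDE telnets to OUTSIDE (source port 54736 as in the lab's session display); the reply passes.
    fw.inside_in(Packet("tcp", "172.16.12.1", 54736, "192.168.23.3", 23, 1.0))
    r["telnet_reply"] = fw.outside_in(Packet("tcp", "192.168.23.3", 23, "172.16.12.1", 54736, 1.1))
    # UDP: a reply within the 60 s idle-time is forwarded; one after it has expired is denied.
    fw.inside_in(Packet("udp", "172.16.12.1", 5000, "192.168.23.3", 53, 10.0))
    r["udp_reply_fresh"] = fw.outside_in(Packet("udp", "192.168.23.3", 53, "172.16.12.1", 5000, 40.0))
    r["udp_reply_stale"] = fw.outside_in(Packet("udp", "192.168.23.3", 53, "172.16.12.1", 5000, 101.0))
    # ICMP: the echo from INSIDE opens a 5 s hole for the echo reply, and no longer.
    fw.inside_in(Packet("icmp", "172.16.12.1", 0, "192.168.23.3", 0, 200.0))
    r["icmp_reply"] = fw.outside_in(Packet("icmp", "192.168.23.3", 0, "172.16.12.1", 0, 200.03))
    r["icmp_late"] = fw.outside_in(Packet("icmp", "192.168.23.3", 0, "172.16.12.1", 0, 206.0))
    r["denied"] = len(fw.acl_log)
    return r


if __name__ == "__main__":
    for name, verdict in run_lab_scenario().items():
        print(f"{name}: {verdict}")
```

Running run_lab_scenario() reproduces the Step 6 observations: the outside-initiated Telnet is denied, the reply to the inside-initiated Telnet is forwarded, and a UDP reply arriving after the 60-second idle-time has elapsed is denied again. That last case is the answer to the question above in miniature: UDP has no FIN or RST to tell the firewall a flow has ended, so the idle timer is the only thing that closes the hole.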

On a per-protocol basis, there are other adjustable settings. For instance, you
can configure CBAC to trigger logging messages based on the matched
protocol. This is important for security accounting as well as for debugging
purposes. View the options available on a per-protocol basis using the ?
character.


FW(config)# ip inspect name myrules tcp ?
alert Turn on/off alert
audit-trail Turn on/off audit trail
router-traffic Enable inspection of sessions to/from the router
timeout Specify the inactivity timeout time
<cr>

In a secure network, you would likely set up a Syslog server to monitor security
information, including communication to external networks. Alert and audit-trail
messages allow the holes in the firewall that CBAC opens to be monitored and
logged for later use. By default, CBAC logs alert messages to the console; the
alert setting can be changed on a per-protocol basis to override the global
setting (as shown above). To change the global setting for alerts, use the
command ip inspect alert-off. By default, alerts are on. To enable audit-trail
messages, use the global command ip inspect audit-trail. By default, audit-trail
messages are off. The timeout argument specifies a per-protocol connection
timeout period. Add Internet Control Message Protocol (ICMP) inspection with a
timeout of 5 seconds, HTTP inspection without alerting, and FTP inspection with
an audit trail. ICMP inspection may not work on older IOS releases.


FW(config)# ip inspect name myrules icmp timeout 5
FW(config)# ip inspect name myrules http alert off
FW(config)# ip inspect name myrules ftp audit-trail on

To apply the rule set to an interface, use the interface-level command ip
inspect name direction. Apply “myrules” to the inside interface on FW in the
inbound direction. This means that any traffic initiated from the inside interface
going through the router will have IP inspection performed on it.


FW(config)# interface serial0/0/0
FW(config-if)# ip inspect myrules in

In this scenario, you could also apply it outbound on the outside interface to
achieve the same effect. When would this not apply?

Step 5: Block Unwanted Outside Traffic

Configure an extended access list to deny any traffic coming in the outside
interface. The access list must be extended because CBAC needs to open up
temporary holes in it for return traffic and cannot do this with standard access
lists. Also have the deny portion of the access-list log packets that are blocked.
Apply this access list to be inbound on the outside interface on the firewall.

NOTE: If you are using an older IOS release that did not accept ICMP
inspection earlier, you may want to add the statement access-list 100 permit
icmp any any before the deny statement in this access list to allow all ICMP
traffic to go through (since it will not be inspected by CBAC).


FW(config)# access-list 100 deny ip any any log
FW(config)# interface serial0/0/1
FW(config-if)# ip access-group 100 in

Step 6: Verify CBAC Operation

Telnet from OUTSIDE to INSIDE. This should fail.


OUTSIDE# telnet 172.16.12.1
Trying 172.16.12.1 ...
% Destination unreachable; gateway or host down

OUTSIDE#

In addition, you should see a log message appear on FW. This log message is
not from CBAC but instead from the access list denying the packet.


FW#
*Feb 18 02:11:11.823: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.23.3(0) -> 172.16.12.1(0), 1 packet
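To make use of those deny messages (the reason the log keyword was added to the access list in Step 5), here is an added Python parser and summarizer; it is not Cisco code and not part of the lab. It parses the %SEC-6-IPACCESSLOGP format shown above, ignores any other console output (such as the CBAC debug lines that appear later in this lab), and totals denied packets per outside source so that repeated probing of the inside network stands out. The first sample line is the FW message shown above; the remaining sample lines and the regular expression are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample console output: line 1 is the FW message shown in the lab, the
# rest are made up for this example (more IPACCESSLOGP lines plus one CBAC debug line).
SAMPLE_LOG = """\
*Feb 18 02:11:11.823: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.23.3(0) -> 172.16.12.1(0), 1 packet
*Feb 18 02:16:12.101: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.23.3(0) -> 172.16.12.1(0), 4 packets
*Feb 18 02:17:40.555: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.168.23.9(53) -> 172.16.12.1(5000), 1 packet
*Feb 18 02:23:29.591: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
"""

# Regular expression for the IPACCESSLOGP message as displayed in the lab. The leading
# timestamp is optional because 'service timestamps' may not be enabled on every router.
ACL_LOG_RE = re.compile(
    r"^(?:\*?(?P<ts>\w{3} +\d+ [\d:.]+): )?"
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def parse_acl_log(line):
    """Return a dict of fields for an IPACCESSLOGP line, or None for any other line."""
    m = ACL_LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for field in ("sport", "dport", "count"):
        rec[field] = int(rec[field])
    return rec


def summarize_denies(text, acl="100"):
    """Total the packets denied by one ACL per source, remembering what each source aimed at."""
    totals = defaultdict(lambda: {"packets": 0, "targets": set()})
    for line in text.splitlines():
        rec = parse_acl_log(line)
        if rec is None or rec["acl"] != acl or rec["action"] != "denied":
            continue
        entry = totals[rec["src"]]
        entry["packets"] += rec["count"]
        entry["targets"].add((rec["proto"], rec["dst"], rec["dport"]))
    return dict(totals)


def noisy_sources(summary, threshold):
    """Sources whose denied-packet total reaches the threshold, sorted for stable output."""
    return sorted(src for src, entry in summary.items() if entry["packets"] >= threshold)


if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_LOG)
    for src, entry in summary.items():
        print(src, entry["packets"], sorted(entry["targets"]))
    print("above threshold:", noisy_sources(summary, 5))
```

The packet count at the end of each message matters: IOS rate-limits ACL logging and reports how many packets a single line stands for, so summing that field rather than counting lines gives the real volume. Feeding the same function the output of a Syslog server collecting from FW, as the text above recommends, turns the lab's deny log into a simple per-source watch list.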

Now, attempt to telnet from INSIDE to OUTSIDE. Leave the telnet session open
so you can verify the connection on FW.


INSIDE# telnet 192.168.23.3
Trying 192.168.23.3 ... Open


User Access Verification

Password:
OUTSIDE>

On FW, issue the show ip inspect all command to see the configuration and
operation of CBAC. Notice the inspected TCP connection between INSIDE and
OUTSIDE is listed at the end.


FW# show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name myrules
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 5
http alert is off audit-trail is off timeout 3600
ftp alert is on audit-trail is on timeout 3600

Interface Configuration
Interface Serial0/0/0
Inbound inspection rule is myrules
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 5
http alert is off audit-trail is off timeout 3600
ftp alert is on audit-trail is on timeout 3600
Outgoing inspection rule is not set
Inbound access list is not set
Outgoing access list is not set

Established Sessions
Session 458348C4 (172.16.12.1:54736)=>(192.168.23.3:23) tcp SIS_OPEN

View detailed session information by issuing the show ip inspect sessions
detail command on FW.


FW# show ip inspect sessions detail
Established Sessions
Session 458348C4 (172.16.12.1:54736)=>(192.168.23.3:23) tcp SIS_OPEN
Created 00:03:25, Last heard 00:03:23
Bytes sent (initiator:responder) [37:79]
In SID 192.168.23.3[23:23]=>172.16.12.1[54736:54736] on ACL 100 (11 matches)

Close the telnet connection when you are done verifying CBAC operation.


OUTSIDE> exit

[Connection to 192.168.23.3 closed by foreign host]
INSIDE#

Note: If your Cisco IOS release does not support ICMP inspection, skip the
following verification step since ICMP traffic will not be inspected.

Enable debugging of IP inspection for ICMP traffic using the debug ip inspect
protocol command. In a production environment, debugging CBAC is not
recommended because of the high volume of output it can generate.


FW# debug ip inspect icmp
INSPECT ICMP Inspection debugging is on

From the INSIDE router, ping OUTSIDE. Note that this would not work if you try
to ping the other way because it would be denied by the access list. If
attempted, the denied packets from OUTSIDE to INSIDE would be logged to
FW’s console line as well.


INSIDE# ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

FW#
*Feb 18 02:23:29.591: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.591: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.591: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.619: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Feb 18 02:23:29.647: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.675: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Feb 18 02:23:29.703: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.735: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Feb 18 02:23:29.763: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.791: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Feb 18 02:23:29.819: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.847: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
FW# undebug all

Final Configurations

INSIDE# show run
hostname INSIDE
!
interface Serial0/0/0
ip address 172.16.12.1 255.255.255.0
clock rate 64000
no shutdown
!
ip route 0.0.0.0 0.0.0.0 172.16.12.2
!
line vty 0 4
password cisco
login
end

FW# show run
hostname FW
!
ip inspect name myrules tcp
ip inspect name myrules udp
ip inspect name myrules icmp timeout 5
ip inspect name myrules http alert off
ip inspect name myrules ftp audit-trail on
ip inspect udp idle-time 60
!
interface Serial0/0/0
ip address 172.16.12.2 255.255.255.0
ip inspect myrules in
no shutdown
!
interface Serial0/0/1
ip address 192.168.23.2 255.255.255.0
ip access-group 100 in
clock rate 64000
no shutdown
!
access-list 100 deny ip any any log
end

OUTSIDE# show run
hostname OUTSIDE
!
interface Serial0/0/1
ip address 192.168.23.3 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
line vty 0 4
password cisco
login
end
