A while ago a friend asked me for a write-up on IOS Firewall/CBAC. At the time I hadn’t felt like writing about it as I don’t use it much, but I recently had to configure it, so I thought I may as well take a break from Juniper posts and do the article.

The IOS Firewall uses CBAC (Context-Based Access Control) to inspect traffic flows at the upper layers. CBAC inspects the outgoing traffic while maintaining stateful information for each session. It then opens pinholes in the firewall/incoming ACL to allow the appropriate return traffic back in. Something I forgot to point out: CBAC can be very CPU intensive, depending on your traffic. Keep that in mind and do some testing before deploying it on your network. Here’s the topology:


We have our router running IOS firewall, its WAN connection is on Fa0/1 out to the internet, and its LAN connection is on Fa0/0, which connects to some servers and workstations. Let’s configure the firewall:

We see that CBAC can inspect many different applications:

EDGE(config)#ip inspect name Incoming ?
  802-11-iapp       IEEE 802.11 WLANs WG IAPP
  ace-svr           ACE Server/Propagation
  appfw             Application Firewall
  appleqtc          Apple QuickTime
  bgp               Border Gateway Protocol
  biff              Bliff mail notification
  bittorrent        bittorrent
  bootpc            Bootstrap Protocol Client
  bootps            Bootstrap Protocol Server
  cddbp             CD Database Protocol
  cifs              CIFS
  cisco-fna         Cisco FNATIVE
  cisco-net-mgmt    cisco-net-mgmt
  cisco-svcs        cisco license/perf/GDP/X.25/ident svcs
  cisco-sys         Cisco SYSMAINT
  cisco-tdp         Cisco TDP
  cisco-tna         Cisco TNATIVE
  citrix            Citrix IMA/ADMIN/RTMP
  citriximaclient   Citrix IMA Client
  clp               Cisco Line Protocol
  creativepartnr    Creative Partnr
  creativeserver    Creative Server
  cuseeme           CUSeeMe Protocol
  daytime           Daytime (RFC 867)
  dbase             dBASE Unix
  dbcontrol_agent   Oracle dbControl Agent po
  ddns-v3           Dynamic DNS Version 3
  dhcp-failover     DHCP Failover
  directconnect     Direct Connect Version 2.0
  discard           Discard port
  dns               Domain Name Server
  dnsix             DNSIX Securit Attribute Token Map
  echo              Echo port
  edonkey           eDonkey
  entrust-svc-hdlr  Entrust KM/Admin Service Handler
  entrust-svcs      Entrust sps/aaas/aams
  esmtp             Extended SMTP
  exec              Remote Process Execution
  fasttrack         FastTrack Traffic - KaZaA, Morpheus, Gro
  fcip-port         FCIP
  finger            Finger
  fragment          IP fragment inspection
  ftp               File Transfer Protocol
  ftps              FTP over TLS/SSL
  gdoi              GDOI
  giop              Oracle GIOP/SSL
  gnutella          Gnutella Version2 Traffic - BearShare, S
  gopher            Gopher
  gtpv0             GPRS Tunneling Protocol Version 0
  gtpv1             GPRS Tunneling Protocol Version 1
  h323              H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  h323-annexe       H.323 Protocol AnnexE (e.g, MS NetMeetin
  h323-nxg          H.323 Protocol AnnexG
  hp-alarm-mgr      HP Performance data alarm manager
  hp-collector      HP Performance data collector
  hp-managed-node   HP Performance data managed node
  hsrp              Hot Standby Router Protocol
  http              HTTP Protocol
  https             Secure Hypertext Transfer Protocol
  ica               ica (Citrix)
  icabrowser        icabrowser (Citrix)
  icmp              ICMP Protocol
  ident             Authentication Service
  igmpv3lite        IGMP over UDP for SSM
  imap              IMAP Protocol
  imap3             Interactive Mail Access Protocol 3
  imaps             IMAP over TLS/SSL
  ipass             IPASS
  ipsec-msft        Microsoft IPsec NAT-T
  ipx               IPX
  irc               Internet Relay Chat Protocol
  irc-serv          IRC-SERV
  ircs              IRC over TLS/SSL
  ircu              IRCU
  isakmp            ISAKMP
  iscsi             iSCSI
  iscsi-target      iSCSI port
  kazaa2            Kazaa Version 2
  kerberos          Kerberos
  kermit            kermit
  l2tp              L2TP/L2F
  ldap              Lightweight Directory Access Protocol
  ldap-admin        LDAP admin server port
  ldaps             LDAP over TLS/SSL
  login             Remote login
  lotusmtap         Lotus Mail Tracking Agent Protocol
  lotusnote         Lotus Note
  microsoft-ds      Microsoft-DS
  ms-cluster-net    MS Cluster Net
  ms-dotnetster     Microsoft .NETster Port
  ms-sna            Microsoft SNA Server/Base
  ms-sql            Microsoft SQL
  ms-sql-m          Microsoft SQL Monitor
  msexch-routing    Microsoft Exchange Routing
  msrpc             Microsoft Remote Procedure Call
  mysql             MySQL
  n2h2server        N2H2 Filter Service Port
  ncp               NCP (Novell)
  net8-cman         Oracle Net8 Cman/Admin
  netbios-dgm       NETBIOS Datagram Service
  netbios-ns        NETBIOS Name Service
  netbios-ssn       NETBIOS Session Service
  netshow           Microsoft NetShow Protocol
  netstat           Variant of systat
  nfs               Network File System
  nntp              Network News Transport Protocol
  ntp               Network Time Protocol
  oem-agent         OEM Agent (Oracle)
  oracle            Oracle
  oracle-em-vp      Oracle EM/VP
  oraclenames       Oracle Names
  orasrv            Oracle SQL*Net v1/v2
  parameter         Specify inspection parameters
  pcanywheredata    pcANYWHEREdata
  pcanywherestat    pcANYWHEREstat
  pop3              POP3 Protocol
  pop3s             POP3 over TLS/SSL
  pptp              PPTP
  pwdgen            Password  Generator Protocol
  qmtp              Quick Mail Transfer Protocol
  r-winsock         remote-winsock
  radius            RADIUS & Accounting
  rcmd              R commands (r-exec, r-login, r-sh)
  rdb-dbs-disp      Oracle RDB
  realaudio         Real Audio Protocol
  realsecure        ISS Real Secure Console Service Port
  router            Local Routing Process
  rpc               Remote Prodedure Call Protocol
  rsvd              RSVD
  rsvp-encap        RSVP ENCAPSULATION-1/2
  rsvp_tunnel       RSVP Tunnel
  rtc-pm-port       Oracle RTC-PM port
  rtelnet           Remote Telnet Service
  rtsp              Real Time Streaming Protocol
  send              SEND
  shell             Remote command
  sip               SIP Protocol
  sip-tls           SIP-TLS
  skinny            Skinny Client Control Protocol
  sms               SMS RCINFO/XFER/CHAT
  smtp              Simple Mail Transfer Protocol
  snmp              Simple Network Management Protocol
  snmptrap          SNMP Trap
  socks             Socks
  sqlnet            SQL Net Protocol
  sqlserv           SQL Services
  sqlsrv            SQL Service
  ssh               SSH Remote Login Protocol
  sshell            SSLshell
  ssp               State Sync Protocol
  streamworks       StreamWorks Protocol
  stun              cisco STUN
  syslog            SysLog Service
  syslog-conn       Reliable Syslog Service
  tacacs            Login Host Protocol (TACACS)
  tacacs-ds         TACACS-Database Service
  tarantella        Tarantella
  tcp               Transmission Control Protocol
  telnet            Telnet
  telnets           Telnet over TLS/SSL
  tftp              TFTP Protocol
  time              Time
  timed             Time server
  tr-rsrb           cisco RSRB
  ttc               Oracle TTC/SSL
  udp               User Datagram Protocol
  uucp              UUCPD/UUCP-RLOGIN
  vdolive           VDOLive Protocol
  vqp               VQP
  webster           Network Disctionary
  who               Who's service
  winmx             WinMx file-sharing application
  wins              Microsoft WINS
  x11               X Window System
  xdmcp             XDM Control Protocol

First we’ll configure our inspect list:

EDGE(config)#ip inspect name Incoming sip
EDGE(config)#ip inspect name Incoming dns
EDGE(config)#ip inspect name Incoming http
EDGE(config)#ip inspect name Incoming https
EDGE(config)#ip inspect name Incoming ssh
EDGE(config)#ip inspect name Incoming isakmp
EDGE(config)#ip inspect name Incoming ftp
EDGE(config)#ip inspect name Incoming smtp
EDGE(config)#ip inspect name Incoming pop3
EDGE(config)#ip inspect name Incoming imap
EDGE(config)#ip inspect name Incoming tcp
EDGE(config)#ip inspect name Incoming udp
EDGE(config)#ip inspect name Incoming icmp

We’re inspecting normal traffic here, nothing crazy. Now we need to apply the list to an interface:

EDGE(config)#int fa0/1
EDGE(config-if)# ip inspect Incoming ?
  in   Inbound inspection
  out  Outbound inspection
EDGE(config-if)# ip inspect Incoming out

We have the option of inspecting the traffic as it comes in, or as it goes out. Here we are inspecting our traffic from the inside as it goes outside. I’ve named the list “Incoming”, which may seem counter-intuitive since we’re applying it in the outgoing direction, but the purpose of inspecting it is to let return traffic back in, so I like to name it more logically.
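The post shows the inspect list and where it is applied, but CBAC only buys you something if there is an inbound ACL on the WAN interface for it to punch pinholes through. The following is an added example of that missing piece (not the configuration from the original post); it assumes a WAN address of 203.0.113.2 on Fa0/1 (a constructed documentation address), no NAT between the LAN and WAN (the post shows none), and a LAN VPN client at 192.168.25.20.

```cisco
! Added example, not from the original post. Assumed: WAN IP 203.0.113.2,
! LAN 192.168.25.0/24 behind Fa0/0, no NAT.
!
! Bound the state CBAC will track so a SYN flood or scan from outside
! cannot burn the router's CPU and memory (the CPU caveat above).
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
ip inspect one-minute high 800
ip inspect one-minute low 600
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
ip inspect audit-trail
!
! Inspect list: tcp/udp/icmp cover the bulk of traffic; ftp and sip are
! listed separately because they negotiate secondary data channels that
! the generic tcp/udp inspectors cannot predict.
ip inspect name Incoming ftp
ip inspect name Incoming sip
ip inspect name Incoming tcp
ip inspect name Incoming udp
ip inspect name Incoming icmp
!
! Static inbound ACL on the WAN side. CBAC inserts temporary permit
! entries ahead of these lines for return traffic it has seen leave,
! so the static part is only what must be allowed without a prior
! outbound flow.
ip access-list extended WAN-IN
 remark ESP carries no ports and is not inspected by CBAC, so return
 remark ESP for the LAN VPN client (assumed host) needs an explicit permit
 permit esp any host 192.168.25.20
 remark anti-spoofing: our own LAN prefix must never arrive from outside
 deny   ip 192.168.25.0 0.0.0.255 any log
 deny   ip any any log
!
interface FastEthernet0/1
 description WAN
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-IN in
 ip inspect Incoming out
!
! Verification: "show ip inspect config" confirms the timers and list,
! "show ip access-lists WAN-IN" shows the dynamic entries CBAC has added
! while sessions are open, and "show ip inspect sessions" lists the
! sessions themselves.
```

With the inspect list removed from Fa0/1, the same ACL blocks all return traffic and LAN hosts lose Internet access; that is the quickest way to confirm the pinholes are doing the work rather than an accidental permit.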

Now let’s see it in action. Let’s look at an HTTP flow to Google on our current topology:

One of our LAN hosts (192.168.25.20) is initiating HTTP traffic to Google (74.125.157.147). CBAC should see this traffic go out and then allow the return traffic back in, which is exactly what it does:

EDGE#sh ip inspect sessions | i 192.168.25.20
 Session 6706032C (192.168.25.20:47710)=>(74.125.157.147:80) http SIS_OPEN

We see the session from our host to Google, so all is working.

That’s IOS Firewall. It’s not too hard to configure and it’s very powerful. Hope this was helpful.

Colby

Colby Glass has been in IT since 2002. He is currently a Systems Engineer (presales) with a Cisco Gold partner and holds the CCNP R/S, CCNP DC, CCDP, CCIP, JNCIA-ER.
