Two-Interface Branch Office Configuration
This sample configuration file describes a firewall configured
with CBAC. The firewall is positioned between a protected field
office internal network and a WAN connection to the corporate
headquarters. CBAC is configured on the firewall in order to protect
the internal network from potential network threats coming from the
WAN side.
The firewall has two interfaces configured:
- Interface Ethernet0 connects to the internal protected network.
- Interface Serial0 connects to the WAN with Frame Relay.
!----------------------------------------------------------------------
! This first section contains some configuration that is not required
! for CBAC, but illustrates good security practices. Note that there
! are no services on the Ethernet side. E-mail is picked up via POP
! from a server on the corporate side.
!----------------------------------------------------------------------
!
hostname user1-examplecorp-fr
!
boot system flash c1600-fw1600-l
enable secret 5 <elided>
!
username user1 password <elided>
ip subnet-zero
no ip source-route
ip domain-name example.com
ip name-server 172.19.2.132
ip name-server 198.92.30.32
!
!
!----------------------------------------------------------------------
!The next section includes configuration required specifically for CBAC
!----------------------------------------------------------------------
!
!The following commands define the inspection rule "myfw", allowing
!the specified protocols to be inspected. Note that Java applets will
!be permitted according to access list 51, defined later in this
!configuration.
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http java-list 51 timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
!
!The following interface configuration applies the "myfw" inspection
!rule to inbound traffic at Ethernet 0. Since this interface is on the
!internal network side of the firewall, traffic entering Ethernet 0 is
!actually exiting the internal network. Applying the inspection rule to
!this interface causes inbound traffic (which is exiting the network)
!to be inspected; return traffic will only be permitted back through
!the firewall if it is part of a session which began from within the
!network.
!Also note that access list 101 is applied to inbound traffic at
!Ethernet 0. Any traffic that passes the access list will be inspected
!by CBAC. (Traffic blocked by the access list will not be inspected.)
interface Ethernet0
description ExampleCorp Ethernet chez user1
ip address 172.19.139.1 255.255.255.248
! Directed broadcast address of the 172.19.139.0/29 subnet configured above.
ip broadcast-address 172.19.139.7
no ip directed-broadcast
no ip proxy-arp
ip inspect myfw in
ip access-group 101 in
no cdp enable
!
interface Serial0
description Frame Relay (Telco ID 22RTQQ062438-001) to ExampleCorp HQ
no ip address
ip broadcast-address 0.0.0.0
encapsulation frame-relay IETF
no arp frame-relay
bandwidth 56
service-module 56k clock source line
service-module 56k network-type dds
frame-relay lmi-type ansi
!
!Note that the following interface configuration applies access list
!111 to inbound traffic at the external serial interface. (Inbound
!traffic is entering the network.) When CBAC inspection occurs on
!traffic exiting the network, temporary openings will be added to
!access list 111 to allow returning traffic that is part of existing
!sessions.
!
interface Serial0.1 point-to-point
ip unnumbered Ethernet0
ip access-group 111 in
bandwidth 56
no cdp enable
frame-relay interface-dlci 16
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
!
!The following access list defines "friendly" and "hostile" sites for
!Java applet blocking. Because Java applet blocking is defined in the
!inspection rule "myfw" and references access list 51, applets will be
!actively denied if they are from any of the "deny" addresses and
!allowed only if they are from either of the two "permit" networks.
!Note that the wildcard 0.1.255.255 on 172.18.0.0 matches 172.18.0.0/15,
!that is, both 172.18.x.x and 172.19.x.x; the two host "deny" entries
!must therefore precede it, because the first matching entry wins.
!
access-list 51 deny 172.19.1.203
access-list 51 deny 172.19.2.147
access-list 51 permit 172.18.0.0 0.1.255.255
access-list 51 permit 192.168.1.0 0.0.0.255
access-list 51 deny any
!
!The following access list 101 is applied to interface Ethernet 0
!above. This access list permits all traffic that should be CBAC
!inspected, and also provides anti-spoofing. The access list is
!deliberately set up to deny unknown IP protocols, because no such
!unknown protocols will be in legitimate use.
!
access-list 101 permit tcp 172.19.139.0 0.0.0.7 any
access-list 101 permit udp 172.19.139.0 0.0.0.7 any
access-list 101 permit icmp 172.19.139.0 0.0.0.7 any
access-list 101 deny ip any any
!
!The following access list 111 is applied to interface Serial 0.1
!above. This access list filters traffic coming in from the external
!side. When CBAC inspection occurs, temporary openings will be added to
!the beginning of this access list to allow return traffic back into
!the internal network. This access list should restrict traffic that
!will be inspected by CBAC. (Remember that CBAC will open holes as
!necessary to permit returning traffic.)
!Comments precede each access list entry. These entries are not all
!specifically related to CBAC, but are created to provide general good
!security.
!
!Anti-spoofing: nothing arriving from the WAN may claim an office address.
access-list 111 deny ip 172.19.139.0 0.0.0.7 any
!Sometimes EIGRP is run on the Frame Relay link. When you use an input
!access list, you have to explicitly allow even routing-protocol
!control traffic. This could be more restrictive, but there would have
!to be entries for the EIGRP multicast address (224.0.0.10) as well as
!for the office's own unicast address. Note that the "igrp" keyword
!matches only classic IGRP (IP protocol 9); EIGRP is IP protocol 88
!and is matched by the "eigrp" keyword.
access-list 111 permit eigrp any any
!
!These are the ICMP types actually used...
!administratively-prohibited is useful when you are trying to figure
!out why you cannot reach something you think you should be able to
!reach.
access-list 111 permit icmp any 172.19.139.0 0.0.0.7 administratively-prohibited
!
!This allows network admins at headquarters to ping hosts at the field
!office:
access-list 111 permit icmp any 172.19.139.0 0.0.0.7 echo
!
!This allows the field office to do outgoing pings
access-list 111 permit icmp any 172.19.139.0 0.0.0.7 echo-reply
!
!Path MTU discovery requires too-big messages
access-list 111 permit icmp any 172.19.139.0 0.0.0.7 packet-too-big
!
!Outgoing traceroute requires time-exceeded messages to come back
access-list 111 permit icmp any 172.19.139.0 0.0.0.7 time-exceeded
!
!Incoming traceroute
access-list 111 permit icmp any 172.19.139.0 0.0.0.7 traceroute
!
!Permits all unreachables because if you are trying to debug things
!from the remote office, you want to see them. If nobody ever did any
!debugging from the network, it would be more appropriate to permit
!only port unreachables or no unreachables at all.
access-list 111 permit icmp any 172.19.139.0 0.0.0.7 unreachable
!
!
!These next two entries permit users on most ExampleCorp networks to
!Telnet to the firewall router itself (172.19.139.1 is its Ethernet0
!address, which Serial0.1 also borrows via "ip unnumbered"). This is
!for remote administration by the network admins. No other office host
!is listed, so inbound Telnet to the rest of 172.19.139.0/29 is still
!denied. Telnet carries credentials in clear text; prefer SSH where the
!IOS image supports it.
access-list 111 permit tcp 172.18.0.0 0.1.255.255 host 172.19.139.1 eq telnet
access-list 111 permit tcp 192.168.1.0 0.0.0.255 host 172.19.139.1 eq telnet
!
!Final deny for explicitness
access-list 111 deny ip any any
!
no cdp run
! This read-only community is not restricted by an access list; the
! multiple-interface example below shows how to limit SNMP to
! management hosts with "snmp-server community <string> ro <acl>".
snmp-server community <elided> RO
!
! "exec-timeout 0 0" disables the idle timeout on a line: an abandoned
! session stays logged in until it is cleared. Use a finite value on
! any line that untrusted people could reach.
line con 0
exec-timeout 0 0
password <elided>
login local
line VTY 0
exec-timeout 0 0
password <elided>
login local
length 35
line VTY 1
exec-timeout 0 0
password 7 <elided>
login local
line VTY 2
exec-timeout 0 0
password 7 <elided>
login local
line VTY 3
exec-timeout 0 0
password 7 <elided>
login local
line VTY 4
exec-timeout 0 0
password 7 <elided>
login local
!
scheduler interval 500
end
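The access lists in this configuration are evaluated top-down, first match wins, and anything that matches no entry hits the implicit deny at the end; a wildcard mask is an inverted netmask in which a 0 bit must match and a 1 bit is ignored. The following Python evaluator is an added example written for this page, not Cisco code, and reproduces those semantics over a trimmed copy of access lists 51 and 111 above (the sample packets, the small port-keyword table and the `eigrp` entry in place of `igrp` are assumptions of the example). It shows why the anti-spoofing entry must come first: the Telnet entry's wildcard 0.1.255.255 also covers 172.19.x.x, so without the leading deny a spoofed source inside 172.19.139.0/29 would be permitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a trimmed copy of access lists 51 and 111 from the
# two-interface configuration above.
CONFIG = """
access-list 51 deny 172.19.1.203
access-list 51 deny 172.19.2.147
access-list 51 permit 172.18.0.0 0.1.255.255
access-list 51 permit 192.168.1.0 0.0.0.255
access-list 51 deny any
access-list 111 deny ip 172.19.139.0 0.0.0.7 any
access-list 111 permit eigrp any any
access-list 111 permit icmp any 172.19.139.0 0.0.0.7 echo-reply
access-list 111 permit tcp 172.18.0.0 0.1.255.255 host 172.19.139.1 eq telnet
access-list 111 deny ip any any
"""
PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80, "pop3": 110}  # subset of IOS port keywords
AddrSpec = Tuple[int, int]  # (address, care-mask): a set care-mask bit must match exactly

def ip2int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))

@dataclass
class Packet:
    proto: str                       # "tcp", "udp", "icmp", "eigrp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # ICMP type keyword as IOS spells it, e.g. "echo-reply"

@dataclass
class Rule:
    action: str
    proto: str                       # "ip" matches every protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

def _parse_addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec at t[i]: 'any', 'host A', 'A WILDCARD' or a bare 'A'."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (ip2int(t[i + 1]), 0xFFFFFFFF), i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():   # wildcard follows: its 1 bits are "don't care"
        return (ip2int(t[i]), ~ip2int(t[i + 1]) & 0xFFFFFFFF), i + 2
    return (ip2int(t[i]), 0xFFFFFFFF), i + 1        # bare address (standard ACL) = one host

def parse_acls(config: str) -> Dict[int, List[Rule]]:
    acls: Dict[int, List[Rule]] = {}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if number <= 99:                             # standard ACL: source address only
            rule = Rule(action, "ip", _parse_addr(t, 3)[0], (0, 0))
        else:                                        # extended ACL
            proto = t[3]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            rule = Rule(action, proto, src, dst)
            if i < len(t) and t[i] == "eq":
                rule.dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            elif i < len(t) and proto == "icmp":
                rule.icmp_type = t[i]
        acls.setdefault(number, []).append(rule)
    return acls

def _addr_match(spec: AddrSpec, addr: str) -> bool:
    net, care = spec
    return (ip2int(addr) & care) == (net & care)

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry decides; no match falls through to the implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        return r.action
    return "deny"

ACLS = parse_acls(CONFIG)

def serial_inbound(pkt: Packet) -> str:
    """Verdict of access list 111 on a packet arriving from the WAN side."""
    return evaluate(ACLS[111], pkt)

def java_site_allowed(src_ip: str) -> bool:
    """Verdict of the Java friendly/hostile list (access list 51) on an applet's source."""
    return evaluate(ACLS[51], Packet("ip", src_ip, "0.0.0.0")) == "permit"
```

`serial_inbound(Packet("tcp", "172.19.139.3", "172.19.139.1", 23))` returns `deny` because the anti-spoofing entry matches first, while the same Telnet from 172.18.4.9 or 172.19.4.9 returns `permit`; an ICMP type the list does not name, or Telnet to any office host other than the router, falls through to the final deny.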
Multiple-Interface Branch-Office Configuration
In this configuration example, a single Cisco 3600 series
firewall router is positioned at a branch office. It has four
internal networks and two WAN connections to the corporate
headquarters. CBAC is configured on the firewall to protect two of
the internal networks from potential network threats coming from the
WAN side and from less secure internal networks. Antispoofing
protection is added at each interface with client systems.
Note: This example shows a moderately high level of
trust by the administrators toward the expected users. Additional
protection could be added to this configuration for a situation in a
lower level of trust. That configuration would include ICMP
filtering statements, significantly more protocol and address
control through the use of more restrictive access control lists,
and antispoofing applied everywhere. This configuration does not
contain those additional restrictions because that would detract
from the CBAC example.
The branch office has this sample network configuration:
- Ethernet interface 0/0 supports the Human Resources department
servers. This network includes an email (SMTP and Post Office
Protocol version 3 [POP3]) host and a Windows NT server. The Windows
NT server is the Primary Domain Controller (PDC) for the Human
Resources domain and has a trust relationship with the rest of the
company; however, it contains applications and databases that must
not be accessed by the rest of the company or the other groups in the
branch office. The devices on this LAN are accessible only by users
in the Human Resources department on Ethernet interface 0/1. The mail
server must be able to send and receive e-mail (through SMTP
sessions) with all other devices. The Windows 95 machines can use
this machine as their e-mail server (for sending email through SMTP
sessions) and as a repository for accumulating e-mail that they can
then download through POP3 sessions. No one else in the company is
allowed to form POP3 sessions to any machine on this LAN.
- Ethernet interface 0/1 supports the Windows 95 computers in the
Human Resources department. These users must have access to the Human
Resources mail server located on Ethernet interface 0/0 as well as
access to the rest of the company. Access to the Windows NT server
resources is controlled through the Windows NT permissions assigned
to each user in the Windows NT domain.
- Ethernet interface 1/0 supports the branch office Web servers, which
can be accessed by everyone in the company. These servers use TCP
ports 80 (HTTP) and 443 (HTTPS) for inbound Web access. This network
also includes a backup domain controller (BDC) for the overall domain
that is also used as a file, print, and service server.
- Ethernet interface 1/1 supports all users who are not in the Human
Resources department. These users have no access to the Human
Resources department servers, but they can access the other network
interfaces and the serial interfaces for WAN connectivity.
- Serial interfaces 0/0 and 0/1 connect to the WAN with T1 links
(links to corporate headquarters). In this sample configuration, the
DNS servers are located somewhere within the rest of the company.
Additionally, network management (SNMP) and Telnet sessions are
limited to the management network (192.168.55.0), which is located
somewhere within the rest of the company across the serial
interfaces.
!------------------------------------------------------------------
! This first section contains some configuration that is not required
! for CBAC, but illustrates good security practices.
!------------------------------------------------------------------
!Add this line to get timestamps on the syslog messages.
service timestamps log datetime localtime show-timezone
!
hostname Router1
!
boot system flash c3600-fw3600-l
!
! Configure AAA user authentication.
aaa new-model
aaa authentication login lista tacacs+ enable
!
enable secret 5 <elided>
ip subnet-zero
!
! Disable source routing to help prevent spoofing.
no ip source-route
!
! Set up the domain name and server IP addresses.
ip domain-name example.com
ip name-server 192.168.55.132
ip name-server 192.168.27.32
!
! The audit-trail command enables the delivery of specific CBAC
! messages through the syslog notification process.
ip inspect audit-trail
!
! Establish the time-out value for DNS queries. When this idle timer
! expires, the dynamic ACL entries that were created to permit the
! reply to a DNS request are removed and any subsequent packets are
! denied.
ip inspect dns-timeout 10
!
!----------------------------------------------------------------------
!The next section includes configuration statements required
!specifically for CBAC.
!----------------------------------------------------------------------
! Define the CBAC inspection rule "inspect1," allowing the specified
! protocols to be inspected. The first rule enables SMTP-specific
! inspection. SMTP inspection causes the exchange of the SMTP session
! to be inspected for illegal commands. Any packets with illegal
! commands are dropped, and the SMTP session will hang and eventually
! time out.
ip inspect name inspect1 smtp timeout 300
!
! In the next two lines of inspect1, define the maximum time that each
! of the UDP and TCP sessions is allowed to continue without any
! traffic passing through the router. When these timeouts are reached,
! the dynamic ACLs that are inserted to permit the returning traffic
! are removed and subsequent packets (possibly even valid ones) will
! not be permitted.
ip inspect name inspect1 udp timeout 300
ip inspect name inspect1 tcp timeout 300
!
! Define the CBAC inspection rule "inspect2," allowing the specified
! protocols to be inspected. These rules are similar to those used in
! the inspection rule "inspect1," except that on the interfaces where
! this rule is applied, SMTP sessions are not expected to go through;
! therefore, the SMTP rule element is not applied here.
ip inspect name inspect2 udp timeout 300
ip inspect name inspect2 tcp timeout 3600
!
!----------------------------------------------------------------------
! The next section shows the Ethernet interface configuration
! statements for each interface, including access lists and inspection
! rules.
!----------------------------------------------------------------------
! Apply the "inspect1" inspection rule to sessions that are initiated
! in the outbound direction (toward the LAN) at Ethernet interface 0/0.
! All packets in these sessions will be inspected by CBAC. Provided
! that network traffic passes the Access Control List (ACL)
! restrictions, traffic is then inspected by CBAC for access through
! the Cisco IOS Firewall. Traffic blocked by the access list is not
! inspected by CBAC. Access list 110 is applied to outbound traffic on
! this interface.
interface Ethernet0/0
description HR_Server Ethernet
ip address 172.16.110.1 255.255.255.0
ip access-group 110 out
no ip directed-broadcast
no ip proxy-arp
ip inspect inspect1 out
no cdp enable
!
! Apply access list 120 to inbound traffic on Ethernet interface 0/1.
! Applying access list 120 to inbound traffic provides anti-spoofing
! on this interface by dropping traffic with a source address
! belonging to a network other than Ethernet 0/1. The IP helper
! address lists the IP address of the DHCP server on Ethernet
! interface 1/0.
interface Ethernet0/1
description HR_client Ethernet
ip address 172.16.120.1 255.255.255.0
ip access-group 120 in
ip helper-address 172.16.130.66
no ip directed-broadcast
no ip proxy-arp
no cdp enable
!
! Apply the "inspect2" inspection rule to sessions that are initiated
! in the outbound direction (toward the LAN) at Ethernet interface 1/0.
! Provided that network traffic passes the Access Control List (ACL)
! restrictions, traffic is then inspected by CBAC through the Cisco
! IOS Firewall. Traffic blocked by the access list is not inspected by
! CBAC. Access list 130 is applied to outbound traffic on this
! interface.
interface Ethernet1/0
description Web_server Ethernet
ip address 172.16.130.1 255.255.255.0
ip access-group 130 out
no ip directed-broadcast
no ip proxy-arp
ip inspect inspect2 out
no cdp enable
!
! Apply access list 140 to inbound traffic at Ethernet interface 1/1.
! This provides anti-spoofing on the interface by dropping traffic
! with a source address belonging to a network other than Ethernet
! 1/1. The IP helper address lists the IP address of the DHCP server
! on Ethernet interface 1/0.
interface Ethernet1/1
description Everyone_else Ethernet
ip address 172.16.140.1 255.255.255.0
ip access-group 140 in
ip helper-address 172.16.130.66
no ip directed-broadcast
no ip proxy-arp
no cdp enable
!
!----------------------------------------------------------------------
! The next section configures the serial interfaces, including access
! lists.
!----------------------------------------------------------------------
! Apply access list 150 to Serial interfaces 0/0 and 0/1. This provides
! anti-spoofing on the serial interfaces by dropping traffic with a
! source address matching the IP address of a host on Ethernet
! interface 0/0, 0/1, 1/0, or 1/1.
interface Serial0/0
description T1 to HQ
ip address 192.168.150.1 255.255.255.0
ip access-group 150 in
bandwidth 1544
!
interface Serial0/1
description T1 to HQ
ip address 192.168.160.1 255.255.255.0
ip access-group 150 in
bandwidth 1544
!
! ------------------------------
! Configure routing information.
! -------------------------------
router igrp 109
network 172.16.0.0
network 192.168.150.0
network 192.168.160.0
!
! Define protocol forwarding on the firewall. When you turn on a
! related command, ip helper-address, you forward every IP broadcast in
! the ip forward-protocol command list, including several which are on
! by default: TFTP (port 69), DNS (port 53), Time service (port 37),
! NetBIOS Name Server (port 137), NetBIOS Datagram Server (port 138),
! BOOTP client and server datagrams (ports 67 and 68), and TACACS
! service (port 49). One common application that requires helper
! addresses is Dynamic Host Configuration Protocol (DHCP). DHCP
! information is carried inside of BOOTP packets. The "no ip
! forward-protocol" statements turn off forwarding for the specified
! protocols.
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip forward-protocol udp tftp
ip forward-protocol udp bootpc
!
! Add this line to establish where router syslog messages are sent.
! This includes the CBAC messages.
logging 192.168.55.131
!
! ---------------------------------------------------------------
! Define the configuration of each access list.
! ---------------------------------------------------------------
! Defines Telnet controls in access list 12.
access-list 12 permit 192.168.55.0 0.0.0.255
!
! Defines SNMP controls in access list 13.
access-list 13 permit 192.168.55.12
access-list 13 permit 192.168.55.19
!
! Access list 110 permits TCP and UDP protocol traffic for specific
! ports and with a source address on Ethernet interface 0/1. The
! access list denies IP protocol traffic with any other source and
! destination address. The access list permits ICMP access for any
! source and destination address. Access list 110 is deliberately set
! up to deny unknown IP protocols because no such unknown protocols
! will be in legitimate use. Access list 110 is applied to outbound
! traffic at Ethernet interface 0/0. In ACL 110, network traffic is
! being allowed access to the ports on any server on the HR server
! network. In less trusted environments, this can be a security
! problem; however, you can limit access more severely by specifying
! specific destination addresses in the ACL statements.
! Note that "pop3" is the keyword for TCP port 110, and that the
! NetBIOS session service (port 139) runs over TCP, not UDP.
access-list 110 permit tcp 172.16.120.0 0.0.0.255 any eq smtp
access-list 110 permit tcp 172.16.120.0 0.0.0.255 any eq pop3
access-list 110 permit udp any any eq 137
access-list 110 permit udp any any eq 138
access-list 110 permit tcp any any eq 139
access-list 110 permit icmp any any
access-list 110 deny ip any any
!
! Access list 120 permits TCP, UDP, and ICMP protocol traffic with a
! source address on Ethernet interface 0/1, but denies all other IP
! protocol traffic. Access list 120 is applied to inbound traffic on
! Ethernet interface 0/1.
access-list 120 permit tcp 172.16.120.0 0.0.0.255 any
access-list 120 permit udp 172.16.120.0 0.0.0.255 any
access-list 120 permit icmp 172.16.120.0 0.0.0.255 any
access-list 120 deny ip any any
!
! Access list 130 permits TCP, UDP, and ICMP protocol traffic for
! specific ports and with any source and destination address. It opens
! access to the web server and to all NBT services to the rest of the
! company, which can be controlled through the trust relations on the
! Windows NT servers. The bootpc entry permits access to the DHCP
! server. Access list 130 denies all other IP protocol traffic. Access
! list 130 is applied to outbound traffic at Ethernet interface 1/0.
! (The NetBIOS session service on port 139 is TCP.)
access-list 130 permit tcp any any eq www
access-list 130 permit tcp any any eq 443
access-list 130 permit tcp any any eq 110
access-list 130 permit udp any any eq 137
access-list 130 permit udp any any eq 138
access-list 130 permit tcp any any eq 139
access-list 130 permit udp any any eq bootpc
access-list 130 permit icmp any any
access-list 130 deny ip any any
!
! Access list 140 permits TCP, UDP, and ICMP protocol traffic with a
! source address on Ethernet interface 1/1, and it denies all other IP
! protocol traffic. Access list 140 is applied to inbound traffic at
! Ethernet interface 1/1.
access-list 140 permit tcp 172.16.140.0 0.0.0.255 any
access-list 140 permit udp 172.16.140.0 0.0.0.255 any
access-list 140 permit icmp 172.16.140.0 0.0.0.255 any
access-list 140 deny ip any any
!
! Access list 150 denies IP protocol traffic with a source address on
! Ethernet interfaces 0/0, 0/1, 1/0, and 1/1, and it permits IP
! protocol traffic with any other source and destination address.
! Access list 150 is applied to inbound traffic on each of the serial
! interfaces.
access-list 150 deny ip 172.16.110.0 0.0.0.255 any
access-list 150 deny ip 172.16.120.0 0.0.0.255 any
access-list 150 deny ip 172.16.130.0 0.0.0.255 any
access-list 150 deny ip 172.16.140.0 0.0.0.255 any
access-list 150 permit ip any any
!
! Disable Cisco Discovery Protocol.
no cdp run
!
snmp-server community <elided> ro 13
tacacs-server host 192.168.55.2
tacacs-server key <elided>
!
!-----------------------------------------------------------------------------------
! Configure the router console port and the virtual terminal line
! interfaces, including AAA authentication at login. Authentication is
! required for users defined in "lista." Access-class 12 is applied on
! each line, restricting Telnet access to connections with a source
! address on the network management network.
!-----------------------------------------------------------------------------------
line console 0
exec-timeout 3 0
login authentication lista
line aux 0
exec-timeout 3 0
login authentication lista
line VTY 0
exec-timeout 1 30
login authentication lista
access-class 12 in
line VTY 1
exec-timeout 1 30
login authentication lista
access-class 12 in
line VTY 2
exec-timeout 1 30
login authentication lista
access-class 12 in
line vty 3
exec-timeout 1 30
login authentication lista
access-class 12 in
line vty 4
exec-timeout 1 30
login authentication lista
access-class 12 in
!
end
Command Reference
This section documents new or modified commands. All other
commands used with this feature are documented in the Cisco IOS
Release 12.0(5)T command reference publications.
- ip inspect name (global configuration)
- ip inspect alert-off
In Cisco IOS Release 12.0(1)T or later, you can search and filter
the output for show and more commands. This functionality is useful
when you need to sort through large amounts of output, or if you want
to exclude output that you do not need to see.
To use this functionality, enter a show or more command followed by
the "pipe" character (|), one of the keywords begin, include, or
exclude, and an expression that you want to search or filter on:
command | {begin | include | exclude} regular-expression
Following is an example of the show atm vc command in which you want
the command output to begin with the first line where the expression
"PeakRate" appears:
show atm vc | begin PeakRate
For more information on the search and filter functionality, refer to
the Cisco IOS Release 12.0(1)T feature module titled CLI String Search.
ip inspect name (global configuration)
To define a set of inspection rules, use the ip inspect name global
configuration command. Use the no form of this command to remove the
inspection rule for a protocol or to remove the entire set of
inspection rules.
Syntax Description
- 
Defaults
No inspection rules are defined until you define them using this
command.
Command Modes
Global configuration
Command History
Usage Guidelines
To define a set of inspection rules, enter this command for each
protocol that you want CBAC to inspect, using the same inspection-name.
Give each set of inspection rules a unique inspection-name.
Define either one or two sets of rules per interface --- you can
define one set to examine both inbound and outbound traffic; or you
can define two sets: one for outbound traffic and one for inbound
traffic.
To define a single set of inspection rules, configure inspection
for all the desired application-layer protocols, and for TCP or UDP
as desired. This combination of TCP, UDP, and application-layer
protocols join together to form a single set of inspection rules
with a unique name.
In general, when inspection is configured for a protocol, return
traffic entering the internal network will be permitted only if the
packets are part of a valid, existing session for which state
information is being maintained.
TCP and UDP Inspection
You can configure TCP and UDP inspection to permit TCP and UDP
packets to enter the internal network through the firewall, even if
the application-layer protocol is not configured to be inspected.
However, TCP and UDP inspection does not recognize
application-specific commands, and therefore might not permit all
return packets for an application, particularly if the return
packets have a different port number than the previous exiting
packet.
Any application-layer protocol that is inspected will take
precedence over the TCP or UDP packet inspection. For example, if
inspection is configured for FTP, all control channel information
will be recorded in the state table, and all FTP traffic will be
permitted back through the firewall if the control channel
information is valid for the state of the FTP session. The fact that
TCP inspection is configured is irrelevant.
With TCP and UDP inspection, packets entering the network must
exactly match an existing session: the entering packets must have
the same source/destination addresses and source/destination port
numbers as the exiting packet (but reversed). Otherwise, the
entering packets will be blocked at the interface.
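The following Python simulator is an added example written for this page, not Cisco code, illustrating the matching described above and in the two-interface configuration's comments on access list 111: an outbound packet that passed the interface ACL creates a session entry, a packet entering the network is permitted only if it exactly matches an open session with addresses and ports reversed, and an entry whose idle timer has expired no longer admits anything. It also shows the precedence of application-layer inspection with active-mode FTP: the server opens the data connection from port 20 to a port the client announced in its `PORT` command, which plain TCP inspection cannot anticipate. The `PORT` parsing, the sample addresses and the timeouts are assumptions of the example; the simulated clock replaces real time.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP or UDP conversation: the 5-tuple the state table is keyed on."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class Inspector:
    """Generic TCP/UDP inspection, optionally with FTP application-layer inspection."""

    def __init__(self, tcp_timeout: float = 3600, udp_timeout: float = 15, ftp: bool = False):
        self.timeouts = {"tcp": tcp_timeout, "udp": udp_timeout}
        self.ftp = ftp
        self.sessions: Dict[Flow, float] = {}   # inbound flow we expect -> time last seen
        self.now = 0.0                           # simulated clock (assumption of the example)

    def tick(self, seconds: float) -> None:
        self.now += seconds

    def _expire(self) -> None:
        """Remove entries idle longer than their protocol's timeout."""
        for flow in [f for f, last in self.sessions.items()
                     if self.now - last > self.timeouts[f.proto]]:
            del self.sessions[flow]

    def outbound(self, flow: Flow, payload: bytes = b"") -> None:
        """A packet leaving the protected network that already passed the interface ACL."""
        self._expire()
        self.sessions[flow.reverse()] = self.now
        if self.ftp and flow.proto == "tcp" and flow.dport == 21:
            self._learn_ftp_data_channel(flow, payload)

    def _learn_ftp_data_channel(self, ctrl: Flow, payload: bytes) -> None:
        # Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control channel
        # and the server then connects from port 20 to that address and port.  Application
        # inspection reads the command and pre-opens that inbound flow; plain TCP inspection
        # cannot, because its 5-tuple is not the reverse of the control channel.
        text = payload.decode("ascii", "replace").strip()
        if text.upper().startswith("PORT "):
            h1, h2, h3, h4, p1, p2 = (int(x) for x in text[5:].split(","))
            data = Flow("tcp", ctrl.dst, 20, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
            self.sessions[data] = self.now

    def inbound(self, flow: Flow) -> bool:
        """Permit a packet entering the network only if it exactly matches an open session."""
        self._expire()
        if flow in self.sessions:
            self.sessions[flow] = self.now
            return True
        return False


def inspection_scenario() -> Dict[str, bool]:
    """Constructed traffic from a host on the two-interface example's 172.19.139.0/29 LAN."""
    fw = Inspector(udp_timeout=15)
    http = Flow("tcp", "172.19.139.2", 40001, "198.51.100.10", 80)
    fw.outbound(http)
    results = {
        "http_reply": fw.inbound(http.reverse()),
        "http_reply_wrong_port": fw.inbound(Flow("tcp", "198.51.100.10", 8080, "172.19.139.2", 40001)),
        "unsolicited_to_other_host": fw.inbound(Flow("tcp", "198.51.100.10", 80, "172.19.139.3", 40001)),
    }
    dns = Flow("udp", "172.19.139.2", 53000, "172.19.2.132", 53)
    fw.outbound(dns)
    fw.tick(10)
    results["dns_reply_within_timeout"] = fw.inbound(dns.reverse())
    fw.tick(20)                                   # 30 s idle: past the 15 s UDP timeout
    results["dns_reply_after_timeout"] = fw.inbound(dns.reverse())
    # Active FTP with and without application-layer inspection.
    ctrl = Flow("tcp", "172.19.139.2", 40010, "198.51.100.20", 21)
    port_cmd = b"PORT 172,19,139,2,156,78\r\n"   # 156*256+78 = port 40014
    data = Flow("tcp", "198.51.100.20", 20, "172.19.139.2", 40014)
    plain, app = Inspector(ftp=False), Inspector(ftp=True)
    plain.outbound(ctrl, port_cmd)
    app.outbound(ctrl, port_cmd)
    results["ftp_data_tcp_only"] = plain.inbound(data)
    results["ftp_data_with_ftp_inspection"] = app.inbound(data)
    return results
```

`inspection_scenario()` returns True for the HTTP reply and the DNS reply that arrives within 15 seconds, and False for a reply from a different server port, a packet aimed at a host that never opened a session, and the DNS reply that arrives after the idle timeout; the FTP data connection is admitted only by the inspector that parsed the control channel.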
Application-Layer Protocol Inspection
In general, if you configure inspection for an application-layer
protocol, packets for that protocol should be permitted to exit the
firewall (by configuring the correct ACL), and packets for that
protocol will be allowed back in through the firewall only if they
belong to a valid existing session. Each protocol packet is
inspected to maintain information about the session state.
Java, H.323, RPC, SMTP, and SQL*Net inspection have additional
considerations. Those for Java, H.323, RPC, and SMTP are described in
the next four sections.
Java Inspection
Java inspection enables Java applet filtering at the firewall.
Java applet filtering distinguishes between trusted and untrusted
applets by relying on a list of external sites that you designate as
"friendly." If an applet is from a friendly site, the
firewall allows the applet through. If the applet is not from a
friendly site, the applet will be blocked. Alternately, you could
permit applets from all sites except for sites specifically
designated as "hostile."
Note: Before you configure Java inspection, you must configure a
standard access list that defines "friendly" and "hostile" external
sites. You configure this access list to permit traffic from friendly
sites, and to deny traffic from hostile sites. If you do not configure
an access list, but use a "placeholder" access list in the ip inspect
name inspection-name http command, all Java applets will be blocked.
Caution CBAC does not detect or block encapsulated Java
applets. Therefore, Java applets that are wrapped or encapsulated,
such as applets in .zip or .jar format, are not blocked at
the firewall. CBAC also does not detect or block applets loaded via
FTP, gopher, or HTTP on a nonstandard port.
H.323 Inspection
If you want CBAC inspection to work with NetMeeting 2.0 traffic
(an H.323 application-layer protocol), you must also configure
inspection for TCP. This requirement exists because NetMeeting
2.0 uses an additional TCP channel not defined in the H.323
specification.
RPC Inspection
RPC inspection allows the specification of various program
numbers. You can define multiple program numbers by creating
multiple entries for RPC inspection, each with a different
program number. If a program number is specified, all
traffic for that program number will be permitted. If a
program number is not specified, all traffic for that program
number will be blocked. For example, if you created an RPC entry
with the NFS program number, all NFS traffic will be allowed through
the firewall.
SMTP Inspection
SMTP inspection causes SMTP commands to be inspected for illegal
commands. Any packets with illegal commands are dropped, and the
SMTP session will hang and eventually time out. An illegal command
is any command except for the following legal commands:
- DATA
- EHLO
- EXPN
- HELO
- HELP
- MAIL
- NOOP
- QUIT
- RCPT
- RSET
- SAML
- SEND
- SOML
- VRFY
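The following Python filter is an added example written for this page, not Cisco code, showing what the legal-command list above amounts to in practice: each client-to-server packet is checked line by line, the verb is taken case-insensitively from the start of the line (so `MAIL FROM:<...>` yields `MAIL`), and a packet is dropped whole if any of its pipelined command lines carries a verb outside the list. Treating the message body between `DATA` and the terminating `.` line as data rather than commands, and leaving the session state unchanged when a packet is dropped, are assumptions of the example; the sample session is constructed.

```python
from typing import List

# The legal command set from the page; anything else is an illegal command.
LEGAL_SMTP_COMMANDS = frozenset({
    "DATA", "EHLO", "EXPN", "HELO", "HELP", "MAIL", "NOOP",
    "QUIT", "RCPT", "RSET", "SAML", "SEND", "SOML", "VRFY",
})


class SmtpInspector:
    """Tracks one client-to-server SMTP stream and gives a per-packet verdict."""

    def __init__(self) -> None:
        self.in_data = False   # between DATA and the terminating "." line (assumption:
                               # body lines are not treated as commands)

    @staticmethod
    def _verb(line: bytes) -> str:
        # "MAIL FROM:<a@b>" -> "MAIL", "RCPT TO:<c@d>" -> "RCPT"; matching is case-insensitive.
        head = line.split(b" ", 1)[0].split(b":", 1)[0]
        return head.decode("ascii", "replace").upper()

    def packet(self, payload: bytes) -> str:
        """Return 'pass' or 'drop' for one packet.  A dropped packet never reaches the
        server, so the tracked session state is left as it was."""
        in_data = self.in_data
        for line in payload.split(b"\r\n"):
            if in_data:
                if line == b".":
                    in_data = False
                continue
            if not line:
                continue
            verb = self._verb(line)
            if verb not in LEGAL_SMTP_COMMANDS:
                return "drop"
            if verb == "DATA":
                in_data = True
        self.in_data = in_data
        return "pass"


def inspect_session(packets: List[bytes]) -> List[str]:
    insp = SmtpInspector()
    return [insp.packet(p) for p in packets]


# Constructed sample stream from an HR client to the HR mail server.
SAMPLE_SESSION = [
    b"EHLO hrclient.example.com\r\n",
    b"MAIL FROM:<user1@example.com>\r\nRCPT TO:<hq@example.com>\r\n",   # pipelined, both legal
    b"DATA\r\n",
    b"Subject: TURN\r\n\r\nTURN is only a word inside the body.\r\n.\r\n",
    b"turn\r\n",                                                          # illegal verb, lower case
    b"MAIL FROM:<x@example.com>\r\nXEXCH50 2 2\r\n",                      # one illegal line drops the packet
    b"QUIT\r\n",
]
```

`inspect_session(SAMPLE_SESSION)` yields `pass` for the first four packets, `drop` for the bare `turn` and for the packet that pipelines `XEXCH50` behind a legal `MAIL`, and `pass` for `QUIT`. The list contains no `AUTH` or `STARTTLS`, so with this inspection a client that uses either would have its packet dropped and the session would hang as described above.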
Use of the timeout Keyword
If you specify a timeout for any of the transport-layer or
application-layer protocols, the timeout will override the global
idle timeout for the interface that the set of inspection rules is
applied to.
If the protocol is TCP or a TCP application-layer protocol, the
timeout will override the global TCP idle timeout. If the protocol
is UDP or a UDP application-layer protocol, the timeout will
override the global UDP idle timeout.
If you do not specify a timeout for a protocol, the timeout value
applied to a new session of that protocol will be taken from the
corresponding TCP or UDP global timeout value valid at the time of
session creation.
IP Fragmentation Inspection
CBAC inspection rules can help protect hosts against certain DoS
attacks involving fragmented IP packets. Even though the firewall
keeps an attacker from making actual connections to a given host,
the attacker may still be able to disrupt services provided by that
host. This is done by sending many noninitial IP fragments or by
sending complete fragmented packets through a router with an ACL
that filters the first fragment of a fragmented packet. These
fragments can tie up resources on the target host as it tries to
reassemble the incomplete packets.
Using fragmentation inspection, the firewall maintains an interfragment
state (structure) for IP traffic. Noninitial fragments are
discarded unless the corresponding initial fragment was permitted to
pass through the firewall. Noninitial fragments received before the
corresponding initial fragments are discarded.
Note: Fragmentation inspection can have undesirable effects in
certain cases, because it results in the firewall discarding any
noninitial fragment that arrives before its initial fragment. There
are many circumstances that can cause out-of-order delivery of
legitimate fragments. Before applying fragmentation inspection,
consider whether legitimate fragmented traffic on that path is likely
to arrive out of order and whether dropping it is acceptable.
Because routers running Cisco IOS software are used in a very
large variety of networks, and because the CBAC feature is often
used to isolate parts of internal networks from one another, the
fragmentation inspection feature is not enabled by default.
Fragmentation detection must be explicitly enabled for an inspection
rule using the ip inspect name command. Unfragmented traffic is never
discarded because it lacks a fragment state. Even when the system is
under heavy attack with fragmented packets, legitimate fragmented
traffic, if any, will still get some fraction of the firewall fragment
state resources, and legitimate, unfragmented traffic can flow through
the firewall unimpeded.
Examples
The following example causes the software to inspect TCP sessions
and UDP sessions, and to specifically allow CU-SeeMe, FTP, and RPC
traffic back through the firewall for existing sessions only. For
UDP traffic, audit trail is on. For FTP traffic, the idle timeout is
set to override the global TCP idle timeout. For RPC traffic,
program numbers 100003, 100005, and 100021 are permitted:
ip inspect name myrules tcp
ip inspect name myrules udp audit-trail on
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021
The following example adds fragment checking to software
inspection of TCP and UDP sessions for the rule named myname.
In this example, the firewall software will allocate 100 state
structures, and the timeout value for dropping unassembled packets
is set to 4 seconds. If 100 initial fragments for 100 different
packets are sent through the router, all of the state structures
will be used up. The initial fragment for packet 101 will be
dropped. Additionally, if the number of free state structures
(structures available for use by unassembled packets) drops below
the threshold values, 32 or 16, the timeout value is automatically
reduced to 2 or 1, respectively. Changing the timeout value frees
packet state structures more quickly:
ip inspect name myrules tcp
ip inspect name myrules udp audit-trail on
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021
ip inspect name myrules fragment max 100 timeout 4
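The following Python model is an added illustration of the fragment-state behaviour the example describes; it is not Cisco IOS code. The values 100 state structures, a 4-second timeout, and the free-state thresholds of 32 and 16 with reduced timeouts of 2 and 1 seconds are taken from the text above. How IOS keys its state structures and when exactly it releases them is not stated on the page, so the (src, dst, protocol, IP identification) key and the release-on-timer-expiry rule are assumptions of this model.

```python
"""Model of CBAC fragmentation inspection state (added illustration; not
Cisco IOS code). The 'max 100 / timeout 4' values and the 32/16 free-state
thresholds with reduced timeouts of 2 s / 1 s come from the example above;
how IOS keys its state structures and expires them is an assumption here.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# A datagram's fragments share (src, dst, protocol, IP identification).
FragKey = Tuple[str, str, int, int]


@dataclass
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int
    offset: int           # 0 marks the initial fragment
    more_fragments: bool  # MF bit; offset 0 and MF clear = unfragmented


@dataclass
class FragmentInspector:
    max_states: int                      # "fragment max 100"
    timeout: float                       # "timeout 4" (seconds)
    # (free-state threshold, reduced timeout), most aggressive first.
    thresholds: Tuple[Tuple[int, float], ...] = ((16, 1.0), (32, 2.0))
    # key -> absolute expiry time of the state structure (assumed model:
    # a structure is released only when its timer expires).
    states: Dict[FragKey, float] = field(default_factory=dict)

    def free_states(self) -> int:
        return self.max_states - len(self.states)

    def effective_timeout(self) -> float:
        """Timeout given to the next state structure: reduced once the
        number of free structures drops below 32, and again below 16."""
        free = self.free_states()
        for limit, reduced in self.thresholds:
            if free < limit:
                return reduced
        return self.timeout

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.states.items() if exp <= now]:
            del self.states[key]

    def inspect(self, frag: Fragment, now: float, acl_permits: bool = True) -> str:
        """Return 'pass' or 'drop' for one fragment and update the state."""
        self._expire(now)
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        if frag.offset == 0 and not frag.more_fragments:
            # Unfragmented traffic never needs a fragment state structure.
            return "pass" if acl_permits else "drop"
        if frag.offset == 0:
            # Initial fragment: the ACL decision is made here, and a state
            # structure must be available or the fragment is dropped.
            if not acl_permits or self.free_states() == 0:
                return "drop"
            self.states[key] = now + self.effective_timeout()
            return "pass"
        # Non-initial fragment: passes only if its initial fragment was
        # already permitted; otherwise (out of order or never seen) dropped.
        return "pass" if key in self.states else "drop"


def demo() -> dict:
    """Replay the worked example: 100 state structures, 4-second timeout."""
    fw = FragmentInspector(max_states=100, timeout=4.0)

    def frag(ident: int, offset: int, mf: bool, proto: int = 17) -> Fragment:
        return Fragment("10.1.0.1", "10.0.0.1", proto, ident, offset, mf)

    r = {}
    # A non-initial fragment arriving before its initial fragment is dropped.
    r["orphan_noninitial"] = fw.inspect(frag(900, 185, False), now=0.0)
    # 100 initial fragments of 100 different datagrams use every structure.
    verdicts = [fw.inspect(frag(i, 0, True), now=0.0) for i in range(1, 101)]
    r["first_100_passed"] = verdicts.count("pass")
    # Timeouts assigned while filling (now=0.0, so expiry == timeout):
    # 4 s at first, 2 s once fewer than 32 are free, 1 s below 16.
    r["timeout_of_69th"] = fw.states[("10.1.0.1", "10.0.0.1", 17, 69)]
    r["timeout_of_70th"] = fw.states[("10.1.0.1", "10.0.0.1", 17, 70)]
    r["timeout_of_86th"] = fw.states[("10.1.0.1", "10.0.0.1", 17, 86)]
    # The initial fragment of datagram 101 finds no free structure.
    r["packet_101"] = fw.inspect(frag(101, 0, True), now=0.0)
    # A later fragment of a tracked datagram still passes, as does
    # unfragmented traffic, even with all structures in use.
    r["tracked_noninitial"] = fw.inspect(frag(7, 185, False), now=0.1)
    r["unfragmented"] = fw.inspect(frag(5000, 0, False, proto=6), now=0.1)
    # After 1.5 s the 1-second structures have expired, so room exists again.
    r["after_1_5s"] = fw.inspect(frag(103, 0, True), now=1.5)
    r["free_after_1_5s"] = fw.free_states()
    # After the full 4 s everything has expired.
    r["after_timeout"] = fw.inspect(frag(104, 0, True), now=4.5)
    return r
```

Running demo() shows why the adaptive timeout matters: the last 15 structures allocated under pressure carry a 1-second timer, so by 1.5 seconds they are free again and a new initial fragment is accepted, while structures allocated when the pool was healthy keep the configured 4 seconds.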
Related Commands
ip inspect alert-off
Syntax Description
This command has no arguments or keywords.
Defaults
Alert messages are displayed.
Command Modes
Global configuration
Command History 
Usage Guidelines
Use the ip inspect alert-off command to disable alert messages.
Examples
The following command turns off CBAC alert messages:
ip inspect alert-off
Debug Commands
This section documents the modified debug command related to the
CBAC feature.
debug ip inspect
To display messages about CBAC events, use the debug ip inspect EXEC
command. The no form of this command disables debugging output.
debug ip inspect {function-trace | object-creation | object-deletion | events | timers | protocol | detailed}
no debug ip inspect detailed
Syntax Description
[Table 7: Protocol Keywords for the debug ip inspect Command]
Command History 
Examples
The following is sample output from the debug ip inspect function-trace
command:
*Mar 2 01:16:16: CBAC FUNC: insp_inspection
*Mar 2 01:16:16: CBAC FUNC: insp_pre_process_sync
*Mar 2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41
*Mar 2 01:16:16: CBAC FUNC: insp_find_pregen_session
*Mar 2 01:16:16: CBAC FUNC: insp_get_idbsb
*Mar 2 01:16:16: CBAC FUNC: insp_get_idbsb
*Mar 2 01:16:16: CBAC FUNC: insp_get_irc_of_idb
*Mar 2 01:16:16: CBAC FUNC: insp_get_idbsb
*Mar 2 01:16:16: CBAC FUNC: insp_create_sis
*Mar 2 01:16:16: CBAC FUNC: insp_inc_halfopen_sis
*Mar 2 01:16:16: CBAC FUNC: insp_link_session_to_hash_table
*Mar 2 01:16:16: CBAC FUNC: insp_inspect_pak
*Mar 2 01:16:16: CBAC FUNC: insp_l4_inspection
*Mar 2 01:16:16: CBAC FUNC: insp_process_tcp_seg
*Mar 2 01:16:16: CBAC FUNC: insp_listen_state
*Mar 2 01:16:16: CBAC FUNC: insp_ensure_return_traffic
*Mar 2 01:16:16: CBAC FUNC: insp_add_acl_item
*Mar 2 01:16:16: CBAC FUNC: insp_ensure_return_traffic
*Mar 2 01:16:16: CBAC FUNC: insp_add_acl_item
*Mar 2 01:16:16: CBAC FUNC: insp_process_syn_packet
*Mar 2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41
*Mar 2 01:16:16: CBAC FUNC: insp_create_tcp_host_entry
*Mar 2 01:16:16: CBAC* FUNC: insp_fast_inspection
*Mar 2 01:16:16: CBAC* FUNC: insp_inspect_pak
*Mar 2 01:16:16: CBAC* FUNC: insp_l4_inspection
*Mar 2 01:16:16: CBAC* FUNC: insp_process_tcp_seg
*Mar 2 01:16:16: CBAC* FUNC: insp_synrcvd_state
*Mar 2 01:16:16: CBAC* FUNC: insp_fast_inspection
*Mar 2 01:16:16: CBAC* FUNC: insp_inspect_pak
*Mar 2 01:16:16: CBAC* FUNC: insp_l4_inspection
*Mar 2 01:16:16: CBAC* FUNC: insp_process_tcp_seg
*Mar 2 01:16:16: CBAC* FUNC: insp_synrcvd_state
*Mar 2 01:16:16: CBAC FUNC: insp_dec_halfopen_sis
*Mar 2 01:16:16: CBAC FUNC: insp_remove_sis_from_host_entry
*Mar 2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41
This output shows the functions called by CBAC as a session is
inspected. Entries with an asterisk (*) after the word "CBAC"
are entries when the fast path is used; otherwise, the process path
is used.
The following is sample output from the debug ip inspect
object-creation and debug ip inspect object-deletion commands:
*Mar 2 01:18:30: CBAC OBJ_CREATE: create pre-gen sis 25A3574
*Mar 2 01:18:30: CBAC OBJ_CREATE: create acl wrapper 25A36FC -- acl item 25A3634
*Mar 2 01:18:30: CBAC OBJ_CREATE: create sis 25C1CC4
*Mar 2 01:18:30: CBAC OBJ_DELETE: delete pre-gen sis 25A3574
*Mar 2 01:18:30: CBAC OBJ_CREATE: create host entry 25A3574 addr 10.0.0.1 bucket 31
*Mar 2 01:18:30: CBAC OBJ_DELETE: delete sis 25C1CC4
*Mar 2 01:18:30: CBAC OBJ_DELETE: delete create acl wrapper 25A36FC -- acl item 25A3634
*Mar 2 01:18:31: CBAC OBJ_DELETE: delete host entry 25A3574 addr 10.0.0.1
The following is sample output from the debug ip inspect
object-creation, debug ip inspect object-deletion, and debug ip inspect
events commands:
*Mar 2 01:18:51: CBAC OBJ_CREATE: create pre-gen sis 25A3574
*Mar 2 01:18:51: CBAC OBJ_CREATE: create acl wrapper 25A36FC -- acl item 25A3634
*Mar 2 01:18:51: CBAC Src 10.1.0.1 Port [1:65535]
*Mar 2 01:18:51: CBAC Dst 10.0.0.1 Port [46406:46406]
*Mar 2 01:18:51: CBAC Pre-gen sis 25A3574 created: 10.1.0.1[1:65535] 30.0.0.1[46406:46406]
*Mar 2 01:18:51: CBAC OBJ_CREATE: create sis 25C1CC4
*Mar 2 01:18:51: CBAC sis 25C1CC4 initiator_addr (10.1.0.1:20) responder_addr (30.0.0.1:46406) initiator_alt_addr (40.0.0.1:20) responder_alt_addr (10.0.0.1:46406)
*Mar 2 01:18:51: CBAC OBJ_DELETE: delete pre-gen sis 25A3574
*Mar 2 01:18:51: CBAC OBJ_CREATE: create host entry 25A3574 addr 10.0.0.1 bucket 31
*Mar 2 01:18:51: CBAC OBJ_DELETE: delete sis 25C1CC4
*Mar 2 01:18:51: CBAC OBJ_DELETE: delete create acl wrapper 25A36FC -- acl item 25A3634
*Mar 2 01:18:51: CBAC OBJ_DELETE: delete host entry 25A3574 addr 10.0.0.1
The following is sample output from the debug ip inspect timers
command:
*Mar 2 01:19:15: CBAC Timer Init Leaf: Pre-gen sis 25A3574
*Mar 2 01:19:15: CBAC Timer Start: Pre-gen sis 25A3574 Timer: 25A35D8 Time: 30000 milisecs
*Mar 2 01:19:15: CBAC Timer Init Leaf: sis 25C1CC4
*Mar 2 01:19:15: CBAC Timer Stop: Pre-gen sis 25A3574 Timer: 25A35D8
*Mar 2 01:19:15: CBAC Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 30000 milisecs
*Mar 2 01:19:15: CBAC Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 3600000 milisecs
*Mar 2 01:19:15: CBAC Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 5000 milisecs
*Mar 2 01:19:15: CBAC Timer Stop: sis 25C1CC4 Timer: 25C1D5C
The following is sample output from the debug ip inspect tcp command:
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet
*Mar 2 01:20:43: CBAC sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2544374 TCP P ack 4200176247 seq 4223720032(30) (10.0.0.1:46409) <= (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 25412F8 TCP P ack 4223720062 seq 4200176247(15) (10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC sis 25C1CC4 pak 2544734 TCP S seq 4226992037(0) (10.1.0.1:20) => (10.0.0.1:46411)
*Mar 2 01:20:43: CBAC* sis 25C1CC4 pak 2541E38 TCP S ack 4226992038 seq 4203405054(0) (10.1.0.1:20) <= (10.0.0.1:46411)
This sample shows TCP packets being processed, and lists the
corresponding acknowledgment (ACK) numbers and sequence (SEQ)
numbers. The number of data bytes in the TCP packet is shown in
parentheses, for example (22). For each packet shown, the address and
port number are shown separated by a colon. For example, (10.1.0.1:21)
indicates an IP address of 10.1.0.1 and a TCP port number of 21.
Entries with an asterisk (*) after the word "CBAC" are entries when
the fast path is used; otherwise, the process path is used.
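As an added illustration (not Cisco IOS code), the following Python parser turns debug ip inspect tcp lines like the ones above into structured records and runs two checks a practitioner typically wants when reading this output: how many segments per session took the fast path versus the process path (a PROCESS-SWITCH verdict makes the same pak id appear twice, once per path, so bytes are counted once per pak), and whether consecutive data segments in each direction continue where the previous one ended, which is the seq + length bookkeeping the i_sndnxt and r_sndnxt fields in the detailed output track. The sample lines are copied from the page; the field names (initiator, responder, fast_path) and the reading of the left address as the session initiator with => and <= giving the direction are this example's interpretation of that sample, and the final line marked constructed is not from the page.

```python
"""Parser and consistency check for 'debug ip inspect tcp' output (added
illustration, not Cisco IOS code). Line formats are those of the sample
output above; field names and the initiator/direction reading of the
'=>' / '<=' arrows are this example's interpretation of that sample.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

TS = r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): CBAC(?P<fast>\*)? sis (?P<sis>[0-9A-F]+) "
# One record per inspected TCP segment; "CBAC*" marks the fast path.
TCP_RE = re.compile(
    TS + r"pak (?P<pak>[0-9A-F]+) TCP (?P<flags>[A-Z]+)(?: ack (?P<ack>\d+))? "
    r"seq (?P<seq>\d+)\((?P<len>\d+)\) \((?P<l_ip>[\d.]+):(?P<l_port>\d+)\) "
    r"(?P<dir>=>|<=) \((?P<r_ip>[\d.]+):(?P<r_port>\d+)\)$")
# Application-layer verdict lines, e.g. "ftp L7 inspect result: PASS packet".
L7_RE = re.compile(TS + r"(?P<proto>\w+) L7 inspect result: (?P<verdict>[A-Z-]+) packet$")

# Sample lines copied from the page's debug ip inspect tcp output (rejoined).
SAMPLE_LOG = [
    "*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21)",
    "*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet",
    "*Mar 2 01:20:43: CBAC sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21)",
    "*Mar 2 01:20:43: CBAC sis 25A3604 ftp L7 inspect result: PASS packet",
    "*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2544374 TCP P ack 4200176247 seq 4223720032(30) (10.0.0.1:46409) <= (10.1.0.1:21)",
    "*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet",
    "*Mar 2 01:20:43: CBAC* sis 25A3604 pak 25412F8 TCP P ack 4223720062 seq 4200176247(15) (10.0.0.1:46409) => (10.1.0.1:21)",
    "*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet",
    "*Mar 2 01:20:43: CBAC sis 25C1CC4 pak 2544734 TCP S seq 4226992037(0) (10.1.0.1:20) => (10.0.0.1:46411)",
    "*Mar 2 01:20:43: CBAC* sis 25C1CC4 pak 2541E38 TCP S ack 4226992038 seq 4203405054(0) (10.1.0.1:20) <= (10.0.0.1:46411)",
]
# Constructed line (not from the page): a segment whose seq skips 38 bytes.
CONSTRUCTED_GAP_LINE = ("*Mar 2 01:20:44: CBAC* sis 25A3604 pak 2545000 TCP P ack 4223720062 "
                        "seq 4200176300(10) (10.0.0.1:46409) => (10.1.0.1:21)")


def parse_tcp_line(line: str) -> Optional[dict]:
    m = TCP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # Left addr:port is the session initiator; '=>' is initiator -> responder.
    return {"sis": d["sis"], "pak": d["pak"], "fast_path": d["fast"] == "*",
            "flags": d["flags"], "ack": int(d["ack"]) if d["ack"] else None,
            "seq": int(d["seq"]), "len": int(d["len"]), "dir": d["dir"],
            "initiator": (d["l_ip"], int(d["l_port"])),
            "responder": (d["r_ip"], int(d["r_port"]))}


def parse_l7_line(line: str) -> Optional[dict]:
    m = L7_RE.match(line.strip())
    return None if not m else {"sis": m["sis"], "proto": m["proto"],
                               "verdict": m["verdict"], "fast_path": m["fast"] == "*"}


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per-session counts: path used, bytes per direction (once per pak,
    since a PROCESS-SWITCH re-inspects the same packet), SYNs, L7 verdicts."""
    out: Dict[str, dict] = defaultdict(lambda: {
        "fast_path": 0, "process_path": 0, "bytes_to_responder": 0,
        "bytes_to_initiator": 0, "syn": 0, "l7": defaultdict(int)})
    seen = set()
    for line in lines:
        rec = parse_tcp_line(line)
        if rec:
            s = out[rec["sis"]]
            s["fast_path" if rec["fast_path"] else "process_path"] += 1
            s["syn"] += "S" in rec["flags"]
            if (rec["sis"], rec["pak"]) not in seen:
                seen.add((rec["sis"], rec["pak"]))
                s["bytes_to_responder" if rec["dir"] == "=>" else "bytes_to_initiator"] += rec["len"]
            continue
        l7 = parse_l7_line(line)
        if l7:
            out[l7["sis"]]["l7"][l7["verdict"]] += 1
    return {sis: {**v, "l7": dict(v["l7"])} for sis, v in out.items()}


def seq_gaps(lines: List[str]) -> List[Tuple[str, str, int, int]]:
    """Check that each data segment per (session, direction) starts where the
    previous one ended (seq + len, +1 for a SYN), like CBAC's saved
    i_sndnxt/r_sndnxt. Returns (sis, dir, expected_seq, actual_seq) per break."""
    expected: Dict[Tuple[str, str], int] = {}
    seen = set()
    gaps = []
    for line in lines:
        rec = parse_tcp_line(line)
        if not rec or (rec["sis"], rec["pak"]) in seen:
            continue
        seen.add((rec["sis"], rec["pak"]))
        key = (rec["sis"], rec["dir"])
        if key in expected and rec["seq"] != expected[key]:
            gaps.append((rec["sis"], rec["dir"], expected[key], rec["seq"]))
        expected[key] = rec["seq"] + rec["len"] + (1 if "S" in rec["flags"] else 0)
    return gaps
```

On the page's own sample, summarize() reports session 25A3604 with three fast-path and one process-path record, 37 bytes toward the FTP server and 30 back, and L7 verdicts of one PROCESS-SWITCH and three PASS; seq_gaps() finds no break, while appending the constructed line reports the expected 4200176262 against the observed 4200176300.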
The following is sample output from the debug ip inspect tcp and
debug ip inspect detailed commands:
*Mar 2 01:20:58: CBAC* Pak 2541E38 Find session for (30.0.0.1:46409) (40.0.0.1:21) tcp
*Mar 2 01:20:58: P ack 4223720160 seq 4200176262(22)
*Mar 2 01:20:58: CBAC* Pak 2541E38 Addr:port pairs to match: (30.0.0.1:46409) (40.0.0.1:21)
*Mar 2 01:20:58: CBAC* sis 25A3604 SIS_OPEN
*Mar 2 01:20:58: CBAC* Pak 2541E38 IP: s=30.0.0.1 (Ethernet0), d=40.0.0.1 (Ethernet1), len 76,proto=6
*Mar 2 01:20:58: CBAC sis 25A3604 Saving State: SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176262 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760
*Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 TCP P ack 4223720160 seq 4200176262(22) (30.0.0.1:46409) => (40.0.0.1:21)
*Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 SIS_OPEN/ESTAB TCP seq 4200176262(22) Flags: ACK 4223720160 PSH
*Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 --> SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176284 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760
*Mar 2 01:20:58: CBAC* sis 25A3604 L4 inspect result: PASS packet 2541E38 (30.0.0.1:46409) (40.0.0.1:21) bytes 22 ftp
*Mar 2 01:20:58: CBAC sis 25A3604 Restoring State: SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176262 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760
*Mar 2 01:20:58: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet
*Mar 2 01:20:58: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet
*Mar 2 01:20:58: CBAC* Bump up: inspection requires the packet in the process path(30.0.0.1) (40.0.0.1)
*Mar 2 01:20:58: CBAC Pak 2541E38 Find session for (30.0.0.1:46409) (40.0.0.1:21) tcp
*Mar 2 01:20:58: P ack 4223720160 seq 4200176262(22)
*Mar 2 01:20:58: CBAC Pak 2541E38 Addr:port pairs to match: (30.0.0.1:46409) (40.0.0.1:21)
*Mar 2 01:20:58: CBAC sis 25A3604 SIS_OPEN
*Mar 2 01:20:58: CBAC Pak 2541E38 IP: s=30.0.0.1 (Ethernet0), d=40.0.0.1 (Ethernet1), len 76, proto=6