Configure Cisco IOS Firewall Context-Based Access Control
Prepare for CBAC

For CBAC to work properly, IP access lists must be configured appropriately at the interface. Follow the three general rules shown in Figure when evaluating IP access lists at the firewall.

NOTE:

If the firewall only has two connections, one to the internal network and one to the external network, using all inbound access lists works well because packets are stopped before they get a chance to affect the router itself.

Basic Configuration
When CBAC is configured for the first time, it is helpful to start with a basic access list configuration that makes the operation of the firewall easy to understand without compromising security. The basic configuration allows all network traffic from the protected networks access to the unprotected networks, while blocking all network traffic, with some exceptions, from the unprotected networks to the protected networks.

Use the guidelines shown in Figure for configuring the initial firewall access lists.

External Interface
The following guidelines apply to access lists when CBAC is configured on an external interface:

  • If there is an outbound IP access list configured at the external interface, the access list can be a standard or extended access list. This outbound access list should permit traffic that is to be inspected by CBAC. If traffic is not permitted, it will not be inspected by CBAC, and will be dropped.
  • The inbound IP access list at the external interface must be an extended access list. This inbound access list should deny traffic that is to be inspected by CBAC. CBAC will create temporary openings in this inbound access list as appropriate to permit only return traffic that is part of a valid, existing session.

Internal Interface
The following guidelines apply to access lists when CBAC is configured on an internal interface:

  • If there is an inbound IP access list at the internal interface or an outbound IP access list at external interfaces, these access lists can be either standard or extended access lists. These access lists should permit traffic that is to be inspected by CBAC. If traffic is not permitted, it will not be inspected by CBAC, and will be dropped.
  • The outbound IP access list at the internal interface and the inbound IP access list at the external interface must be extended access lists. These outbound access lists should deny traffic that is to be inspected by CBAC. CBAC will create temporary openings in these outbound access lists as appropriate to permit only return traffic that is part of a valid, existing session. It is not necessary to configure an extended access list at both the outbound internal interface and the inbound external interface, but at least one is necessary to restrict traffic flowing through the firewall into the internal protected network.
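The basic configuration that follows the external and internal interface guidelines above, as an added example that is not part of the original page; the interface names, ACL names, addresses and the 10.0.0.0/8 internal range are assumptions.

```cisco
! Added example: basic CBAC configuration. Interface names, ACL names,
! addresses and the 10.0.0.0/8 internal range are assumptions.

! Inspection rule: track outbound TCP and UDP sessions. FTP gets its own
! entry so CBAC can open the separate data channel for return traffic.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp

! Internal interface, inbound: a standard ACL is enough here. It must
! PERMIT the traffic CBAC is to inspect; anything denied here is dropped
! before inspection and never gets a return opening.
ip access-list standard INSIDE_IN
 permit 10.0.0.0 0.255.255.255

! External interface, inbound: must be an EXTENDED ACL and must DENY the
! traffic CBAC inspects. CBAC inserts temporary permit entries ahead of
! these lines for return packets of sessions it saw leave. The permits
! are the "exceptions": ICMP types needed for PMTU discovery and traceroute.
ip access-list extended OUTSIDE_IN
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 deny   ip any any log

interface GigabitEthernet0/1
 description INSIDE (protected network)
 ip address 10.1.1.1 255.255.255.0
 ip access-group INSIDE_IN in

interface GigabitEthernet0/0
 description OUTSIDE (unprotected network)
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE_IN in
 ! Inspect sessions leaving toward the outside; the openings land in OUTSIDE_IN.
 ip inspect FW out
```

While an internal host has a session open, `show ip inspect sessions` lists it and `show ip access-lists OUTSIDE_IN` shows the dynamic permit entries CBAC added ahead of the static lines; when the session ends they disappear.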
