Configure Cisco IOS Firewall Context-Based Access Control
Define inspection rules for applications

Inspection rules must be defined to specify what IP traffic, and which application-layer protocols, will be inspected by CBAC at an interface. Normally, only one inspection rule is defined. The only exception might occur if CBAC is enabled in two directions at a single firewall interface. In this case two rules must be configured, one for each direction.

An inspection rule should specify each desired application-layer protocol, as well as generic TCP or generic UDP, if desired. The inspection rule consists of a series of statements, each listing a protocol and specifying the same inspection rule name.

Inspection rules include options for controlling alert and audit trail messages and for checking IP packet fragmentation.

Use the ip inspect name command in global configuration mode to define a set of inspection rules. Use the no form of this command to remove the inspection rule for a protocol or to remove the entire set of inspection rules. The syntax for the ip inspect name command is shown in Figure .

Java Inspection
Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that are designated as friendly. If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked. Alternatively, applets from all sites could be permitted except for sites specifically designated as hostile. The syntax for the ip inspect name command for Java applet filtering inspection is shown in Figure .

NOTE:

CBAC does not detect or block encapsulated Java applets. Therefore, Java applets that are wrapped or encapsulated, such as applets in .zip or .jar format, are not blocked at the firewall. CBAC also does not detect or block applets loaded via FTP, gopher, or HTTP on a nonstandard port.

Remote Procedure Call (RPC) Inspection
Before looking at how and why Remote Procedure Call (RPC) application inspection is necessary, it helps to have a basic understanding of the protocol. RPC is an independent set of functions used for accessing remote nodes on a network. Using RPC network services, applications can be created in much the same way a programmer writes software for a single computer using local procedure calls. The RPC protocols extend the concept of local procedure calls across the network, which means that administrators can develop distributed applications for transparent execution across a network.

RPC inspection enables the specification of various program numbers. It is possible to define multiple program numbers by creating multiple entries for RPC inspection, each with a different program number. All traffic for a program number that has been specified in an RPC entry is permitted; traffic for any program number that has not been specified is blocked. For example, if an RPC entry is created with the NFS program number, all NFS traffic will be allowed through the firewall. The syntax of the ip inspect name command for RPC applications is shown in Figure .

SMTP Inspection
SMTP inspection causes SMTP commands to be inspected for illegal commands. Any packets with illegal commands are dropped, and the SMTP session hangs and eventually times out. An illegal command is any command except for the following legal commands: DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY. The syntax for the ip inspect name command for SMTP application inspection is shown in Figure .
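The following is an added configuration example, not taken from the original page or from Cisco documentation, that ties the sections above together into a single inspection rule. The rule name CBACRULE, standard ACL number 51, the 192.0.2.0/24 "friendly" network, the interface name, and the timeout values are assumptions chosen for illustration; 100003 is the well-known NFS RPC program number.

```cisco
! Added example (not from the original page): one CBAC inspection rule
! named CBACRULE covering generic TCP/UDP plus the application-layer
! protocols discussed above. Rule name, ACL 51, interface and addresses
! are assumptions for illustration.
!
! Standard ACL listing the "friendly" Java sites: applets fetched from
! 192.0.2.0/24 are permitted, applets from any other source are blocked.
access-list 51 permit 192.0.2.0 0.0.0.255
access-list 51 deny any
!
! Generic TCP and UDP inspection, with alert and audit-trail messages
! enabled and the idle timeouts stated explicitly.
ip inspect name CBACRULE tcp alert on audit-trail on timeout 3600
ip inspect name CBACRULE udp alert on audit-trail on timeout 30
!
! HTTP inspection with Java applet filtering against ACL 51.
ip inspect name CBACRULE http java-list 51 audit-trail on
!
! RPC inspection: permit NFS (program number 100003) and keep the
! session open for 30 minutes after the RPC exchange ends. Any RPC
! program number without an entry is blocked.
ip inspect name CBACRULE rpc program-number 100003 wait-time 30
!
! SMTP command inspection (packets carrying illegal commands are
! dropped and the session hangs until it times out).
ip inspect name CBACRULE smtp
!
! Fragment checking: track up to 256 unassembled packets, each for at
! most 1 second, dropping non-initial fragments with no initial fragment.
ip inspect name CBACRULE fragment max 256 timeout 1
!
! Apply the rule inbound on the inside interface so that sessions
! initiated from the trusted network open temporary return openings
! through the extended ACL on the outside interface.
interface FastEthernet0/0
 description inside (assumed interface name)
 ip inspect CBACRULE in
!
! Verification after applying:
!   show ip inspect config
!   show ip inspect sessions
```

Only one inspection rule is applied per direction on the interface; if inspection is needed in both directions on the same interface, a second rule with a different name is defined and applied with the out keyword.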