
For review only.

Please do not distribute
DRAFT May 2003. All rights reserved.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-1
Module 3
ACLs and CBAC

Learning Objectives


• Describe the process of creating, applying, editing and troubleshooting ACLs
• Understand the types of ACLs
• Understand how CBAC works
• Configure, apply and test CBAC

Overview


This module discusses in greater detail how routers are used to secure a network through Access Control Lists (ACLs) and Context-based Access Control (CBAC).

Key terms


• CBAC
• Turbo ACLs
• Lock and Key ACLs
• Authentication Proxy
• PAM

Access Control Lists

Identifying Access Lists

Cisco routers can identify access lists using two methods:


• Access list number (All IOS versions)—The number of the access list determines what protocol it is filtering:
– (1-99) and (1300-1399)—Standard IP access lists.
– (100-199) and (2000-2699)—Extended IP access lists.
– (800-899)—Standard IPX access lists.
• Access list name (IOS versions > 11.2)—You provide the name of the access list:
– Names contain alphanumeric characters.
– Names cannot contain spaces or punctuation and must begin with an alphabetic character.

Basic Types of IP Access Lists
Cisco routers support two basic types of IP access lists:


• Standard—Filter IP packets based on the source address only.
• Extended—Filter IP packets based on several attributes, including:
– Protocol type.
– Source and destination IP addresses.
– Source and destination TCP/UDP ports.
– ICMP and IGMP message types.

Standard Numbered Access List Format

Router(config)#

access-list access-list-number {deny | permit} source [source-wildcard]

Austin2(config)# access-list 2 permit 36.48.0.3
Austin2(config)# access-list 2 deny 36.48.0.0 0.0.255.255
Austin2(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Austin2(config)# interface e0/1
Austin2(config-if)# ip access-group 2 in

Standard Named Access List Format

Router(config)#

ip access-list standard access-list-name
Router(config-std-nacl)#
{deny | permit} source [source-wildcard]

Austin2(config)# ip access-list standard protect
Austin2(config-std-nacl)# deny 36.48.0.0 0.0.255.255
Austin2(config-std-nacl)# permit 36.0.0.0 0.255.255.255
Austin2(config-std-nacl)# exit

Extended Numbered Access List Format

[Figure: Miami router, interface e0/0 facing the Internet, in front of the 128.88.1.0 and 128.88.3.0 networks and the SMTP host 128.88.1.2]

Router(config)#
access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established] [log | log-input]

Miami(config)# access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established
Miami(config)# access-list 103 permit tcp any host 128.88.1.2 eq smtp
Miami(config)# interface e0/0
Miami(config-if)# ip access-group 103 in
Extended Named Access List Format
Router(config)#
ip access-list extended access-list-name

Router(config-ext-nacl)#
{deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established] [log | log-input]

Miami(config)# ip access-list extended mailblock
Miami(config-ext-nacl)# permit tcp any 128.88.0.0 0.0.255.255 established
Miami(config-ext-nacl)# permit tcp any host 128.88.1.2 eq smtp
Miami(config-ext-nacl)# exit
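As an added illustration (example code, not from the course or from Cisco), a small Python model of how the router evaluates Austin2's standard list 2 and Miami's extended list 103: entries are tested top-down, the first match decides, an unmatched packet hits the implicit deny, a wildcard bit of 1 means "don't care", and established matches only TCP segments carrying ACK or RST. The class and function names are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Cisco's code: a minimal model of IOS access-list
# evaluation. Packet, Entry and evaluate() are names assumed here; the two
# lists below reproduce Austin2's list 2 and Miami's list 103 from the slides.

HOST = "0.0.0.0"            # wildcard for the "host" keyword: every bit must match
ANY = "255.255.255.255"     # wildcard for the "any" keyword: no bit is checked

@dataclass
class Packet:
    src: str
    dst: str = "0.0.0.0"
    proto: str = "ip"          # "ip", "tcp", "udp" or "icmp"
    dport: int = 0             # destination port (0 = not applicable)
    ack_or_rst: bool = False   # TCP ACK or RST bit set, i.e. not a new SYN

@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str = "ip"          # a standard list checks the source only, so "ip"
    src: str = "0.0.0.0"
    src_wc: str = ANY
    dst: str = "0.0.0.0"
    dst_wc: str = ANY
    dport: int = 0             # 0 = no "eq port" clause
    established: bool = False

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.dport and p.dport != e.dport:
        return False
    # "established" matches only TCP segments with ACK or RST set: replies to
    # sessions opened from the protected side, never a new connection request.
    if e.established and not (p.proto == "tcp" and p.ack_or_rst):
        return False
    return True

def evaluate(acl: list, p: Packet) -> str:
    """Entries are tested top-down and the first match decides; a packet that
    matches no entry hits the implicit 'deny any' at the end of every list."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"

# access-list 2 permit 36.48.0.3
# access-list 2 deny 36.48.0.0 0.0.255.255
# access-list 2 permit 36.0.0.0 0.255.255.255
ACL_2 = [
    Entry("permit", src="36.48.0.3", src_wc=HOST),
    Entry("deny", src="36.48.0.0", src_wc="0.0.255.255"),
    Entry("permit", src="36.0.0.0", src_wc="0.255.255.255"),
]

# access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established
# access-list 103 permit tcp any host 128.88.1.2 eq smtp
ACL_103 = [
    Entry("permit", "tcp", dst="128.88.0.0", dst_wc="0.0.255.255", established=True),
    Entry("permit", "tcp", dst="128.88.1.2", dst_wc=HOST, dport=25),
]

if __name__ == "__main__":
    print(evaluate(ACL_2, Packet("36.48.0.3")))    # permit, first entry
    print(evaluate(ACL_2, Packet("36.48.9.9")))    # deny, second entry
    print(evaluate(ACL_2, Packet("10.0.0.1")))     # deny, implicit deny
    reply = Packet("1.2.3.4", "128.88.3.7", "tcp", 80, ack_or_rst=True)
    print(evaluate(ACL_103, reply))                # permit, established
    print(evaluate(ACL_103, Packet("1.2.3.4", "128.88.3.7", "tcp", 80)))  # deny, new SYN
```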

Commenting IP Access-List Entries

Router(config)#

remark message

Miami(config)# access-list 102 remark Allow traffic to file server
Miami(config)# access-list 102 permit ip any host 128.88.1.6

Basic Rules for Developing Access Lists

Here are some basic rules you should follow when developing access lists:


• Rule #1—Write it out!
– Get a piece of paper and write out what you want this access list to accomplish.
– This is the time to think about potential problems.
• Rule #2—Set up a development system.
– Allows you to copy and paste statements easily.
– Allows you to develop a library of access lists.
– Store the files as ASCII text files.
• Rule #3—Apply the access list to a router and test.
– If at all possible, run your access lists in a test environment before placing them into production.

Access List Directional Filtering

[Figure: Austin1 router with interfaces s0/0, e0/0 and e0/1 connected to the Internet; arrows mark the inbound and outbound directions at an interface]
• Inbound—Data flows toward router interface.
• Outbound—Data flows away from router interface.

Applying Access Lists to Interfaces
Router(config)#
ip access-group {access-list-number | access-list-name} {in | out}

Tulsa(config)# interface e0/1
Tulsa(config-if)# ip access-group 2 in
Tulsa(config-if)# exit
Tulsa(config)# interface e0/2
Tulsa(config-if)# ip access-group mailblock out

Displaying Access Lists
Router#
show access-lists {access-list-number | access-list-name}

Miami# show access-lists
Extended IP access list 102
    permit ip any host 128.88.1.6
Extended IP access list mailblock
    permit tcp any 128.88.0.0 0.0.255.255 established
Miami#

Enable Turbo ACLs

[Figure: router R2 with e0/0 (16.1.1.2) and e0/1 (16.2.1.1) facing the remote access LAN 16.2.1.0/24]

Router(config)#
access-list compiled
Router#
show access-list compiled
R2(config)# access-list compiled
R2(config)# exit
R2# show access-list compiled

Enhanced Access Lists

Cisco routers support several enhanced types of access lists:


• Dynamic (Lock and Key)—Create dynamic entries.
• Time-Based—Access lists whose statements become active based upon the time of day and/or day of the week.
• Reflexive—Create dynamic openings on the untrusted side of a router based on sessions originating from a trusted side of the router.
• Context-Based Access Control (CBAC)—Allows for secure handling of multi-channel connections based on upper layer information.
Types of IP ACLs

Context-based Access Control (CBAC)

CBAC

• Packets entering the firewall are inspected by CBAC if they are not specifically denied by an ACL.


• CBAC permits or denies specified TCP and UDP traffic through a firewall.
• A state table is maintained with session information.
• ACLs are dynamically created or deleted.
• CBAC protects against DoS attacks.

[Figure: TCP and UDP sessions from the protected network through the firewall to the Internet]

Cisco IOS ACLs

• Provide traffic filtering by:
– Source and destination IP addresses.
– Source and destination ports.
• Can be used to implement a filtering firewall:
– Ports are opened permanently to allow traffic, creating a security vulnerability.
– Do not work with applications that negotiate ports dynamically.

How CBAC Works
How CBAC Works (Cont)


Supported Protocols

• TCP (single channel)
• UDP (single channel)
• RPC
• FTP
• TFTP
• UNIX R-commands (such as rlogin, rexec, and rsh)
• SMTP
• HTTP (Java blocking)
• Java
• SQL*Net
• RTSP (such as RealNetworks)
• H.323 (such as NetMeeting, ProShare, CUSeeMe)
• Other multimedia
– Microsoft NetShow
– StreamWorks
– VDOLive

Alerts and Audit Trails


• CBAC generates real-time alerts and audit trails.
• Audit trail features use Syslog to track all network transactions.
• With CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.

CBAC Configuration


• Set audit trails and alerts.
• Set global timeouts and thresholds.
• Define Port-to-Application Mapping (PAM).
• Define inspection rules.
• Apply inspection rules and ACLs to interfaces.
• Test and verify.

Configure CBAC (Task 1 and 2)

Enable Audit Trail and Alert

Router(config)#

ip inspect audit-trail
• Turns on audit trail messages (the example below also enables logging and sends it to the Syslog server at 10.0.0.3)

Router(config)# logging on
Router(config)# logging 10.0.0.3
Router(config)# ip inspect audit-trail

Router(config)#
[no] ip inspect alert-off
• Alerts can be turned off with ip inspect alert-off and turned back on with the no form

TCP, SYN, and FIN Wait Times


Router(config)#
ip inspect tcp synwait-time seconds
• Specifies the time the Cisco IOS Firewall waits for a TCP session to reach the established state.

Router(config)#
ip inspect tcp finwait-time seconds
• Specifies the time the Cisco IOS Firewall waits for a FIN exchange to complete before quitting the session.

TCP, UDP, and DNS Idle Times

Router(config)#

ip inspect tcp idle-time seconds
ip inspect udp idle-time seconds
• Specifies the time allowed for a TCP or UDP session with no activity.

Router(config)#
ip inspect dns-timeout seconds
• Specifies the time allowed for a DNS session with no activity.

Global Half-Opened Connection Limits

Router(config)#

ip inspect max-incomplete high number
• Defines the number of existing half-open sessions that cause the software to start deleting half-open sessions (aggressive mode).

Router(config)#
ip inspect max-incomplete low number
• Defines the number of existing half-open sessions that cause the software to stop deleting half-open sessions.

Global Half-Opened Connection Limits (cont.)

Router(config)#

ip inspect one-minute high number
• Defines the number of new half-open sessions per minute at which they start being deleted.

Router(config)#
ip inspect one-minute low number
• Defines the number of new half-open sessions per minute at which they stop being deleted.

Half-Opened Connection Limits by Host

Router(config)#
ip inspect tcp max-incomplete host number block-time seconds
• Defines the number of half-open TCP sessions with the same host destination address that can exist at a time before the Cisco IOS Firewall starts deleting half-open sessions to the host.
• After the number of half-open connections to a given host is exceeded, the software deletes half-open sessions on that host in the following manner:
– If block-time is 0, the oldest half-open session is deleted, per new connection request, to allow new connections.
– If block-time is greater than 0, all half-open sessions are deleted, and new connections to the host are not allowed during the specified block time.
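As an added model (example code, not Cisco's implementation) of the per-host limit above, showing the two block-time behaviours side by side; the class and method names, and the choice to drop the request that trips the limit when block-time is greater than 0, are assumptions of the example.

```python
# Added example, not Cisco's code: a model of
#   ip inspect tcp max-incomplete host <number> block-time <seconds>
# HostHalfOpenLimiter, syn() and established() are names assumed here. Time is
# passed in explicitly as 'now' so the behaviour can be traced without a clock.

class HostHalfOpenLimiter:
    def __init__(self, max_incomplete: int, block_time: int):
        self.max_incomplete = max_incomplete   # the <number> argument
        self.block_time = block_time           # the <seconds> argument
        self.half_open = {}      # dst host -> half-open session ids, oldest first
        self.blocked_until = {}  # dst host -> time until which new SYNs are refused

    def syn(self, host: str, session_id: str, now: int) -> str:
        """A new connection request (SYN) towards 'host' passes the firewall.
        Returns what the firewall does with it."""
        if host in self.blocked_until:
            if now < self.blocked_until[host]:
                return "dropped: host blocked"
            del self.blocked_until[host]       # block time has elapsed
        pending = self.half_open.setdefault(host, [])
        # Admitting one more half-open session would exceed the per-host limit.
        if len(pending) >= self.max_incomplete:
            if self.block_time == 0:
                # block-time 0: delete the oldest half-open session per new
                # request so that the new connection can still be admitted.
                pending.pop(0)
            else:
                # block-time > 0: delete every half-open session to the host and
                # refuse new connections for block_time seconds. Dropping the
                # triggering request as well is an assumption of this model.
                pending.clear()
                self.blocked_until[host] = now + self.block_time
                return "dropped: host blocked"
        pending.append(session_id)
        return "accepted"

    def established(self, host: str, session_id: str) -> None:
        """Three-way handshake completed: the session is no longer half-open."""
        pending = self.half_open.get(host, [])
        if session_id in pending:
            pending.remove(session_id)

    def half_open_ids(self, host: str) -> list:
        """Current half-open sessions towards 'host', oldest first."""
        return list(self.half_open.get(host, []))
```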

Port-to-Application Mapping (Task 3)

Port-to-Application Mapping


• Ability to configure any port number for an application protocol.
• CBAC uses PAM to determine the application configured for a port.

User-Defined Port Mapping

Router(config)#

ip port-map appl_name port port_num
• Maps a port number to an application.

Router(config)#
access-list acl_num permit ip_addr
ip port-map appl_name port port_num list acl_num
• Maps a port number to an application for a given host.

Router(config)#
access-list acl_num permit ip_addr wildcard_mask
ip port-map appl_name port port_num list acl_num
• Maps a port number to an application for a given network.

Display PAM Configuration
Router#
show ip port-map

• Shows all port mapping information.
Router#
show ip port-map appl_name
• Shows port mapping information for a given application.
Router#
show ip port-map port port_num
• Shows port mapping information for a given port.

Router# sh ip port-map ftp
Default mapping: ftp port 21 system defined
Host specific: ftp port 1000 in list 10 user

Define Inspection Rules (Task 4)

Inspection Rules for Application Protocols

Router(config)#

ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
• Defines the application protocols to inspect.
• Will be applied to an interface.
– Available protocols: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive.
– alert, audit-trail, and timeout are configurable per protocol and override global settings.

Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Inspection Rules for Java

Router(config)#

ip inspect name inspection-name http java-list acl-num [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
• Controls Java blocking with a standard ACL that lists the permitted (friendly) sites.

Router(config)# ip inspect name FWRULE http java-list 10 alert on audit-trail on timeout 300
Router(config)# access-list 10 deny 172.26.26.0 0.0.0.255
Router(config)# access-list 10 permit 172.27.27.0 0.0.0.255

Inspection Rules for RPC Applications

Router(config)#

ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
• Allows given RPC program numbers—wait-time keeps the connection open for a specified number of minutes.

Router(config)# ip inspect name FWRULE rpc program-number 100022 wait-time 0 alert off audit-trail on

Inspection Rules for SMTP Applications

Router(config)#

ip inspect name inspection-name smtp [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
• Allows only the following legal commands in SMTP applications: DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY.
• If disabled, all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed.

Router(config)# ip inspect name FWRULE smtp

Inspection Rules for IP Packet Fragmentation

Router(config)#

ip inspect name inspection-name fragment max number timeout seconds
• Protects hosts from certain DoS attacks involving fragmented IP packets:
– max—number of unassembled fragmented IP packets.
– timeout—seconds after which the unassembled fragmented IP packets begin to be discarded.

Router(config)# ip inspect name FWRULE fragment max 254 timeout 4

Inspection Rules and ACLs Applied to Router Interfaces (Task 5)

Apply an Inspection Rule to an Interface


Router(config-if)#
ip inspect inspection-name {in | out}
• Applies the named inspection rule to an interface.

Router(config)# interface e0/0
Router(config-if)# ip inspect FWRULE in
• Applies the inspection rule to interface e0/0 in the inward direction.

General Rules for Applying Inspection Rules and ACLs


• Interface where traffic initiates
– Apply an ACL on the inward direction that permits only wanted traffic.
– Apply a rule on the inward direction that inspects wanted traffic.
• All other interfaces
– Apply an ACL on the inward direction that denies all unwanted traffic.

Example—Two Interface Firewall


Outbound Traffic


Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp
• Configure CBAC to inspect TCP and UDP traffic.

Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any
• Permit inside-initiated traffic from the 10.0.0.0 network.

Router(config)# interface e0/0
Router(config-if)# ip inspect OUTBOUND in
Router(config-if)# ip access-group 101 in
• Apply an ACL and inspection rule to the inside interface in an inward direction.
Inbound Traffic


Router(config)# access-list 102 permit icmp any host 10.0.0.3
Router(config)# access-list 102 permit tcp any host 10.0.0.3 eq www
Router(config)# access-list 102 deny ip any any
• Permit outside-initiated ICMP and HTTP traffic to host 10.0.0.3.

Router(config)# interface e0/1
Router(config-if)# ip access-group 102 in
• Apply an ACL and inspection rule to the outside interface in the inward direction.
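As an added model (example code, not Cisco's implementation) of this two-interface firewall, showing why the return traffic of an inside-initiated session passes e0/1 even though ACL 102 never mentions it, while an outside-initiated connection to the same inside host is dropped and the static openings to host 10.0.0.3 keep working; the class and method names and the idle timeouts are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Cisco's code. Inside interface e0/0 carries ACL 101 and
# inspection rule OUTBOUND (tcp, udp) inward; outside interface e0/1 carries
# ACL 102 inward. CBAC keeps a state table of inside-initiated sessions and
# uses it to open temporary holes for their return traffic. Flow and
# TwoInterfaceFirewall are names assumed here; the idle timeouts are assumed
# values, not taken from the slides.

INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")   # ACL 101: 10.0.0.0 0.0.0.255
PUBLISHED_HOST = "10.0.0.3"                         # host named in ACL 102

@dataclass(frozen=True)
class Flow:
    proto: str     # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class TwoInterfaceFirewall:
    def __init__(self, tcp_idle: int = 3600, udp_idle: int = 30):
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}   # ip inspect {tcp|udp} idle-time
        self.sessions = {}   # Flow (inside -> outside) -> time of last activity

    def _acl_101(self, f: Flow) -> str:
        # permit ip 10.0.0.0 0.0.0.255 any / deny ip any any
        return "permit" if ipaddress.ip_address(f.src) in INSIDE_NET else "deny"

    def _acl_102(self, f: Flow) -> str:
        # permit icmp any host 10.0.0.3 / permit tcp any host 10.0.0.3 eq www
        # deny ip any any
        if f.dst == PUBLISHED_HOST and f.proto == "icmp":
            return "permit"
        if f.dst == PUBLISHED_HOST and f.proto == "tcp" and f.dport == 80:
            return "permit"
        return "deny"

    def expire(self, now: int) -> None:
        """Delete sessions idle longer than their timeout, closing their openings."""
        for f, last in list(self.sessions.items()):
            if now - last > self.idle[f.proto]:
                del self.sessions[f]

    def packet_from_inside(self, f: Flow, now: int) -> str:
        """Packet arriving on e0/0: ACL 101 first, then OUTBOUND inspection."""
        self.expire(now)
        if self._acl_101(f) == "deny":
            return "deny"
        if f.proto in self.idle:            # OUTBOUND inspects tcp and udp only
            self.sessions[f] = now          # create or refresh the state-table entry
        return "permit"

    def packet_from_outside(self, f: Flow, now: int) -> str:
        """Packet arriving on e0/1: the temporary openings CBAC created are
        consulted before the static entries of ACL 102."""
        self.expire(now)
        origin = f.reverse()
        if origin in self.sessions:
            self.sessions[origin] = now     # return traffic keeps the session alive
            return "permit (dynamic opening)"
        return self._acl_102(f)
```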

Example—Three-Interface Firewall


Outbound Traffic


Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp
• Configure CBAC to inspect TCP and UDP traffic.

Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any
• Permit inside-initiated traffic from the 10.0.0.0 network.

Router(config)# interface e0/0
Router(config-if)# ip inspect OUTBOUND in
Router(config-if)# ip access-group 101 in
• Apply an ACL and inspection rule to the inside interface in an inward direction.
Inbound Traffic


Router(config)# ip inspect name INBOUND tcp
• Configure CBAC to inspect TCP traffic.

Router(config)# access-list 102 permit icmp any host 172.16.0.2
Router(config)# access-list 102 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 102 deny ip any any
• Permit outside-initiated ICMP and HTTP traffic to host 172.16.0.2.

Router(config)# interface e0/1
Router(config-if)# ip access-group 102 in
• Apply an ACL and inspection rule to the outside interface in an inward direction.

DMZ-Bound Traffic


Router(config)# access-list 103 permit icmp host 172.16.0.2 any
Router(config)# access-list 103 deny ip any any
• Permit only ICMP traffic initiated in the DMZ.

Router(config)# access-list 104 permit icmp any host 172.16.0.2
Router(config)# access-list 104 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 104 deny ip any any
• Permit only outward ICMP and HTTP traffic to host 172.16.0.2.

Router(config)# interface e1/0
Router(config-if)# ip access-group 103 in
Router(config-if)# ip access-group 104 out
• Apply the proper access lists and an inspection rule to the interface.

Test and Verify (Task 6)

show Commands
Router#
show ip inspect name inspection-name

show ip inspect config
show ip inspect interfaces
show ip inspect session [detail]
show ip inspect all
• Displays CBAC configurations, interface configurations, and sessions.

Router# sh ip inspect session
Established Sessions
Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN

debug Commands
Router#
debug ip inspect function-trace

debug ip inspect object-creation
debug ip inspect object-deletion
debug ip inspect events
debug ip inspect timers
• General debug commands.
Router#
debug ip inspect protocol
• Protocol-specific debug.

Remove CBAC Configuration


Router(config)#
no ip inspect
• Removes the entire CBAC configuration.
• Resets all global timeouts and thresholds to the defaults.
• Deletes all existing sessions.
• Removes all associated dynamic ACLs.

Summary

Summary

• ACLs are used to filter and secure network traffic.


• While ACLs filter network traffic by controlling whether routed or switched packets are forwarded or blocked at the interface, CBAC is used to create temporary openings in the firewall access lists.
• The student should understand the six steps required for configuring CBAC:
– Set audit trails and alerts
– Set global timeouts and thresholds
– Define PAM
– Define inspection rules
– Apply inspection rules and ACLs to interfaces
– Test and verify
