
Lab 6.2 Configuring CBAC

Learning Objectives
- Configure CBAC rules on a router
- Apply CBAC rules on a router

Topology Diagram

Scenario

Context-based access control (CBAC) is a powerful tool in the Cisco IOS Firewall feature set. It provides stateful packet inspection and protects against certain types of attacks. In this lab, INSIDE represents an inside corporate router, OUTSIDE represents an outside Internet or ISP router, and FW represents the corporate firewall. CBAC alone is not enough to make a router into a secure Internet firewall, but in combination with other security features it can be a very powerful defense.

Step 1: Configure the Physical Interfaces

Configure the loopback interfaces with the addresses shown in the topology diagram. Also configure the serial interfaces shown in the diagram. Set the clock rate on the appropriate interface and issue the no shutdown command on all serial connections. Verify that you have connectivity across the local subnet using the ping command.

INSIDE(config)# interface serial0/0/0
INSIDE(config-if)# ip address 172.16.12.1 255.255.255.0
INSIDE(config-if)# clockrate 64000

1-8

CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 6-2

Copyright 2007, Cisco Systems, Inc

INSIDE(config-if)# no shutdown

FW(config)# interface serial0/0/0
FW(config-if)# ip address 172.16.12.2 255.255.255.0
FW(config-if)# no shutdown
FW(config-if)# interface serial0/0/1
FW(config-if)# ip address 192.168.23.2 255.255.255.0
FW(config-if)# clockrate 64000
FW(config-if)# no shutdown

OUTSIDE(config)# interface serial0/0/1
OUTSIDE(config-if)# ip address 192.168.23.3 255.255.255.0
OUTSIDE(config-if)# no shutdown

Step 2: Configure Static Default Routes

On the INSIDE and OUTSIDE routers, configure static default routes so that traffic to unknown destinations is forwarded to the FW router. FW does not need any routes because it has interfaces directly connected to both networks (as shown in the topology diagram).

INSIDE(config)# ip route 0.0.0.0 0.0.0.0 172.16.12.2

OUTSIDE(config)# ip route 0.0.0.0 0.0.0.0 192.168.23.2

Your network should have full IP connectivity at this point. If it does not have full connectivity, troubleshoot. Normally, a single-homed company might use Network Address Translation (NAT) at its corporate edge to protect its network and allow private addressing within the bounds of its network. In that case, the OUTSIDE router, normally a provider edge router, would have a static route directing traffic for the address space owned by the customer out one of its interfaces. In this scenario you will not configure NAT, and you will use a default route for simplicity.

Step 3: Enable Telnet Access

You will be using the Telnet protocol to test connectivity in this lab scenario. To enable Telnet access on a router that starts from its default configuration, simply apply the password string command (where string is the password) on the virtual terminal lines. Apply this configuration change on the INSIDE and OUTSIDE routers. Use cisco as the line password. This will be used later for verification purposes.

INSIDE(config)# line vty 0 4
INSIDE(config-line)# password cisco
INSIDE(config-line)# login

OUTSIDE(config)# line vty 0 4
OUTSIDE(config-line)# password cisco
OUTSIDE(config-line)# login


Step 4: Create IP Inspect Rules

CBAC operates by statefully inspecting some protocols and tracking TCP connections and UDP flows. CBAC examines the protocols to determine whether incoming, untrusted (outside) traffic is return traffic for an inside-initiated connection or the result of arbitrarily spoofed packets. For some well-known protocols, CBAC can also examine particular application-layer fields to make sure that the packets follow the protocols of those specific applications correctly. Any traffic that is not accepted by CBAC is treated according to the rules of the access list on the interface. This is done by explicitly blocking untrusted traffic (which we will configure later) except when allowed by CBAC.

Why is it important to keep track of connection states, especially with TCP connections?

The critical part of configuring CBAC involves creating rules to track connections and flows. Create rules to track TCP and UDP flows using the ip inspect name name protocol command. Use the name myrules and apply the CBAC rule to the Serial0/0/0 interface in the inbound direction. To see the protocols available (most of the protocols listed are application layer protocols), enter the ip inspect name name command followed by the ? character. Newer IOS versions will have more protocols listed.

FW(config)# ip inspect name myrules ?
  802-11-iapp   IEEE 802.11 WLANs WG IAPP
  ace-svr       ACE Server/Propagation
  aol           America-Online
  appfw         Application Firewall
  appleqtc      Apple QuickTime
  bgp           Border Gateway Protocol
<OUTPUT OMITTED>

FW(config)# ip inspect name myrules tcp
FW(config)# ip inspect name myrules udp

You can also set CBAC timeouts for various protocols. To change the amount of time that should pass before a UDP flow times out, use the ip inspect udp idle-time timeout command in global configuration mode. The default UDP idle timeout is 30 seconds. Change the UDP timeout to 60 seconds.
FW(config)# ip inspect udp idle-time 60


Why is this particularly important for UDP protocols?

On a per-protocol basis, there are other adjustable settings. For instance, you can manipulate CBAC to trigger logging messages based on the matched protocol. This is important for security accounting as well as for debugging purposes. View the options available on a per-protocol basis, using the ? character.
FW(config)# ip inspect name myrules tcp ?
  alert           Turn on/off alert
  audit-trail     Turn on/off audit trail
  router-traffic  Enable inspection of sessions to/from the router
  timeout         Specify the inactivity timeout time
  <cr>

In a secure network, you would likely set up a Syslog server to monitor security information, including communication to external networks. Alert and audit-trail messages allow the holes in the firewall created by CBAC to be monitored and logged for later use. By default, CBAC logs alert messages to the console; alerting can be configured on a per-protocol basis to override the global setting (as shown above). To change the global setting for alerts, use the command ip inspect alert-off. By default, alerts are on. To enable audit-trail messages, use the global command ip inspect audit-trail. By default, audit-trail messages are off. The timeout argument specifies a per-protocol connection timeout period. Add Internet Control Message Protocol (ICMP) inspection with a timeout of 5 seconds, HTTP inspection without alerting, and FTP inspection with an audit trail. ICMP inspection may not work on older IOS releases.

FW(config)# ip inspect name myrules icmp timeout 5
FW(config)# ip inspect name myrules http alert off
FW(config)# ip inspect name myrules ftp audit-trail on

To apply the rule set to an interface, use the interface level command ip inspect name direction. Apply myrules to the inside interface on FW with an inbound direction. This means that any traffic initiated from the inside interface going through the router will have IP inspection performed on it.
FW(config)# interface serial0/0/0
FW(config-if)# ip inspect myrules in

In this scenario, you could also apply it outbound on the outside interface to achieve the same effect. When would this not apply?


Step 5: Block Unwanted Outside Traffic

Configure an extended access list to deny any traffic coming in the outside interface. The access list must be extended because CBAC needs to open temporary holes in it for return traffic, and it cannot do this with standard access lists. Also have the deny entry of the access list log the packets that are blocked. Apply this access list inbound on the outside interface of the firewall.

NOTE: If you are using an older IOS release that did not accept ICMP inspection earlier, you may want to add the statement access-list 100 permit icmp any any before the deny statement in this access list to allow all ICMP traffic to go through (since it will not be inspected by CBAC).

FW(config)# access-list 100 deny ip any any log
FW(config)# interface serial0/0/1
FW(config-if)# ip access-group 100 in
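To make the state tracking of Steps 4 and 5 concrete, here is a small Python model of what FW does (an added illustration for this lab, not Cisco IOS code): inside-initiated traffic populates a session table keyed by the 5-tuple and stamped with this lab's per-protocol idle timeouts, return traffic from OUTSIDE is permitted only while a matching session exists, and everything else is dropped by ACL 100 and logged. The class and method names are invented for the example; the addresses and timeouts are the ones configured above.

```python
# Idle timeouts in seconds as configured on FW in this lab:
# tcp 3600 (IOS default), udp 60 (ip inspect udp idle-time 60), icmp 5.
IDLE_TIMEOUT = {"tcp": 3600, "udp": 60, "icmp": 5}


class CbacFirewall:
    """Toy model (not IOS code) of 'ip inspect myrules in' on the inside
    interface plus 'access-list 100 deny ip any any log' on the outside one."""

    def __init__(self):
        self.now = 0.0            # simulated clock, seconds
        self.sessions = {}        # (proto, src, sport, dst, dport) -> last heard
        self.denied_log = []      # one line per packet ACL 100 drops

    def _expire_idle(self):
        # CBAC removes a session once it has been idle longer than its timeout,
        # which also closes the temporary hole in the ACL for its return traffic.
        idle = [k for k, last in self.sessions.items()
                if self.now - last > IDLE_TIMEOUT[k[0]]]
        for k in idle:
            del self.sessions[k]

    def inside_to_outside(self, proto, src, sport, dst, dport):
        # Packet arriving on Serial0/0/0: inspected, session created or refreshed.
        self._expire_idle()
        self.sessions[(proto, src, sport, dst, dport)] = self.now
        return "forwarded"

    def outside_to_inside(self, proto, src, sport, dst, dport):
        # Packet arriving on Serial0/0/1: allowed only as return traffic of an
        # open session; otherwise ACL 100 denies it and logs the attempt.
        self._expire_idle()
        key = (proto, dst, dport, src, sport)   # the session as seen from inside
        if key in self.sessions:
            self.sessions[key] = self.now
            return "permitted"
        self.denied_log.append(
            f"%SEC-6-IPACCESSLOGP: list 100 denied {proto} "
            f"{src}({sport}) -> {dst}({dport}), 1 packet")
        return "denied"


def demo():
    """Replays the lab: an unsolicited OUTSIDE telnet, an INSIDE-initiated one,
    then a UDP flow whose reply arrives after the 60 s idle timeout."""
    fw = CbacFirewall()
    first = fw.outside_to_inside("tcp", "192.168.23.3", 11001, "172.16.12.1", 23)
    fw.inside_to_outside("tcp", "172.16.12.1", 54736, "192.168.23.3", 23)
    second = fw.outside_to_inside("tcp", "192.168.23.3", 23, "172.16.12.1", 54736)
    fw.inside_to_outside("udp", "172.16.12.1", 40000, "192.168.23.3", 53)
    fw.now += 61                  # exceed the udp idle-time of 60 seconds
    third = fw.outside_to_inside("udp", "192.168.23.3", 53, "172.16.12.1", 40000)
    return first, second, third, len(fw.denied_log)
```

The third verdict is the practical reason the UDP idle timeout matters: once the flow is considered idle the hole closes, so a late or replayed datagram from outside is treated like any other unsolicited packet.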

Step 6: Verify CBAC Operation

Telnet from OUTSIDE to INSIDE. This should fail.

OUTSIDE# telnet 172.16.12.1
Trying 172.16.12.1 ...
% Destination unreachable; gateway or host down

OUTSIDE#

In addition, you should see a log message appear on FW. This log message is not from CBAC but instead from the access list denying the packet.
FW#
*Feb 18 02:11:11.823: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.23.3(0) -> 172.16.12.1(0), 1 packet
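As an added example (not part of the lab), a small Python parser for these %SEC-6-IPACCESSLOGP messages that totals denied packets per access list, protocol, source and destination, which is the view you would want when FW's logs are forwarded to a Syslog server. The sample log is constructed: its first line is the one shown above, the rest are made up for the example (IOS repeats the message with a packet count rather than logging every packet).

```python
import re
from collections import defaultdict

# Matches the ACL-deny message FW produces in this lab; the "(0)" port fields
# are matched as they appear in the page's own log line.
DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log: line 1 is from the lab, lines 2-4 are made up.
SAMPLE_LOG = """\
*Feb 18 02:11:11.823: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.23.3(0) -> 172.16.12.1(0), 1 packet
*Feb 18 02:16:11.901: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.23.3(0) -> 172.16.12.1(0), 4 packets
*Feb 18 02:17:02.114: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.168.23.3(53) -> 172.16.12.1(1025), 2 packets
*Feb 18 02:18:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_denials(log_text):
    """Yield one dict per ACL-deny line; unrelated syslog lines are skipped."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            yield rec


def summarize_denials(log_text):
    """Total denied packets keyed by (acl, proto, src, dst)."""
    totals = defaultdict(int)
    for rec in parse_denials(log_text):
        totals[(rec["acl"], rec["proto"], rec["src"], rec["dst"])] += rec["count"]
    return dict(totals)
```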

Now, attempt to telnet from INSIDE to OUTSIDE. Leave the telnet session open so you can verify the connection on FW.
INSIDE# telnet 192.168.23.3
Trying 192.168.23.3 ... Open

User Access Verification

Password:
OUTSIDE>

On FW, issue the show ip inspect all command to see the configuration and operation of CBAC. Notice the inspected TCP connection between INSIDE and OUTSIDE is listed at the end.
FW# show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]


max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name myrules
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 5
    http alert is off audit-trail is off timeout 3600
    ftp alert is on audit-trail is on timeout 3600
Interface Configuration
 Interface Serial0/0/0
  Inbound inspection rule is myrules
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 5
    http alert is off audit-trail is off timeout 3600
    ftp alert is on audit-trail is on timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
Established Sessions
 Session 458348C4 (172.16.12.1:54736)=>(192.168.23.3:23) tcp SIS_OPEN

View detailed session information by issuing the show ip inspect sessions detail command on FW.

FW# show ip inspect sessions detail
Established Sessions
 Session 458348C4 (172.16.12.1:54736)=>(192.168.23.3:23) tcp SIS_OPEN
  Created 00:03:25, Last heard 00:03:23
  Bytes sent (initiator:responder) [37:79]
  In SID 192.168.23.3[23:23]=>172.16.12.1[54736:54736] on ACL 100 (11 matches)

Close the telnet connection when you are done verifying CBAC operation.
OUTSIDE> exit

[Connection to 192.168.23.3 closed by foreign host]
INSIDE#

Note: If your Cisco IOS release does not support ICMP inspection, skip the following verification step since ICMP traffic will not be inspected. Enable debugging of IP inspection for ICMP traffic using the debug ip inspect protocol command. In a production environment, debugging CBAC is not recommended because of the high amounts of output it can generate.
FW# debug ip inspect icmp
INSPECT ICMP Inspection debugging is on

From the INSIDE router, ping OUTSIDE. Note that this would not work if you try to ping the other way because it would be denied by the access list. If attempted, the denied packets from OUTSIDE to INSIDE would be logged to FW's console line as well.
INSIDE# ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

FW#
*Feb 18 02:23:29.591: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.591: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.591: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.619: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Feb 18 02:23:29.647: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.675: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Feb 18 02:23:29.703: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.735: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Feb 18 02:23:29.763: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.791: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Feb 18 02:23:29.819: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Feb 18 02:23:29.847: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
FW# undebug all

Final Configurations
INSIDE# show run
hostname INSIDE
!
interface Serial0/0/0
 ip address 172.16.12.1 255.255.255.0
 clock rate 64000
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 172.16.12.2
!
line vty 0 4
 password cisco
 login
end

FW# show run
hostname FW
!
ip inspect name myrules tcp
ip inspect name myrules udp
ip inspect name myrules icmp timeout 5
ip inspect name myrules http alert off
ip inspect name myrules ftp audit-trail on
ip inspect udp idle-time 60
!
interface Serial0/0/0
 ip address 172.16.12.2 255.255.255.0
 ip inspect myrules in
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 ip access-group 100 in
 clock rate 64000
 no shutdown


!
access-list 100 deny ip any any log
end

OUTSIDE# show run
hostname OUTSIDE
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
line vty 0 4
 password cisco
 login
end
