Lab 20 - CBAC traffic inspection with ISR router


CBAC tutorial

Cisco's Context-Based Access Control (CBAC) is a stateful inspection feature of ISR routers, similar in purpose to reflexive ACLs. Packet Tracer has supported this feature since version 5.3.

CBAC dynamically modifies an inbound access list to admit return traffic even when a "deny ip any any" ACL is applied: it inspects and records flows initiated from the protected internal network, then opens temporary entries for their replies. The main difference from reflexive ACLs is that reflexive ACLs act solely on layer 2 to layer 4 protocol attributes, whereas CBAC can inspect all the way up to the application layer (layer 7), taking into account the characteristics of each flow on a per-protocol (or context) basis.

Lab Topology

Packet Tracer 6.2 lab 20 (CBAC) topology

 

Lab instructions

Coming soon

 

Lab Solution

Step 1 : Activate security license on ISR 2911 routers

Router>enable
Router#configure terminal

Router(config)#license boot module c2900 technology-package securityk9 

PLEASE  READ THE  FOLLOWING TERMS  CAREFULLY. INSTALLING THE LICENSE OR
LICENSE  KEY  PROVIDED FOR  ANY CISCO  PRODUCT  FEATURE  OR  USING SUCH
PRODUCT  FEATURE  CONSTITUTES  YOUR  FULL ACCEPTANCE  OF  THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO  BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.                                     
                                                                       
Use of this product feature requires  an additional license from Cisco,
together with an additional  payment.  You may use this product feature
on an evaluation basis, without payment to Cisco, for 60 days. Your use
of the  product,  including  during the 60 day  evaluation  period,  is
subject to the Cisco end user license agreement                        
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html  
If you use the product feature beyond the 60 day evaluation period, you
must submit the appropriate payment to Cisco for the license. After the
60 day  evaluation  period,  your  use of the  product  feature will be
governed  solely by the Cisco  end user license agreement (link above),
together  with any supplements  relating to such product  feature.  The
above  applies  even if the evaluation  license  is  not  automatically
terminated  and you do  not receive any notice of the expiration of the
evaluation  period.  It is your  responsibility  to  determine when the
evaluation  period is complete and you are required to make  payment to
Cisco for your use of the product feature beyond the evaluation period.
                                                                       
Your  acceptance  of  this agreement  for the software  features on one
product  shall be deemed  your  acceptance  with  respect  to all  such
software  on all Cisco  products  you purchase  which includes the same
software.  (The foregoing  notwithstanding, you must purchase a license
for each software  feature you use past the 60 days evaluation  period,
so  that  if you enable a software  feature on  1000  devices, you must
purchase 1000 licenses for use past  the 60 day evaluation period.)    
                                                                       
Activation  of the  software command line interface will be evidence of
your acceptance of this agreement.                                     
                                                                       
                                                                       
ACCEPT? [yes/no]: yes
% use 'write' command to make license boot config take effect on next boot
%IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C2900 Next reboot level = securityk9 and License = securityk9
%LICENSE-6-EULA_ACCEPTED: EULA for feature securityk9 1.0 has been accepted. UDI=CISCO2911/K9:FTX1524PCPQ; StoreIndex=0:Evaluation License Storage

Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console

Router#write
Building configuration...
[OK]
Router#reload
Router>enable
Router#show license feature 
Feature name      Enforcement  Evaluation  Subscription   Enabled  RightToUse
ipbasek9          no           no          no             yes      no
securityk9        yes          yes         no             yes      yes
datak9            yes          no          no             no       yes
uck9              yes          yes         no             no       yes

Router#

Step 2 : Configure DHCP and NAT on Router 1

Router(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.9

Router(config)#ip dhcp pool LAN
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.1.1
Router(config)#interface GigabitEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside


Router(config)#interface GigabitEthernet0/2
Router(config-if)#ip address 46.20.146.1 255.255.255.252
Router(config-if)#ip nat outside


Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

Router(config)#ip nat inside source list 1 interface GigabitEthernet0/2 overload

Step 3 : Configure inbound ACL and CBAC on outbound traffic

Configure and apply the inbound ACL

Router(config)#ip access-list extended DENY_ANY
Router(config-ext-nacl)#deny ip any any
Router(config-ext-nacl)#exit

Router(config)#int gigabitEthernet 0/2
Router(config-if)#ip access-group DENY_ANY in

Configure CBAC

Router(config)#ip inspect name ALLOWED_TRAFIC http audit-trail on

Router(config)#interface gigabitEthernet 0/2
Router(config-if)#ip inspect ALLOWED_TRAFIC out

Verify the CBAC (ip inspect) configuration

Router#show ip inspect all 
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name ALLOWED_TRAFIC
    http alert is on audit-trail is on timeout 3600

Interface Configuration
 Interface GigabitEthernet0/2
  Inbound inspection rule is not set
  Outgoing inspection rule is ALLOWED_TRAFIC
    http alert is on audit-trail is on timeout 3600
  Inbound access list is DENY_ANY
  Outgoing access list is not set

Router#
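To make the Step 3 behaviour concrete, here is an added Python model (not Cisco code and not part of the original lab) of what the router does on GigabitEthernet0/2: it keeps the session table that "ip inspect ALLOWED_TRAFIC out" builds from inspected HTTP flows, lets matching replies through the DENY_ANY inbound ACL, and expires idle entries after the 3600 second tcp idle-time shown above. The host addresses are constructed and NAT is deliberately ignored.

```python
from collections import namedtuple
# Constructed model of the Step 3 behaviour on Gi0/2: inbound ACL DENY_ANY plus
# "ip inspect ALLOWED_TRAFIC out" for http. Not Cisco code; NAT is ignored.
Packet = namedtuple("Packet", "src sport dst dport proto")
ALLOWED_TRAFIC = {"http": ("tcp", 80)}  # protocols listed in the inspect rule
TCP_IDLE_TIMEOUT = 3600                  # tcp idle-time from "show ip inspect all"


class CbacInterface:
    def __init__(self, inspect_rule=ALLOWED_TRAFIC):
        self.rule = inspect_rule
        self.sessions = {}      # expected return 5-tuple -> time last seen
        self.audit_trail = []   # what "audit-trail on" would log

    def outbound(self, pkt, now):
        # Outgoing inspection: a flow matching the rule is recorded so that
        # its reply can bypass the inbound ACL; other traffic is just routed.
        if (pkt.proto, pkt.dport) in self.rule.values():
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if key not in self.sessions:
                self.audit_trail.append(f"start {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            self.sessions[key] = now
        return "forwarded"

    def inbound(self, pkt, now):
        # Inbound ACL is "deny ip any any"; only a live inspected session overrides it.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        last = self.sessions.get(key)
        if last is None:
            return "denied by DENY_ANY"
        if now - last > TCP_IDLE_TIMEOUT:
            del self.sessions[key]
            self.audit_trail.append(f"timeout {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return "denied by DENY_ANY (session expired)"
        self.sessions[key] = now
        return "permitted by CBAC session"


def demo():
    # Constructed traffic: LAN host 192.168.1.10 browses 203.0.113.5 (TEST-NET-3).
    gi = CbacInterface()
    gi.outbound(Packet("192.168.1.10", 40000, "203.0.113.5", 80, "tcp"), now=0)
    reply = Packet("203.0.113.5", 80, "192.168.1.10", 40000, "tcp")
    unsolicited = Packet("203.0.113.5", 4444, "192.168.1.10", 22, "tcp")
    return {
        "http reply": gi.inbound(reply, now=1),
        "unsolicited inbound": gi.inbound(unsolicited, now=1),
        "reply after idle-time": gi.inbound(reply, now=1 + TCP_IDLE_TIMEOUT + 1),
        "audit": gi.audit_trail,
    }
```

Running demo() shows the reply to the inspected HTTP request being admitted, an unrelated inbound connection hitting DENY_ANY, and the same reply being refused once the session has idled past 3600 seconds.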