Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
Step 3. Set up an Outbound Access List
Before CBAC can do its work, there must be an access list applied to traffic from the
trusted net to the untrusted net. This access list must permit the protocols on the
desired services list. Also, this access list must be an extended IP access list. The
source address for each rule in the access list should be a network address or address
range valid for the trusted network; the destination address can be the catch-all any.
For more information about access lists, see Section 4.3.
The example below shows an access list for our desired services list. In this example,
the access list is applied to the outside interface, in the outbound direction; in general,
this is a safe choice.
South(config)# ! Create the access list
South(config)# no access-list 110
South(config)# ip access-list extended 110
South(config-ext-nacl)# permit icmp 14.2.10.0 0.0.0.255 any
South(config-ext-nacl)# permit udp 14.2.10.0 0.0.0.255 any eq ntp
South(config-ext-nacl)# permit udp 14.2.10.0 0.0.0.255 any eq domain
South(config-ext-nacl)# permit tcp 14.2.10.0 0.0.0.255 any eq www
South(config-ext-nacl)# permit tcp 14.2.10.0 0.0.0.255 any eq ftp
South(config-ext-nacl)# permit tcp 14.2.10.0 0.0.0.255 any eq telnet
South(config-ext-nacl)# permit tcp 14.2.10.0 0.0.0.255 host 14.2.9.3 eq smtp
South(config-ext-nacl)# permit tcp 14.2.10.0 0.0.0.255 host 14.2.9.3 eq pop3
South(config-ext-nacl)# deny ip any any
South(config-ext-nacl)# exit
South(config)# ! Apply the access list to the outside interface
South(config)# interface eth 0/0
South(config-if)# ip access-group 110 out
South(config-if)# exit
South(config)#
Step 4. Set up an Inbound Access List
CBAC works by modifying inbound access lists: it can work with an access list
applied to the interface on the trusted or untrusted network, or even both. An
inbound access list intended for use with a simple CBAC firewall scheme should
block all TCP and UDP services, even those on the desired services list. CBAC
adds temporary entries for the return traffic of each session it inspects, so
static permits for those services are unnecessary, and would admit unsolicited
inbound connections that no inside host ever requested.
The example access list below blocks TCP and UDP traffic effectively, permits a
modest set of useful ICMP messages, and permits the RIP routing protocol (see
Section 4.3).
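The Python model below is an added illustration and is not part of the guide or of IOS. It evaluates access list 110 exactly as entered in Step 3 against constructed traffic, using IOS semantics (first match wins, implicit deny at the end, wildcard masks), and models the one CBAC behaviour that Steps 3 and 4 rely on: a permitted, inspected outbound TCP or UDP session receives a temporary reverse entry that is consulted before the static inbound list. It shows why the inbound list can, and should, deny all TCP and UDP including the desired services: replies to an inspected web session get in, while an unsolicited connection to telnet on a trusted host does not. Assumptions, all mine: the inbound list in the code is a constructed stand-in for access list 111 (only its echo-reply entry comes from the page); the port-keyword table; the test addresses 203.0.113.10, 14.2.10.5 and 14.2.9.9; and the simplified inspection model (one reverse entry per session, no timeouts, ICMP handled only by the static inbound list).

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

# Assumed mapping of the IOS port keywords on this page to port numbers.
PORT_NAMES = {"ntp": 123, "domain": 53, "www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "pop3": 110}

# Access list 110, entry for entry as configured in Step 3.
ACL_110 = """permit icmp 14.2.10.0 0.0.0.255 any
permit udp 14.2.10.0 0.0.0.255 any eq ntp
permit udp 14.2.10.0 0.0.0.255 any eq domain
permit tcp 14.2.10.0 0.0.0.255 any eq www
permit tcp 14.2.10.0 0.0.0.255 any eq ftp
permit tcp 14.2.10.0 0.0.0.255 any eq telnet
permit tcp 14.2.10.0 0.0.0.255 host 14.2.9.3 eq smtp
permit tcp 14.2.10.0 0.0.0.255 host 14.2.9.3 eq pop3
deny ip any any"""
# Constructed stand-in for access list 111: only this echo-reply entry is from the page.
ACL_111 = "permit icmp any any echo-reply"

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""

@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    sport: int | None           # None: any source port
    dst: ipaddress.IPv4Network
    dport: int | None           # None: any destination port
    icmp_type: str | None       # None: any ICMP type

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and self.sport in (None, p.sport)
                and self.dport in (None, p.dport) and self.icmp_type in (None, p.icmp_type)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst)

def _addr(t: list[str], i: int):  # 'any' | 'host A' | 'A WILDCARD', then optional 'eq PORT'
    if t[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    elif t[i] == "host":
        net, i = ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    else:  # ipaddress accepts a Cisco wildcard (host mask) after the slash
        net, i = ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}"), i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return net, port, i

def parse_acl(text: str) -> list[Entry]:
    """Parse the IOS extended-ACL entry syntax used on this page."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        src, sport, i = _addr(t, 2)
        dst, dport, i = _addr(t, i)
        icmp_type = t[i] if t[1] == "icmp" and i < len(t) else None
        acl.append(Entry(t[0], t[1], src, sport, dst, dport, icmp_type))
    return acl

def evaluate(acl: list[Entry], p: Packet) -> str:
    """First matching entry decides; an extended ACL ends in an implicit deny."""
    return next((e.action for e in acl if e.matches(p)), "deny")

@dataclass
class CbacRouter:
    """Outside interface: ACL 110 applied 'out', ACL 111 applied 'in'. Assumed model of
    'ip inspect': each permitted TCP/UDP session gets a temporary reverse entry
    that is checked before the static inbound list (no timeouts modelled)."""
    outbound: list[Entry]
    inbound: list[Entry]
    dynamic: list[Entry] = field(default_factory=list)

    def send_out(self, p: Packet) -> str:
        verdict = evaluate(self.outbound, p)
        if verdict == "permit" and p.proto in ("tcp", "udp"):
            host = lambda a: ipaddress.IPv4Network(a + "/32")
            self.dynamic.append(Entry("permit", p.proto, host(p.dst), p.dport, host(p.src), p.sport, None))
        return verdict

    def receive_in(self, p: Packet) -> str:
        return evaluate(self.dynamic + self.inbound, p)

def demo() -> dict[str, str]:
    # Constructed traffic: 14.2.10.5 is a trusted host, 203.0.113.10 is outside.
    r = CbacRouter(parse_acl(ACL_110), parse_acl(ACL_111))
    return {
        "web out": r.send_out(Packet("tcp", "14.2.10.5", "203.0.113.10", 40000, 80)),
        "web reply": r.receive_in(Packet("tcp", "203.0.113.10", "14.2.10.5", 80, 40000)),
        "other client port": r.receive_in(Packet("tcp", "203.0.113.10", "14.2.10.5", 80, 40001)),
        "inbound telnet": r.receive_in(Packet("tcp", "203.0.113.10", "14.2.10.5", 5555, 23)),
        "untrusted source out": r.send_out(Packet("tcp", "14.2.9.9", "203.0.113.10", 1, 80)),
        "smtp not to relay": r.send_out(Packet("tcp", "14.2.10.5", "203.0.113.10", 1, 25)),
        "echo-reply in": r.receive_in(Packet("icmp", "203.0.113.10", "14.2.10.5", icmp_type="echo-reply")),
    }
```

Calling demo() returns permit for the web request and its reply only; the same server talking to a different client port, an inbound telnet attempt, an outbound packet from an address outside 14.2.10.0/24, and SMTP to anything but 14.2.9.3 are all denied, and the echo-reply passes on the static inbound list alone. The parser handles only the any, host, wildcard-mask and eq forms that appear on this page.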
South(config)# ! create inbound access list for CBAC to work on
South(config)# no access-list 111
South(config)# ip access-list extended 111
South(config-ext-nacl)# permit icmp any any echo-reply