UNCLASSIFIED
Advanced Security Services
Version 1.0g
South(config-ext-nacl)# permit icmp any any unreachable
South(config-ext-nacl)# permit icmp any any ttl-exceeded
South(config-ext-nacl)# permit udp any any eq rip
South(config-ext-nacl)# deny ip any any log
South(config-ext-nacl)# exit
South(config)# ! apply the access list to the outside interface
South(config)# interface eth 0/0
South(config-if)# ip access-group 111 in
South(config-if)# exit
South(config)#
Step 5. Create a CBAC Ruleset
To create a CBAC ruleset, use the command ip inspect name. The syntax is
shown below.
ip inspect name ruleset-name protocol [alert on/off]
[audit-trail on/off] [timeout override-timeout]
The alert option controls whether traffic matching that protocol rule can cause a
console alert message to be generated; similarly, the audit-trail option controls
whether each session for that protocol causes a log message to be generated. Enable the
alert and audit-trail features to get additional log messages, beyond those generated
by the interface access lists. (In older versions of CBAC, audit trails could only be
turned on globally, using the command ip inspect audit-trail.)
The example ruleset below supports the example desired service list. The name of
the ruleset is fw1. Its first rule (generic UDP inspection) supports DNS and NTP, and
the second rule (generic TCP inspection) supports web, Telnet, and POP3 email services.
The third and fourth rules add protocol-specific inspection for FTP and SMTP; generic
TCP inspection alone would not, for example, open the FTP data channel negotiated on
the control connection.
South(config)# ip inspect name fw1 udp audit-trail on
South(config)# ip inspect name fw1 tcp audit-trail on
South(config)# ip inspect name fw1 ftp audit-trail on
South(config)# ip inspect name fw1 smtp audit-trail on
South(config)#
Step 6. Adjust the CBAC Global Parameters
When CBAC detects a connection attempt by a client on the trusted network, it adds
a temporary rule to the inbound access list to permit the expected response. This rule
is removed when one of the following conditions is satisfied:
§ The response does not arrive within the allotted timeout time.
§ The connection is idle for longer than an allotted idle time.
§ The connection closes down (TCP only).
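The following Python model, added here as an illustration and not part of this guide or of Cisco's software, shows how the static inbound list from Step 4, the fw1 inspection rules from Step 5, and the three removal conditions listed above work together. It is a session table that stands in for CBAC's temporary access-list entries; it does not model IOS exactly (no application-layer parsing, no real timers). The addresses, ports and packet sequence are constructed for the example, and the timer values (tcp synwait 30 s, finwait 5 s, tcp idle 3600 s, udp idle 30 s) are assumptions chosen to match the usual IOS defaults; check yours with show ip inspect config.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""       # tcp: "SYN", "SYN/ACK", "ACK", "FIN", "RST"; icmp: message type name


def static_acl_permits(pkt):
    """Static part of the Step 4 inbound list: ICMP unreachable and ttl-exceeded,
    RIP (udp/520); everything else falls through to the logged deny."""
    if pkt.proto == "icmp" and pkt.flags in ("unreachable", "ttl-exceeded"):
        return True
    if pkt.proto == "udp" and pkt.dport == 520:
        return True
    return False


class Cbac:
    """Session table standing in for the temporary ACL entries CBAC adds and removes."""

    def __init__(self, inspected, tcp_idle=3600, udp_idle=30, synwait=30, finwait=5):
        self.inspected = set(inspected)       # protocols named in 'ip inspect name fw1 ...'
        self.tcp_idle, self.udp_idle = tcp_idle, udp_idle
        self.synwait, self.finwait = synwait, finwait   # assumed IOS-like defaults (seconds)
        self.sessions = {}                    # (proto, in_ip, in_port, out_ip, out_port) -> state
        self.log = []

    def _remove(self, key, reason):
        del self.sessions[key]
        self.log.append(f"audit-trail: stop {key[0]} {key[1]}:{key[2]} -> {key[3]}:{key[4]} ({reason})")

    def _expire(self, now):
        """Apply the three removal conditions from Step 6."""
        for key, s in list(self.sessions.items()):
            proto = key[0]
            if proto == "tcp" and not s["established"] and now - s["opened"] > self.synwait:
                self._remove(key, "no response within synwait")          # condition 1
            elif s["closing"] is not None and now - s["closing"] > self.finwait:
                self._remove(key, "connection closed")                   # condition 3 (TCP only)
            elif now - s["last"] > (self.tcp_idle if proto == "tcp" else self.udp_idle):
                self._remove(key, "idle timeout")                        # condition 2

    def _track_tcp_close(self, key, s, pkt, now):
        if pkt.proto != "tcp":
            return
        if "RST" in pkt.flags:
            self._remove(key, "reset")
        elif "FIN" in pkt.flags and s["closing"] is None:
            s["closing"] = now

    def outbound(self, pkt, now):
        """A packet from the trusted side leaving through the outside interface."""
        self._expire(now)
        if pkt.proto not in self.inspected:
            return
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        s = self.sessions.get(key)
        if s is None:   # new connection attempt: open a temporary entry for the response
            self.sessions[key] = {"opened": now, "last": now,
                                  "established": pkt.proto != "tcp", "closing": None}
            self.log.append(f"audit-trail: start {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return
        s["last"] = now
        self._track_tcp_close(key, s, pkt, now)

    def inbound(self, pkt, now):
        """A packet arriving on the outside interface; True means permitted."""
        self._expire(now)
        if static_acl_permits(pkt):
            return True
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed: reply to an inside client
        s = self.sessions.get(key)
        if s is None:
            self.log.append(f"deny {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} log")
            return False
        s["last"] = now
        if pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" in pkt.flags:
            s["established"] = True
        self._track_tcp_close(key, s, pkt, now)
        return True


def run_scenario():
    """Constructed traffic run against the fw1 ruleset (udp, tcp, ftp, smtp)."""
    fw = Cbac(inspected={"tcp", "udp", "ftp", "smtp"})
    inside, web, dns, mail, attacker = "10.1.1.5", "192.0.2.80", "192.0.2.53", "192.0.2.25", "198.51.100.9"
    r = {}
    fw.outbound(Packet("tcp", inside, web, 40000, 80, "SYN"), now=0)                  # web session opens
    r["web_reply"] = fw.inbound(Packet("tcp", web, inside, 80, 40000, "SYN/ACK"), now=1)
    r["unsolicited"] = fw.inbound(Packet("tcp", attacker, inside, 1234, 22, "SYN"), now=1)  # no entry
    r["ttl_exceeded"] = fw.inbound(Packet("icmp", web, inside, flags="ttl-exceeded"), now=2)  # static permit
    fw.outbound(Packet("udp", inside, dns, 53000, 53), now=10)
    r["dns_reply"] = fw.inbound(Packet("udp", dns, inside, 53, 53000), now=12)          # within udp idle
    r["dns_late"] = fw.inbound(Packet("udp", dns, inside, 53, 53000), now=50)           # idle expired
    fw.outbound(Packet("tcp", inside, mail, 40001, 25, "SYN"), now=100)
    r["smtp_late_synack"] = fw.inbound(Packet("tcp", mail, inside, 25, 40001, "SYN/ACK"), now=140)  # synwait
    r["web_fin"] = fw.inbound(Packet("tcp", web, inside, 80, 40000, "FIN"), now=200)    # close begins
    r["web_after_close"] = fw.inbound(Packet("tcp", web, inside, 80, 40000, "ACK"), now=210)
    r["open_sessions"] = len(fw.sessions)
    return r, fw.log


if __name__ == "__main__":
    results, log = run_scenario()
    print(results)
    print("\n".join(log))
```

The point to take from the scenario is that nothing inbound reaches the trusted network unless the static list permits it (the ICMP and RIP lines) or an inside client asked for it first, and even a legitimately opened entry is gone once the response is late, the flow goes idle, or the TCP connection closes; the deny line at the end of the static list then logs the stray packet.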