UNCLASSIFIED
Advanced Security Services
Version 1.0g
After this step, CBAC should be running on the router.
Step 8. Test the CBAC Configuration
Perform some simple tests from a host on the trusted network to confirm that CBAC is
working. The test shown here has two parts: first, starting a Telnet session from a
host on the trusted network to a host on the untrusted network, and second,
confirming that CBAC is tracking the session. For more detailed testing
information, see Section 6.
The example below shows a Telnet session from a host on the trusted network
(14.2.10.6) to a host on the untrusted network (14.2.9.250).
$ telnet 14.2.9.250
Trying 14.2.9.250...
Connected to 14.2.9.250.
Escape character is '^]'.
Welcome to the CENTRAL router. No unauthorized users, please!
Username: nziring
Password:
Central>
While the Telnet session is active, check the CBAC session status on the router using
the command show ip inspect sessions. It should list the Telnet session, as
illustrated in the example below. If the command gives no output, then CBAC is not
inspecting the traffic and is not working.
South# show ip inspect sessions
Established Sessions
Session 6187B230 (14.2.10.189:3175)=>(14.2.9.250:23) tcp SIS_OPEN
South#
If the CBAC configuration seems to be working, save the router configuration to
NVRAM at this point with the command copy running startup.
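The check in Step 8 is easy to do by eye for one session, but when CBAC verification is repeated after every configuration change it helps to script it. The following Python is an added example, not part of this guide and not Cisco tooling: it parses captured "show ip inspect sessions" output (the session line format is taken from the example above) and reports whether CBAC is tracking an open session to a given untrusted host and port. The "no sessions" output and the half-open session line are constructed inputs for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# One session line of "show ip inspect sessions", e.g.
#   Session 6187B230 (14.2.10.189:3175)=>(14.2.9.250:23) tcp SIS_OPEN
# Header lines ("Established Sessions") and prompts ("South#") do not match.
SESSION_RE = re.compile(
    r"^\s*Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>\S+)\s*$"
)


@dataclass
class InspectSession:
    session_id: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    state: str


def parse_inspect_sessions(output: str) -> List[InspectSession]:
    """Parse captured 'show ip inspect sessions' output into session records."""
    sessions = []
    for line in output.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(InspectSession(
                session_id=m["sid"], src=m["src"], sport=int(m["sport"]),
                dst=m["dst"], dport=int(m["dport"]),
                proto=m["proto"].lower(), state=m["state"],
            ))
    return sessions


def cbac_tracks_session(output: str, dst: str, dport: int, proto: str = "tcp") -> bool:
    """True only if CBAC reports a fully open (SIS_OPEN) session to dst:dport.

    A half-open session (SIS_OPENING) or empty output means the test in
    Step 8 has not passed: the router is not inspecting the traffic as expected.
    """
    return any(
        s.dst == dst and s.dport == dport and s.proto == proto and s.state == "SIS_OPEN"
        for s in parse_inspect_sessions(output)
    )


# Output as shown in the guide's example (session line from the page).
WORKING_OUTPUT = """South# show ip inspect sessions
Established Sessions
Session 6187B230 (14.2.10.189:3175)=>(14.2.9.250:23) tcp SIS_OPEN
South#
"""

# Constructed: the failure case, where the command prints nothing.
EMPTY_OUTPUT = """South# show ip inspect sessions
South#
"""

# Constructed: a session still in the half-open state, which should not pass.
HALF_OPEN_OUTPUT = """South# show ip inspect sessions
Half-open Sessions
Session 6187B4A0 (14.2.10.189:3176)=>(14.2.9.250:23) tcp SIS_OPENING
South#
"""


if __name__ == "__main__":
    for name, out in (("working", WORKING_OUTPUT), ("empty", EMPTY_OUTPUT),
                      ("half-open", HALF_OPEN_OUTPUT)):
        ok = cbac_tracks_session(out, "14.2.9.250", 23)
        print(f"{name}: CBAC tracking Telnet to 14.2.9.250 -> {'PASS' if ok else 'FAIL'}")
```

Feed the script the text captured from the router console (or from a terminal server log); it does not log in to the router itself. Requiring SIS_OPEN rather than any session line is deliberate: a half-open entry only shows that the SYN was seen, not that the return traffic was admitted, which is the property Step 8 is meant to verify.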
5.3.3. Configuration Sample
The configuration command listing below shows the configuration commands for a
firewall router with a simple CBAC configuration. The desired service list for this
firewall is: DNS, NTP, HTTP, FTP, Telnet, SMTP (to a single host), and POP3 (to a
single host). This sample is formatted as it would appear in a configuration text file
stored on a host for download to the router South.
no access-list 110
ip access-list extended 110
permit icmp 14.2.10.0 0.0.0.255 any