Downloads |
Table Of Contents
Cisco IOS Firewall Feature Set
The Cisco IOS Firewall Solution
The Cisco IOS Firewall Feature Set
Other Guidelines for Configuring a Firewall
When and Where to Configure CBAC
Pick an Interface: Internal or External
Configure IP Access Lists at the Interface
Configure Global Timeouts and Thresholds
Configure Application-Layer Protocol Inspection
Configure Generic TCP and UDP Inspection
Apply the Inspection Rule to an Interface
Display Configuration, Status, and Statistics for Context-based Access Control
Debug Context-based Access Control
Transport Level Debug Commands
Application Protocol Debug Commands
Interpret Syslog and Console Messages Generated by Context-based Access Control
Denial-of-Service Attack Detection Error Messages
SMTP Attack Detection Error Message
Turn Off Context-based Access Control
Remote Office to Branch Office Configuration
Two-interface Branch Office Configuration
Multiple Interface Branch Office Configuration
Cisco IOS Firewall Feature Set
Feature Summary
This document describes how you can configure your Cisco networking device to function as a firewall, using Cisco IOS security features in Cisco IOS release 12.0(4)T. Cisco IOS release 12.0(4)T introduces firewall support on the Cisco 800 series routers.
This section covers the following Cisco IOS Firewall information:
•
"The Cisco IOS Firewall Solution"
•
•
Overview of Firewalls
Firewalls are networking devices that control access to your organization's network assets. Firewalls are positioned at the entrance points into your network. If your network has multiple entrance points, you must position a firewall at each point to provide effective network access control.
Firewalls are often placed in between the internal network and an external network such as the Internet. With a firewall between your network and the Internet, all traffic coming from the Internet must pass through the firewall before entering your network.
Firewalls can also be used to control access to a specific part of your network. For example, you can position firewalls at all the entry points into a research and development network to prevent unauthorized access to proprietary information.
The most basic function of a firewall is to monitor and filter traffic. Firewalls can be simple or elaborate, depending on your network requirements. Simple firewalls are usually easier to configure and manage. However, you might require the flexibility of a more elaborate firewall.
The Cisco IOS Firewall Solution
Cisco IOS software provides an extensive set of security features, allowing you to configure a simple or elaborate firewall, according to your particular requirements. You can configure a Cisco device as a firewall if the device is positioned appropriately at a network entry point. Security features that provide firewall functionality are listed in the section "Create a Customized Firewall."
In addition to the security features available in standard Cisco IOS feature sets, there is a Cisco IOS Firewall feature set that gives your router additional firewall capabilities.
The Cisco IOS Firewall Feature Set
The Cisco IOS Firewall feature set combines existing Cisco IOS firewall technology and the Context-based Access Control (CBAC) feature. When you configure the Cisco IOS Firewall feature set on your Cisco router, you turn your router into an effective, robust firewall.
The Cisco IOS Firewall feature set is designed to prevent unauthorized, external individuals from gaining access to your internal network, and to block attacks on your network, while at the same time allowing authorized users to access network resources.
You can use the Cisco IOS Firewall feature set to configure your Cisco IOS router as:
•
•
•
•
The Cisco IOS Firewall feature set provides the following benefits:
•
•
•
Create a Customized Firewall
To create a firewall customized to fit your organization's security policy, you should determine which Cisco IOS security features are appropriate, and configure those features. At a minimum, you must configure traffic filtering using access lists to provide a basic firewall. Context-based Access Control (CBAC) provides advanced traffic inspection functionality that operates as an integral part of your network firewall.
As well as configuring these features, you should follow the guidelines listed in the section "Other Guidelines for Configuring Your Firewall." This section outlines important security practices to protect your firewall and network.
You can create a customized firewall with a variety of Cisco IOS security features:
•
•
•
•
•
•
•
•
•
•
•
•
describes Cisco IOS security features and lists the related chapter of the Security Configuration Guide.
Other Guidelines for Configuring a Firewall
As with all networking devices, you should always protect access into the firewall by configuring passwords as described in the "Configuring Passwords and Privileges" chapter in the Security Configuration Guide. You should also consider configuring user authentication, authorization, and accounting as described in the "Authentication, Authorization, and Accounting (AAA)" part of the Security Configuration Guide.
You should also consider the following recommendations:
•
•
•
•
•
To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter the ntp disable interface configuration command on each interface not using NTP.
If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen only to certain peers.
Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled services to access the firewall or the network.
For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring access lists to deny packets for the services at specific interfaces.
•
You should also disable source routing. For IP, enter the no ip source-route global configuration command. Disabling source routing at all routers can also help prevent spoofing.
You should also disable minor services. For IP, enter the no service tcp-small-servers and no service udp-small-servers global configuration commands. In Cisco IOS Release 12.0 and later, these services are disabled by default.
•
•
Directed broadcasts can be misused to multiply the power of denial-of-service attacks, because every denial-of-service packet sent is broadcast to every host on a subnet. Furthermore, some hosts have other intrinsic security risks present when handling broadcasts.
•
•
CBAC Overview
This section describes how to configure Context-based Access Control (CBAC). CBAC provides advanced traffic inspection functionality and can be used as an integral part of your network's firewall.
For a complete description of the CBAC commands used in this section, refer to the "Context-Based Access Control Commands" chapter in the Security Command Reference.
This section describes:
•
What CBAC Does
CBAC intelligently inspects TCP and UDP packets based on application-layer protocol session information and can be used for intranets, extranets, and the Internet. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. (In other words, CBAC can inspect traffic for sessions that originate from the external network.) However, while this example discusses inspecting traffic for sessions that originate from the external network, CBAC can inspect traffic for sessions that originate from either side of the firewall.
Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport layer. However, CBAC examines not only network layer and transport layer information but also examines the application-layer protocol information (such as FTP connection information) to learn about the state of the TCP or UDP session. This allows support of protocols that involve multiple channels created as a result of negotiations in the control channel. Most of the multimedia protocols as well as some other protocols (such as FTP, RPC, and SQL*Net) involve multiple channels.
CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions (sessions that originated from within the protected internal network).
Inspecting packets at the application layer and maintaining TCP and UDP session information provides CBAC with the ability to detect and prevent certain types of network attacks such as SYN-flooding. A SYN-flooding attack occurs when a network attacker floods a server with a barrage of requests for connection and does not complete the connection. The resulting volume of half-open connections can overwhelm the server, causing it to deny service to valid requests.
Denial-of-service (DoS) detection and prevention inspects packet sequence numbers in TCP connections. If they are not within expected ranges, the router drops suspicious packets. When the router detects unusually high rates of new connections, it issues an alert message. The router drops half-open TCP connection state tables to prevent system resource depletion.
Additional features include Java blocking and real-time alerts and audit trails. Java blocking can be configured to filter based on the server address or completely deny access to Java applets that are not embedded in an archived or compressed file.
Enhanced audit trail features use SYSLOG to track all transactions; recording time stamps, source host, destination host, ports used, and the total number of transmitted bytes, for advanced, session-based reporting.
Real-time alerts send SYSLOG error messages to central management consoles upon detecting suspicious activity. Network managers have the ability to respond immediately to intrusions.
What CBAC Does Not Do
CBAC does not protect against attacks originating from within the protected network. CBAC only detects and protects against attacks that travel through the firewall.
CBAC protects against certain attacks but should not be considered a perfect, impenetrable defense. Determined, skilled attackers might be able to launch effective attacks. While there is no such thing as a perfect defense, CBAC detects and prevents most of the popular attacks on your network.
How CBAC Works
You should understand the material in this section before you configure CBAC. If you do not understand how CBAC works, you might inadvertently introduce security risks by configuring CBAC inappropriately.
How CBAC Works—Overview
CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.
In , the inbound access lists at S0 and S1 are configured to block Telnet traffic, and there is no outbound access list configured at E0. When the connection request for User1's Telnet session passes through the firewall, CBAC creates a temporary opening in the inbound access list at S0 to permit returning Telnet traffic for User1's Telnet session. (If the same access list is applied to both S0 and S1, the same opening would appear at both interfaces.) If necessary, CBAC would also have created a similar opening in an outbound access list at E0 to permit return traffic.
Figure 1
CBAC Opens Temporary Holes in Firewall Access Lists
How CBAC Works—Details
This section describes how CBAC inspects packets and maintains state information about sessions to manage the traffic flow through the interface.
Packets Are Inspected
With CBAC, you specify which protocols you want to be inspected, and you specify an interface and interface direction (in or out) where inspection originates. Only specified protocols will be inspected by CBAC. For these protocols, packets flowing through the firewall in any direction are inspected, as long as they flow through the interface where inspection is configured.
Packets entering the firewall are inspected by CBAC only if they first pass the inbound access list at the interface. If a packet is denied by the access list, the packet is simply dropped and not inspected by CBAC.
CBAC inspects and monitors only the control channels of connections; the data channels are not inspected. For example, during FTP sessions both the control and data channels (which are created when a data file is transferred) are monitored for state changes, but only the control channel is inspected (that is, the CBAC software parses the FTP commands and responses).
CBAC inspection tracks sequence numbers in all TCP packets, and drops those packets with sequence numbers that are not within expected ranges.
CBAC inspection recognizes application-specific commands (such as illegal SMTP commands) in the control channel, and detects and prevents certain application-level attacks.
When CBAC suspects an attack, the DoS feature can take several actions:
•
•
•
CBAC uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established. Setting timeout values for network sessions helps prevent DoS attacks by freeing up system resources, dropping sessions after a specified amount of time. Setting threshold values for network sessions helps prevent DoS attacks by controlling the number of half-open sessions, which limits the amount of system resources applied to half-open sessions. When a session is dropped, CBAC sends a reset message to the devices at both end points (source and destination) of the session. When the system under DoS attack receives a reset command, it releases, or frees up, processes and resources related to that incomplete session.
CBAC provides three thresholds against DoS attacks:
•
•
•
If a threshold is exceeded, CBAC has two options: send a reset message to the end points of the oldest half-open session, making resources available to service newly arriving SYN packets; or block all SYN packets temporarily for the duration configured by the threshold value. When the router blocks a SYN packet, the TCP three-way handshake is never initiated, which prevents the router from using memory and processing resources needed for valid connections.
DoS detection and prevention requires that you create a CBAC inspection rule and apply that rule on an interface. The inspection rule must include the protocols that you want to monitor against DoS attacks. For example, if you have TCP inspection enabled on the inspection rule, then CBAC can track all TCP connections to watch for DoS attacks. If the inspection rule includes FTP protocol inspection but not TCP inspection, CBAC tracks only FTP connections to watch for DoS attacks on FTP servers.
For detailed information about setting timeout and threshold values in CBAC to detect and prevent DoS attacks, refer in the "Configure Global Timeouts and Thresholds" section.
A State Table Maintains Session State Information
Whenever a packet is inspected, a state table is updated to include information about the state of the packet's connection.
Return traffic will only be permitted back through the firewall if the state table contains information indicating that the packet belongs to a permissible session. Inspection controls the traffic that belongs to a valid session and forwards the traffic it does not know. When return traffic is inspected, the state table information is updated as necessary.
UDP "Sessions" Are Approximated
With UDP—a connectionless service—there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, similar source/destination addresses and port numbers) and if the packet was detected soon after another similar UDP packet. "Soon" means within the configurable UDP idle timeout period.
Access List Entries Are Dynamically Created and Deleted to Permit Return Traffic and Additional Data Connections
CBAC dynamically creates and deletes access list entries at the firewall interfaces, according to the information maintained in the state tables. These access list entries are applied to the interfaces to examine traffic flowing back into the internal network. These entries create temporary openings in the firewall to permit only traffic that is part of a permissible session.
The temporary access list entries are never saved to NVRAM.
When and Where to Configure CBAC
CBAC is highly flexible and can be configured on any interface of any firewall for protecting internal networks. Such firewalls should be Cisco routers with the Cisco Firewall feature set configured as described previously in the section "The Cisco IOS Firewall Feature Set."
Use CBAC when the firewall will be passing TCP, UDP, and common application traffic.
Use CBAC for applications if you want the application's traffic to be permitted through the firewall only when the traffic session is initiated from a particular side of the firewall (usually from the protected internal network).
In many cases, you will configure CBAC in one direction, in or out, at a single interface. This configuration causes traffic to be permitted back into the internal network only if the traffic is part of a permissible (valid, existing) session. This is a typical configuration for protecting your internal networks from traffic that originates on the Internet.
You can also configure CBAC in both directions on the same interface if you want to inspect sessions initiated on either side of the interface. Configuring CBAC in both directions can be useful in a corporate intranet or extranet environment where you want to manage sessions between different groups of users or between corporate partners.
The CBAC Process
This section describes a sample sequence of events that occurs when CBAC is configured at an external interface that connects to an external network such as the Internet.
In this example, a TCP packet exits the internal network through the firewall's external interface. The TCP packet is the first packet of a Telnet session, and Telnet is configured for CBAC inspection.
1
2
3
(If the packet's application—Telnet—was not configured for CBAC inspection, the packet would simply be forwarded out the interface at this point without being inspected by CBAC. See the section "Define an Inspection Rule" for configuring CBAC inspection information.)
4
5
6
7
8
9
In the sample process just described, the firewall access lists are configured as follows:
•
•
If the inbound access list had be configured to permit all traffic, CBAC would be creating pointless openings in the firewall for packets that would be permitted anyway.
Supported Protocols
You can configure CBAC to inspect the following types of sessions:
•
•
You can also configure CBAC to specifically inspect certain application-layer protocols. The following application-layer protocols can all be configured for CBAC:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
When a protocol is configured for CBAC, the protocol's traffic will be inspected, state information will be maintained, and in general, packets will be allowed back through the firewall only if they belong to a permissible session.
Benefits
•
•
•
•
•
You can use the Cisco IOS Firewall feature set to configure your Cisco IOS router as:
•
•
•
•
Restrictions
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Memory and Performance Impact
Using CBAC uses less than approximately 600 bytes of memory per connection. Because of the memory usage, you should use CBAC only when you need to. There is also a slight amount of additional processing that occurs whenever packets are inspected.
Sometimes CBAC must evaluate long access lists, which might have presented a negative impact to performance. However, this impact is avoided, because CBAC evaluates access lists using an accelerated method (CBAC hashes access lists and evaluates the hash).
Platforms
The Cisco IOS Firewall feature set is supported on the following platforms:
•
•
•
•
•
•
•
•
Prerequisites
None.
Supported MIBs and RFCs
None.
Configuration Tasks
To configure CBAC, complete the tasks described in the following sections:
•
•
•
•
You can also perform the tasks described in the following sections. These tasks are optional.
•
•
•
•
Note
For CBAC configuration examples, refer to the "Configuration Examples" section.
Pick an Interface: Internal or External
You must decide whether to configure CBAC on an internal or external interface of your firewall.
"Internal" refers to the side where sessions must originate for their traffic to be permitted through the firewall. "External" refers to the side where sessions cannot originate (sessions originating from the external side will be blocked).
If you will be configuring CBAC in two directions, you should configure CBAC in one direction first, using the appropriate "internal" and "external" interface designations. When you configure CBAC in the other direction, the interface designations will be swapped. (CBAC is rarely configured in two directions, and usually only when the firewall is between two networks that need protection from each other, such as with two partners' networks connected by the firewall.)
The firewall is most commonly used with one of two basic network topologies. Determining which of these topologies is most like your own can help you decide whether to configure CBAC on an internal interface or on an external interface.
The first topology is shown in . In this simple topology, CBAC is configured for the external interface Serial 1. This prevents specified protocol traffic from entering the firewall and the internal network, unless the traffic is part of a session initiated from within the internal network.
Figure 2
Simple Topology—CBAC Configured at the External Interface
The second topology is shown in . In this topology, CBAC is configured for the internal interface Ethernet 0. This allows external traffic to access the services in the Demilitarized Zone (DMZ), such as DNS services, but prevents specified protocol traffic from entering your internal network—unless the traffic is part of a session initiated from within the internal network.
Figure 3
DMZ Topology—CBAC Configured at the Internal Interface
Using these two sample topologies, decide whether to configure CBAC on an internal or external interface.
Configure IP Access Lists at the Interface
For CBAC to work properly, you need to make sure that you have IP access lists configured appropriately at the interface.
Follow these two general rules when evaluating your IP access lists at the firewall:
•
All access lists that evaluate traffic leaving the protected network should permit traffic that will be inspected by CBAC. For example, if Telnet will be inspected by CBAC, then Telnet traffic should be permitted on all access lists that apply to traffic leaving the network.
•
For temporary openings to be created in an access list, the access list must be an extended access list. So wherever you have access lists that will be applied to returning traffic, you must use extended access lists. The access lists should deny CBAC return traffic because CBAC will open up temporary holes in the access lists. (You want traffic to be normally blocked when it enters your network.)
Note
External Interface
Here are some tips for your access lists when you will be configuring CBAC on an external interface:
•
•
•
Internal Interface
Here are some tips for your access lists when you will be configuring CBAC on an internal interface:
•
•
•
Configure Global Timeouts and Thresholds
CBAC uses timeouts and thresholds to determine how long to manage state information for a session, and to determine when to drop sessions that do not become fully established. These timeouts and thresholds apply globally to all sessions.
You can use the default timeout and threshold values, or you can change to values more suitable to your security requirements. You should make any changes to the timeout and threshold values before you continue configuring CBAC.
Note
All the available CBAC timeouts and thresholds are listed in the following table, along with the corresponding command and default value.
To change a global timeout or threshold listed in the "Timeout of Threshold Value to Change" column, use the global configuration command in the "Command" column:
The length of time the software waits for a TCP session to reach the established state before dropping the session.
ip inspect tcp synwait-time seconds
30 seconds
The length of time a TCP session will still be managed after the firewall detects a FIN-exchange.
ip inspect tcp finwait-time seconds
5 seconds
The length of time a TCP session will still be managed after no activity (the TCP idle timeout).1
ip inspect tcp idle-time seconds
3600 seconds (1 hour)
The length of time a UDP session will still be managed after no activity (the UDP idle timeout).1
ip inspect udp idle-time seconds
30 seconds
The length of time a DNS name lookup session will still be managed after no activity.
ip inspect dns-timeout seconds
5 seconds
The number of existing half-open sessions that will cause the software to start deleting half-open sessions.2
ip inspect max-incomplete high number
500 existing half-open sessions
The number of existing half-open sessions that will cause the software to stop deleting half-open sessions.2
ip inspect max-incomplete low number
400 existing half-open sessions
The rate of new unestablished sessions that will cause the software to start deleting half-open sessions.2
ip inspect one-minute high number
500 half-open sessions per minute
The rate of new unestablished sessions that will cause the software to stop deleting half-open sessions.2
ip inspect one-minute low number
400 half-open sessions per minute
The number of existing half-open TCP sessions with the same destination host address that will cause the software to start dropping half-open sessions to the same destination host address.3
ip inspect tcp max-incomplete host number block-time minutes
50 existing half-open TCP sessions; 0 minutes
1 The global TCP and UDP idle timeouts can be overridden for specified application-layer protocols' sessions as described in the ip inspect name (global configuration) command description, found in the "Context-Based Access Control Commands" chapter of the Security Command Reference.
2 See the following section, "Half-Open Sessions," for more information.
3 Whenever the max-incomplete host threshold is exceeded, the software will drop half-open sessions differently depending on whether the block-time timeout is zero or a positive non-zero number. If the block-time timeout is zero, the software will delete the oldest existing half-open session for the host for every new connection request to the host and will let the SYN packet through. If the block-time timeout is greater than zero, the software will delete all existing half-open sessions for the host, and then block all new connection requests to the host. The software will continue to block all new connection requests until the block-time expires.
To return any threshold or timeout to the default value, use the no form of the command in the preceding table.
Half-Open Sessions
An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state—the TCP three-way handshake has not yet been completed. For UDP, "half-open" means that the firewall has detected no return traffic.
CBAC measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once per minute.
When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).
When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. The firewall router reviews the "one-minute" rate on an ongoing basis, meaning that the router reviews the rate more frequently than one minute and does not keep deleting half-open sessions for one-minute after a DoS attack has stopped—it will be less time.
Define an Inspection Rule
After you configure global timeouts and thresholds, you must define an inspection rule. This rule specifies what IP traffic (which application-layer protocols) will be inspected by CBAC at an interface.
Normally, you define only one inspection rule. The only exception might occur if you want to enable CBAC in two directions as described earlier in the section "When and Where to Configure CBAC." For CBAC configured in both directions at a single firewall interface, you should configure two rules, one for each direction.
An inspection rule should specify each desired application-layer protocol as well as generic TCP or generic UDP if desired. The inspection rule consists of a series of statements each listing a protocol and specifying the same inspection rule name.
To define an inspection rule, follow the instructions in the following sections:
•
•
•
Configure Application-Layer Protocol Inspection
Note
To configure CBAC inspection for an application-layer protocol, use one or both of the following global configuration commands:
Refer to the description of the ip inspect name (global configuration) command in the "Context-Based Access Control Commands" chapter in the Security Command Reference for complete information about how the command works with each application-layer protocol.
To enable CBAC inspection for Java, see the following section, "Configure Java Inspection."
identifies application protocol keywords.
Configure Java Inspection
With Java, you must protect against the risk of users inadvertently downloading destructive applets into your network. To protect against this risk, you could require all users to disable Java in their browser. If this is not an agreeable solution, you can use CBAC to filter Java applets at the firewall, which allows users to download only applets residing within the firewall and trusted applets from outside the firewall.
Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as "friendly." If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked. (Alternately, you could permit applets from all external sites except for those you specifically designate as hostile.)
To block all Java applets except for applets from friendly locations, use the following global configuration commands:
CautionCBAC does not detect or block encapsulated Java applets. Therefore, Java applets that are wrapped or encapsulated, such as applets in .zip or .jar format, are not blocked at the firewall. CBAC also does not detect or block applets loaded from FTP, gopher, HTTP on a nonstandard port, and so forth.
Configure Generic TCP and UDP Inspection
You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number than the previous exiting packet.
Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant to the FTP state information.
With TCP and UDP inspection, packets entering the network must exactly match the corresponding packet that previously exited the network. The entering packets must have the same source/destination addresses and source/destination port numbers as the exiting packet (but reversed); otherwise, the entering packets will be blocked at the interface. Also, all TCP packets with a sequence number outside of the window are dropped.
With UDP inspection configured, replies will only be permitted back in through the firewall if they are received within a configurable time after the last request was sent out. (This time is configured with the ip inspect udp idle-time command.)
To configure CBAC inspection for TCP or UDP packets, use one or both of the following global configuration commands:
Apply the Inspection Rule to an Interface
After you define an inspection rule, you apply this rule to an interface.
Normally, you apply only one inspection rule to one interface. The only exception might occur if you want to enable CBAC in two directions as described earlier in the section "When and Where to Configure CBAC." For CBAC configured in both directions at a single firewall interface, you should apply two rules, one for each direction.
If you are configuring CBAC on an external interface, apply the rule to outbound traffic.
If you are configuring CBAC on an internal interface, apply the rule to inbound traffic.
To apply an inspection rule to an interface, use the following interface configuration command:
Display Configuration, Status, and Statistics for Context-based Access Control
You can view certain CBAC information by using one or more of the following EXEC commands:
