-
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T
-
Automatic Signature Extraction
-
Cisco IOS Firewall Overview
-
Access Control Lists (ACLs)
-
IP Access List Features Roadmap
-
IP Access List Overview
-
Creating an IP Access List and Applying It to an Interface
-
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
-
ACL Syslog Correlation
-
Refining an IP Access List
-
Object Groups for ACLs
-
Displaying and Clearing IP Access List Data Using ACL Manageability
-
Controlling Access to a Virtual Terminal Line
-
Access List-Based RBSCP
-
ACL IP Options Selective Drop
-
ACL Authentication of Incoming rsh and rcp Requests
-
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Context-Based Access Control
-
Configuring Context-based Access Control
-
Application Firewall - Instant Message Traffic Enforcement
-
Cisco IOS Firewall MIB
-
Cisco IOS Firewall Performance Improvements
-
Cisco IOS Firewall Stateful Failover
-
Cisco IOS Firewall Support for TRP
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Support of Skinny Client Control Protocol (SCCP)
-
Firewall Websense URL Filtering
-
Granular Protocol Inspection
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
-
Transparent Cisco IOS Firewall
-
Virtual Fragmentation Reassembly
-
VRF Aware Cisco IOS Firewall
-
-
Zone-Based Policy Firewall
-
Zone-Based Policy Firewall
-
Cisco IOS Firewall H.323 Support
-
H.323 RAS Support in Cisco IOS Firewall
-
Cisco IOS Firewall: SIP Enhancements: ALG and AIC
-
Application Inspection and Control for SMTP
-
Subscription-based Cisco IOS Content Filtering
-
Cisco IOS Firewall Support for Skinny Local Traffic and CME
-
User Based Firewall Support
-
- Cisco IOS Intrusion Prevention System (IPS)
- Flexible Packet Matching
-
Configuring IP Security Options
-
Configuring Port to Application Mapping
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
- Unicast Reverse Path Forwarding (uRPF)
- Threat Information Distribution Protocol (TIDP) and TMS
-
Table Of Contents
Information About Firewall ACL Bypass
Benefits of Firewall ACL Bypass
Firewall ACL Bypass Functionality Overview
How to Use Firewall ACL Bypass
Configuration Examples for Verifying Firewall Session Information
Old show ip inspect CLI Output: Example
New show ip inspect CLI Output: Example
Firewall ACL Bypass
The Firewall ACL Bypass feature allows a packet to avoid redundant access control list (ACL) checks by allowing the firewall to permit the packet on the basis of existing inspection sessions instead of dynamic ACLs. Thus, input and output dynamic ACLs searches are eliminated, improving the overall throughput performance of the base engine.
Feature History for Firewall ACL Bypass
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Information About Firewall ACL Bypass
•
•
Information About Firewall ACL Bypass
To better understand how dynamic ACL bypass works, you should understand the following concepts:
•
•
Benefits of Firewall ACL Bypass
Because input and output dynamic ACLs are no longer necessary, the need for context-based access control (CBAC) to create dynamic ACLs on the interface is eliminated. Thus, the following benefits are now available:
•
•
Firewall ACL Bypass Functionality Overview
Before ACL bypassing was implemented, a packet could be subjected to as many as three redundant searches—an input ACL search, an output ACL search, and an inspection session search. Each dynamic ACL that CBAC creates corresponds to a single inspection session. Thus, a matching dynamic ACL entry for a given packet implies that a matching inspection session exists and that the packet should be permitted through the ACL. Because a matching inspection session is often found in the beginning of IP processing, the input and output dynamic ACL searches are no longer necessary and can be eliminated.
ACL bypassing subjects the packet to one search—the inspection session search—during its processing path through the router. When a packet is subjected to a single inspection session search before the ACL checks, the packet is matched against the list of session identifiers that already exist on the interface. (Session identifiers keep track of the source and destination IP addresses and ports of the packets and on which interface the packet arrived.)
Note
How to Use Firewall ACL Bypass
After your firewall is configured for inspection, ACL bypassing is performed by default. That is, you should configure inspection as normal.
To configure CBAC for your firewall, see the following chapter "Configuring Context-Based Access Control" in the Cisco IOS Security Configuration Guide.
Configuration Examples for Verifying Firewall Session Information
After you have configured your firewall for inspection, you can use the show ip inspect sessions detail command to view session inspection information. The following examples show how eliminating dynamic ACLs changes the sample output:
•
•
Old show ip inspect CLI Output: Example
The following is sample output from the show ip inspect session detail command, which shows that an outgoing ACL and an inbound ACL (dynamic ACLs) have been created to allow return traffic:
Router# show ip inspect session detailEstablished SessionsSession 80E87274 (192.168.1.116:32956)=>(192.168.101.115:23) tcp SIS_OPENCreated 00:00:08, Last heard 00:00:04Bytes sent (initiator:responder) [140:298] acl created 2Outgoing access-list 102 applied to interface FastEthernet0/0Inbound access-list 101 applied to interface FastEthernet0/1Router# show access-listsExtended IP access list 101permit tcp host 192.168.101.115 eq telnet host 192.168.1.116 eq 32956 (27 matches)deny udp any anydeny tcp any anypermit ip any anyExtended IP access list 102permit tcp host 192.168.101.115 eq telnet host 192.168.1.116 eq 32956 (27 matches)deny udp any anydeny tcp any anypermit ip any anyNew show ip inspect CLI Output: Example
The following is sample output from the show ip inspect session detail command, which shows related ACL information (such as session identifiers [SID]), but does not show dynamic ACLs, which are no longer created:
Router# show ip inspect session detailEstablished SessionsSession 814063CC (192.168.1.116:32955)=>(192.168.101.115:23) tcp SIS_OPENCreated 00:00:10, Last heard 00:00:06Bytes sent (initiator:responder) [140:298]In SID 192.168.101.115[23:23]=>192.168.1.117[32955:32955] on ACL 101 (15 matches)Out SID 192.168.101.115[23:23]=>192.168.1.116[32955:32955] on ACL 102Router# show access-listExtended IP access list 101deny udp any any (20229 matches)deny tcp any anypermit ip any any (6 matches)Extended IP access list 102deny udp any anydeny tcp any anypermit ip any any (1 match)Additional References
The following sections provide references related to Dynamic ACL Bypass.
Related Documents
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
Glossary
connections per second— Metric defined by the number of short-lived connections that can be created and deleted within 1 second by a router running CBAC. (These connections apply only to TCP connections because UDP is a connectionless protocol.)
throughput—Metric defined by the number of packets transferred from the input interface to the output interface within 1 second by a router running CBAC.
Note
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
