Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4
Inspection of Router-Generated Traffic


Inspection of Router-Generated Traffic


The Inspection of Router-Generated Traffic feature allows Context-Based Access Control (CBAC) to inspect traffic that is originated by or destined to the router on which CBAC is configured. Previously, inspection of Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and H.323 connections initiated by or destined to the router was not supported; CBAC inspected only traffic passing through the router.

Feature History for Inspection of Router-Generated Traffic

Release       Modification
12.3(14)T     This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for Inspection of Router-Generated Traffic

Restrictions for Inspection of Router-Generated Traffic

Information About Inspection of Router-Generated Traffic

How to Configure Inspection of Router-Generated Traffic

Configuration Examples for Inspection of Router-Generated Traffic

Additional References

Command Reference

Glossary

Prerequisites for Inspection of Router-Generated Traffic

Configure CBAC.

Configure Cisco CallManager Express (CCME) or the H.323 gateway on the router if you want to inspect H.323 connections to and from the router.

Restrictions for Inspection of Router-Generated Traffic

Inspection of router-generated traffic is supported only on the following protocols: H.323, TCP, and UDP.

The Cisco IOS Firewall supports only Version 2 of the H.323 protocol. If inspection of H.323 router traffic is enabled on a router running CCME or the H.323 gateway, enter the following commands so that the gateway is configured to use only Version 2 features:

voice service voip
 h323
  session transport tcp calls-per-connection 1
  h245 tunnel disable
  h245 caps mode restricted
  h225 timeout tcp call-idle value 0

Information About Inspection of Router-Generated Traffic

To configure Inspection of Router-Generated Traffic, you need to understand the following concepts:

CBAC

Inspection of Router-Generated Traffic Overview

CBAC

CBAC is a Cisco IOS Firewall feature set that provides network protection by using the following functions:

Traffic Filtering

Traffic Inspection

Alerts and Audit Trails

Intrusion Detection

Traffic Filtering

CBAC filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC can be used for intranet, extranet, and Internet perimeters of your network.

Traffic Inspection

CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

Alerts and Audit Trails

CBAC generates real-time alerts and audit trails. Enhanced audit trail features use SYSLOG to track all network transactions; they record time stamps, the source host, the destination host, the ports used, and the total number of transmitted bytes, for advanced, session-based reporting. Real-time alerts send SYSLOG error messages to central management consoles upon detecting suspicious activity.

Using CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis. For example, if you want to generate audit trail information for HTTP traffic, you can specify that in the CBAC rule covering HTTP inspection.

Intrusion Detection

CBAC provides a limited amount of intrusion detection to protect against specific Simple Mail Transfer Protocol (SMTP) attacks. With intrusion detection, SYSLOG messages are reviewed and monitored for specific "attack signatures." Certain types of network attacks have specific characteristics, or signatures. When CBAC detects an attack, it resets the offending connections and sends SYSLOG information to the SYSLOG server.

Inspection of Router-Generated Traffic Overview

Inspection of Router-Generated Traffic enhances CBAC's functionality to inspect TCP, UDP, and H.323 connections that have a router or firewall as one of the connection endpoints. This enables CBAC to open pinholes for TCP, UDP, and H.323 control channel connections to and from the router, and to open pinholes for data and media channels negotiated over the H.323 control channels.

Inspection of TCP and UDP channels initiated from the router enables dynamic opening of pinholes on the interface access control list (ACL) to allow return traffic. You do not have to modify the ACL when a TCP connection such as Telnet is made from the router.

Inspection of local H.323 connections enables the deployment of CCME, H.323 gateway, and the Cisco IOS Firewall on the same router. This also simplifies ACL configuration on CCME's interface through which H.323 connections are made. Before this feature, in addition to configuring ACLs to allow H.323 connections on a standard port (for example, port 1720), you had to configure ACLs to allow all dynamically negotiated data and media channels. With this feature you just configure the ACLs to allow H.323 control channels on port 1720. The Cisco IOS Firewall inspects all the traffic on the control channel and opens pinholes to allow dynamically negotiated data and media channels.

To enable Inspection of Router-Generated Traffic, specify the router-traffic keyword in the ip inspect name command of the appropriate protocol.

How to Configure Inspection of Router-Generated Traffic

This section contains the following procedures:

Configuring H.323 Inspection (required)

Configuring CBAC (required)

Verifying the CBAC Configuration (optional)

Configuring H.323 Inspection

To configure the H.323 protocol, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip inspect name inspection-name {tcp | udp | h323} [alert {on | off}] [audit-trail {on | off}] [router-traffic] [timeout seconds]

4. interface type slot/port

5. exit

DETAILED STEPS

 
Step 1  enable
        Example: Router> enable
        Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal
        Example: Router# configure terminal
        Enters global configuration mode.

Step 3  ip inspect name inspection-name {tcp | udp | h323} [alert {on | off}] [audit-trail {on | off}] [router-traffic] [timeout seconds]
        Example: Router(config)# ip inspect name test h323 router-traffic
        Defines a set of inspection rules. The router-traffic keyword enables inspection of connections that have the router as an endpoint.

Step 4  interface type slot/port
        Example: Router(config)# interface FastEthernet0/0
        Specifies an interface and enters interface configuration mode.

Step 5  exit
        Example: Router(config-if)# exit
        Exits interface configuration mode and returns to global configuration mode.

Configuring CBAC

To configure CBAC, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. access-list access-list-number {deny | permit} source [source-wildcard] [log]

4. ip inspect name inspection-name {tcp | udp | h323} [alert {on | off}] [audit-trail {on | off}] [router-traffic] [timeout seconds]

5. interface type slot/port

6. ip inspect inspection-name {in | out}

7. exit

DETAILED STEPS

 
Step 1  enable
        Example: Router> enable
        Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal
        Example: Router# configure terminal
        Enters global configuration mode.

Step 3  access-list access-list-number {deny | permit} source [source-wildcard] [log]
        Example: Router(config)# access-list 121 permit tcp host 100.168.11.1 any eq 1720
        Defines an IP access list. The example uses an extended access list (number 121) so that it can match TCP traffic to the H.323 control port, 1720.

Step 4  ip inspect name inspection-name {tcp | udp | h323} [alert {on | off}] [audit-trail {on | off}] [router-traffic] [timeout seconds]
        Example: Router(config)# ip inspect name here h323 router-traffic timeout 180
        Defines a set of inspection rules.

Step 5  interface type slot/port
        Example: Router(config)# interface Serial0/3/0
        Specifies an interface and enters interface configuration mode.

Step 6  ip inspect inspection-name {in | out}
        Example: Router(config-if)# ip inspect here in
        Enables the Cisco IOS Firewall on the interface, applying the inspection rule defined in Step 4.

Step 7  exit
        Example: Router(config-if)# exit
        Exits interface configuration mode and returns to global configuration mode.

Verifying the CBAC Configuration

To verify the CBAC configuration, perform the following steps.

SUMMARY STEPS

1. show ip inspect name inspection-name

2. show ip inspect config

3. show ip inspect interfaces

4. show ip inspect session [detail]

5. show ip inspect all

DETAILED STEPS


Step 1 show ip inspect name inspection-name

Use this command to show a particular configured inspection rule. The following example displays the inspection rule myinspectionrule. The output shows the protocols that CBAC inspects under this rule and the corresponding idle timeout for each protocol.

Router# show ip inspect name myinspectionrule

Inspection Rule Configuration

 Inspection name myinspectionrule
  tcp timeout 3600
  udp timeout 30
  ftp timeout 3600

Step 2 show ip inspect config

Use this command to show the CBAC configuration, including global timeouts, thresholds, and inspection rules.

Router# show ip inspect config 

Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
 Inspection Rule Configuration
  inspection name myinspectionrule
  tcp timeout 3600
  udp timeout 30
  ftp timeout 3600

Step 3 show ip inspect interfaces

Use this command to show the interface configuration with respect to applied inspection rules and access lists.

Router# show ip inspect interfaces 

Interface Configuration
 Interface Ethernet0
  Inbound inspection rule is myinspectionrule
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

Step 4 show ip inspect session detail

Use this command to display existing sessions that CBAC is currently tracking and inspecting. The following sample output shows that an outgoing ACL and an inbound ACL (dynamic ACLs) have been created to allow return traffic.

Router# show ip inspect session detail 

Established Sessions
 Session 80E87274 (192.168.1.116:32956)=>(192.168.101.115:23) tcp SIS_OPEN
   Created 00:00:08, Last heard 00:00:04
   Bytes sent (initiator:responder) [140:298] acl created 2
   Outgoing access-list 102 applied to interface FastEthernet0/0
   Inbound access-list 101 applied to interface FastEthernet0/1

Step 5 show ip inspect all

Use this command to show all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC.

Router# show ip inspect all 

Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name all
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
Interface Configuration
 Interface Ethernet0
  Inbound inspection rule is all
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
 Established Sessions
 Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN
 Session 25A34A0 (40.0.0.1:20)=>(30.0.0.1:46072) ftp-data SIS_OPEN
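The session output in Steps 4 and 5 is where an operator sees the pinholes that router-originated connections have opened. The following added example (not part of this Cisco document) parses that output and tags the sessions in which the router itself is an endpoint; the sample output is constructed in the format shown above, and ROUTER_ADDRS (the router's own interface addresses) is an assumption taken from the configuration example later in this chapter.

```python
"""Parse 'show ip inspect session detail' output and single out the
sessions that exist only because the router itself is an endpoint.

Added example, not from the Cisco document. SAMPLE_OUTPUT is a
constructed sample in the format the chapter shows; ROUTER_ADDRS (the
router's own interface addresses) is an assumption taken from the
chapter's configuration example."""
import re

SAMPLE_OUTPUT = """\
Established Sessions
 Session 80E87274 (192.168.1.116:32956)=>(192.168.101.115:23) tcp SIS_OPEN
   Created 00:00:08, Last heard 00:00:04
   Bytes sent (initiator:responder) [140:298] acl created 2
   Outgoing access-list 102 applied to interface FastEthernet0/0
   Inbound access-list 101 applied to interface FastEthernet0/1
 Session 80E87A10 (11.168.11.2:11004)=>(11.168.11.1:1720) h323 SIS_OPEN
   Created 00:01:12, Last heard 00:00:02
   Bytes sent (initiator:responder) [2048:1960] acl created 1
   Inbound access-list 121 applied to interface Serial0/3/0
"""
ROUTER_ADDRS = {"11.168.11.2"}  # constructed: this router's interface addresses

SESSION_RE = re.compile(r"Session (\w+) \((\S+):(\d+)\)=>\((\S+):(\d+)\) (\S+) (\S+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\] acl created (\d+)")
PINHOLE_RE = re.compile(r"(Inbound|Outgoing) access-list (\S+) applied to interface (\S+)")

def parse_inspect_sessions(text):
    """Return one dict per session, including the dynamic ACL entries it opened."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SESSION_RE.match(line):
            sessions.append({"id": m[1], "initiator": m[2], "init_port": int(m[3]),
                             "responder": m[4], "resp_port": int(m[5]),
                             "protocol": m[6], "state": m[7], "pinholes": []})
        elif sessions and (m := BYTES_RE.match(line)):
            # Byte counters and the number of dynamic ACL entries this session created
            sessions[-1].update(bytes_sent=(int(m[1]), int(m[2])), acl_created=int(m[3]))
        elif sessions and (m := PINHOLE_RE.match(line)):
            sessions[-1]["pinholes"].append((m[1], m[2], m[3]))
    return sessions

def router_sessions(sessions, router_addrs):
    """Sessions with the router as an endpoint, tagged by which side initiated."""
    tagged = []
    for s in sessions:
        if s["initiator"] in router_addrs:
            tagged.append((s, "router-originated"))
        elif s["responder"] in router_addrs:
            tagged.append((s, "router-destined"))
    return tagged

if __name__ == "__main__":
    for s, kind in router_sessions(parse_inspect_sessions(SAMPLE_OUTPUT), ROUTER_ADDRS):
        holes = ", ".join(f"{d} ACL {a} on {i}" for d, a, i in s["pinholes"])
        print(f"{kind}: {s['protocol']} {s['initiator']}:{s['init_port']} -> "
              f"{s['responder']}:{s['resp_port']}; pinholes: {holes}")
```

Feed it the captured output of show ip inspect session detail (or the Established Sessions part of show ip inspect all) to list which dynamic ACL entries exist because of the router's own connections.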

Configuration Examples for Inspection of Router-Generated Traffic

This section provides the following configuration examples:

Configuring CBAC with Inspection of H.323 Traffic: Example

Configuring CBAC with Inspection of H.323 Traffic: Example

These commands create the ACLs. In this example, TCP traffic to the H.323 control port (1720) is permitted only from the hosts 100.168.11.1 (outbound, ACL 120) and 192.168.11.50 and 192.168.100.1 (inbound, ACL 121).

access-list 120 permit tcp host 100.168.11.1 any eq 1720
access-list 121 permit tcp host 192.168.11.50 host 100.168.11.1 eq 1720
access-list 121 permit tcp host 192.168.100.1 host 100.168.11.1 eq 1720

These commands create the CBAC inspection rule LOCAL-H323, which inspects the protocols named in the rule (here TFTP and H.323, the latter including connections to and from the router). The rule sets the idle timeout to 180 seconds for each inspected protocol. The timeout value is the maximum time that a connection for a given protocol can remain active without any traffic passing through the router. When a timeout is reached, the dynamic ACL entries that were inserted to permit the returning traffic are removed, and subsequent packets (possibly even valid ones) are not permitted.

ip inspect name LOCAL-H323 tftp timeout 180
ip inspect name LOCAL-H323 h323 router-traffic timeout 180

These commands apply the inspection rule and ACL. In this example, the inspection rule LOCAL-H323 is applied to traffic at interface Serial0/3/0.

interface Serial0/3/0
 ip address 11.168.11.2 255.255.255.0
 ip access-group 121 in
 ip access-group 120 out
 ip inspect LOCAL-H323 in
 ip inspect LOCAL-H323 out
 encapsulation frame-relay
 frame-relay map ip 11.168.11.1 168 broadcast
 no frame-relay inverse-arp
 frame-relay intf-type dce
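A configuration like the one above, and the Configuring CBAC procedure that produces it, fails quietly when an interface applies a rule or ACL that was never defined, when the h323 clause lacks router-traffic, or when a static permit entry opens more than the control port. The following added example (not Cisco's code) audits a saved running-config excerpt for exactly those conditions; SAMPLE_CONFIG is constructed from the example above.

```python
"""Audit a CBAC configuration for router-generated H.323 inspection (added
example, not from the Cisco document). Flags an interface applying a rule or
ACL that is never defined, an h323 clause without router-traffic, and a permit
entry opening more than the H.323 control port. SAMPLE_CONFIG is constructed."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list 120 permit tcp host 100.168.11.1 any eq 1720
access-list 121 permit tcp host 192.168.11.50 host 100.168.11.1 eq 1720
access-list 121 permit tcp host 192.168.100.1 host 100.168.11.1 eq 1720
ip inspect name LOCAL-H323 tftp timeout 180
ip inspect name LOCAL-H323 h323 router-traffic timeout 180
interface Serial0/3/0
 ip access-group 121 in
 ip access-group 120 out
 ip inspect LOCAL-H323 in
 ip inspect LOCAL-H323 out
"""

def parse_config(text):
    """Split the excerpt into ACL entries, inspection-rule clauses and interface bindings."""
    acls, rules, interfaces, current = defaultdict(list), defaultdict(list), {}, None
    for line in text.splitlines():
        if m := re.match(r"access-list (\d+) (.+)", line):
            acls[m[1]].append(m[2])
        elif m := re.match(r"ip inspect name (\S+) (.+)", line):
            rules[m[1]].append(m[2])
        elif m := re.match(r"interface (\S+)", line):
            current = interfaces.setdefault(m[1], {"acl": {}, "inspect": []})
        elif current is not None and line.startswith(" "):
            if m := re.match(r" ip access-group (\d+) (in|out)", line):
                current["acl"][m[2]] = m[1]            # direction -> ACL number
            elif m := re.match(r" ip inspect (\S+) (in|out)", line):
                current["inspect"].append((m[1], m[2]))
        else:
            current = None                             # left interface mode
    return acls, rules, interfaces

def audit(text, control_port="1720"):
    """Return findings; an empty list means every check passed."""
    acls, rules, interfaces = parse_config(text)
    findings = []
    for name, clauses in rules.items():
        for words in (c.split() for c in clauses):
            if words[0] == "h323" and "router-traffic" not in words:
                findings.append(f"rule {name}: h323 inspected without router-traffic")
    for ifname, cfg in interfaces.items():
        for rule, direction in cfg["inspect"]:
            if rule not in rules:
                findings.append(f"{ifname}: ip inspect {rule} {direction} names an undefined rule")
        for direction, acl in cfg["acl"].items():
            if acl not in acls:
                findings.append(f"{ifname}: access-group {acl} {direction} names an undefined ACL")
                continue
            for ace in acls[acl]:                      # only the control channel should be static
                if ace.startswith("permit") and f"eq {control_port}" not in ace:
                    findings.append(f"{ifname}: ACL {acl} {direction} permits beyond port {control_port}: {ace}")
    return findings
```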

Additional References

The following sections provide references related to Inspection of Router-Generated Traffic.

Related Documents

Related Topic    Document Title
CBAC             Cisco IOS Security Command Reference
                 Configuring Context-Based Access Control
H.323            Cisco IOS H.323 Configuration Guide


Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs


RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content: http://www.cisco.com/public/support/tac/home.shtml


Command Reference

The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.

ip inspect name

Glossary

CBAC—Context-Based Access Control. Scrutinizes source and destination addresses to enhance security for TCP and UDP applications that use well-known ports, such as FTP and e-mail traffic.

firewall—One or more router or access servers designated as a buffer between any connected public networks and a private network. A firewall router uses access lists and other methods to ensure the security of the private network.

FTP—File Transfer Protocol. An application protocol, part of the TCP/IP protocol stack, for transferring files between network nodes.

H.323—A multimedia conferencing protocol that includes voice, video, and data conferencing for use over packet-switched networks. H.323 allows dissimilar communication devices to communicate with each other by using a standardized communication protocol.

IMAP—Internet Message Access Protocol. A method of accessing e-mail or bulletin board messages kept on a mail server that can be shared. IMAP permits client e-mail applications to access remote message stores as if they were local without actually transferring the message.

IP—Internet Protocol. Connectionless protocol at the network layer (Layer 3) of the OSI reference model. Provides features for addressing, type-of-service specification, fragmentation and reassembly, and security. IP works with TCP and is usually identified as TCP/IP.

POP—Post Office Protocol. A protocol that client e-mail applications use to retrieve mail from a mail server.

SMTP—Simple Mail Transfer Protocol. A simple ASCII protocol that describes the exchange of e-mail between two message-transfer agents using TCP/IP.

TCP—Transmission Control Protocol. A connection-oriented transport-layer protocol that provides reliable full-duplex data transmissions.

TCP/IP—Transmission Control Protocol/Internet Protocol. Common name for the suite of protocols developed by the U.S. Department of Defense in the 1970s to support the construction of worldwide internetworks. TCP and IP are the two best-known protocols in the suite.

UDP—User Datagram Protocol. A connectionless transport-layer protocol for exchanging datagrams without acknowledgments or guaranteed delivery.

VoIP—Voice over IP. Capability of carrying normal telephony-style voice over an IP network with circuit-based telephone-like functionality, reliability, and voice quality. VoIP generally refers to the Cisco standards-based (H.323 and so forth) approach to IP voice traffic.


Note: Refer to Internetworking Terms and Acronyms for terms not included in this glossary.


Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2009 Cisco Systems, Inc. All rights reserved.