Inspection of Router-Generated Traffic
Last Updated: March 22, 2012
The Inspection of Router-Generated Traffic feature allows Context-Based Access Control (CBAC) to inspect traffic that is originated by or destined to the router on which CBAC is configured. Previously, TCP, UDP, and H.323 connections initiated by or destined to the router were not inspected; CBAC handled only sessions passing through the router, so return traffic and dynamically negotiated channels for the router's own sessions had to be permitted with static ACL entries.
Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Inspection of Router-Generated Traffic
Restrictions for Inspection of Router-Generated Traffic
voice service voip
 h323
  session transport tcp calls-per-connection 1
  h245 tunnel disable
  h245 caps mode restricted
  h225 timeout tcp call-idle value 0

Information About Inspection of Router-Generated Traffic

CBAC

CBAC is a Cisco IOS Firewall feature set feature that provides network protection by using the following functions:

Traffic Filtering
CBAC filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC can be used for intranet, extranet, and Internet perimeters of your network.

Traffic Inspection
CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

Alerts and Audit Trails
CBAC generates real-time alerts and audit trails. Enhanced audit trail features use SYSLOG to track all network transactions; they record time stamps, the source host, the destination host, the ports used, and the total number of transmitted bytes, for advanced, session-based reporting. Real-time alerts send SYSLOG error messages to central management consoles upon detecting suspicious activity. Using CBAC inspection rules, you can configure alerts and audit trail information on a per-application-protocol basis. For example, if you want to generate audit trail information for HTTP traffic, you can specify that in the CBAC rule covering HTTP inspection.

Intrusion Detection
CBAC provides a limited amount of intrusion detection to protect against specific Simple Mail Transfer Protocol (SMTP) attacks. With intrusion detection, SYSLOG messages are reviewed and monitored for specific "attack signatures." Certain types of network attacks have specific characteristics, or signatures. When CBAC detects an attack, it resets the offending connections and sends SYSLOG information to the SYSLOG server.

Inspection of Router-Generated Traffic Overview

Inspection of Router-Generated Traffic extends CBAC to inspect TCP, UDP, and H.323 connections that have the router or firewall itself as one of the connection endpoints. CBAC can then open pinholes for TCP, UDP, and H.323 control-channel connections to and from the router, and for the data and media channels negotiated over those H.323 control channels.

Inspection of TCP and UDP connections initiated from the router dynamically opens pinholes in the interface access control list (ACL) for the return traffic, so you no longer have to modify the ACL when a TCP connection such as Telnet is made from the router.

Inspection of local H.323 connections allows Cisco CallManager Express (CCME), an H.323 gateway, and the Cisco IOS Firewall to be deployed on the same router, and it simplifies the ACL on the CCME interface through which H.323 connections are made. Before this feature, in addition to configuring ACLs to allow H.323 connections on the standard port (port 1720), you had to configure ACLs to allow all dynamically negotiated data and media channels. With this feature you configure the ACLs to allow only the H.323 control channels on port 1720. The Cisco IOS Firewall inspects all the traffic on the control channel and opens pinholes for the dynamically negotiated data and media channels as each call sets them up; the pinholes are removed again when the inspection timeout for the session expires.

To enable Inspection of Router-Generated Traffic, specify the router-traffic keyword in the ip inspect name command for the appropriate protocol. The rule then inspects both traffic to and from the router and traffic passing through the router.

How to Configure Inspection of Router-Generated Traffic

Configuring H.323 Inspection
SUMMARY STEPS
DETAILED STEPS

Configuring CBAC
SUMMARY STEPS
DETAILED STEPS

Verifying the CBAC Configuration
SUMMARY STEPS
DETAILED STEPS
Configuration Examples for Inspection of Router-Generated Traffic

Example: Configuring CBAC with Inspection of H.323 Traffic

These commands create the ACLs. ACL 120 permits TCP from host 100.168.11.1 to any destination on port 1720 (the H.225 call-signalling port); ACL 121 permits TCP from hosts 192.168.11.50 and 192.168.100.1 to host 100.168.11.1 on port 1720. No entries are needed for the dynamically negotiated H.245 and media channels, because CBAC opens those pinholes from the inspected control channel.

access-list 120 permit tcp host 100.168.11.1 any eq 1720
access-list 121 permit tcp host 192.168.11.50 host 100.168.11.1 eq 1720
access-list 121 permit tcp host 192.168.100.1 host 100.168.11.1 eq 1720

These commands create the CBAC inspection rule LOCAL-H323, allowing inspection of the protocol traffic specified by the rule. The router-traffic keyword on the h323 entry is what lets CBAC inspect calls that terminate on this router. The inspection rule sets the timeout value to 180 seconds for both inspected protocols (TFTP and H.323). The timeout value defines the maximum time that a connection for a given protocol can remain active without any traffic passing through the router. When these timeouts are reached, the dynamic ACL entries that were inserted to permit the returning traffic are removed, and subsequent packets (possibly even valid ones) are not permitted.

ip inspect name LOCAL-H323 tftp timeout 180
ip inspect name LOCAL-H323 h323 router-traffic timeout 180

These commands apply the inspection rule and the ACLs to interface Serial0/3/0: ACL 121 and the inspection rule inbound, ACL 120 and the inspection rule outbound.

interface Serial0/3/0
 ip address 11.168.11.2 255.255.255.0
 ip access-group 121 in
 ip access-group 120 out
 ip inspect LOCAL-H323 in
 ip inspect LOCAL-H323 out
 encapsulation frame-relay
 frame-relay map ip 11.168.11.1 168 broadcast
 no frame-relay inverse-arp
 frame-relay intf-type dce

Additional References

Related Documents

MIBs

Technical Assistance
Feature Information for Inspection of Router-Generated Traffic

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. © 2012 Cisco Systems, Inc. All rights reserved.