
Quick Practice Lab: Configure CBAC

April 5th, 2010

This quick lab demonstrates how CBAC is configured and applied to interfaces.

“Gateway” is configured with an ACL on the outside interface that denies all traffic entering the network from outside. To allow internal machines to ping and telnet to the external network, “ip inspect” commands have been configured so that the return traffic of icmp, telnet, and tcp sessions initiated from the inside is permitted back through that ACL.

Testing CBAC:

  1. Ping 10.10.11.1 from External. The ping should fail since the ACL denies it.
  2. Ping 10.20.1.1 from Internal. The ping should succeed because CBAC is configured.
  3. Telnet to 10.20.1.1 from Internal. The telnet should succeed because CBAC is configured.

CBAC - Practice Lab

Configuration on “Gateway”:

hostname Gateway
!
username cisco password 0 cisco
!
ip ssh version 1
!
ip inspect audit-trail
ip inspect name testcbac telnet
ip inspect name testcbac tcp
ip inspect name testcbac icmp
!
interface FastEthernet0/0
ip address 10.10.11.2 255.255.255.0
ip inspect testcbac in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.20.1.2 255.255.255.0
ip access-group cbac_acl in
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 10.10.11.0 255.255.255.0 10.10.11.1
ip route 20.20.1.0 255.255.255.0 20.20.1.1
!
ip access-list extended cbac_acl
deny ip any any
!
line con 0
line vty 0 4
password cisco
login
!
end

Success Criteria:

Gateway#sh ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec — tcp finwait-time is 5 sec
tcp idle-time is 3600 sec — udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name testcbac
telnet alert is on audit-trail is on timeout 3600
tcp alert is on audit-trail is on timeout 3600
icmp alert is on audit-trail is on timeout 10

Interface Configuration
Interface FastEthernet0/0
Inbound inspection rule is testcbac
telnet alert is on audit-trail is on timeout 3600
tcp alert is on audit-trail is on timeout 3600
icmp alert is on audit-trail is on timeout 10
Outgoing inspection rule is not set
Inbound access list is not set
Outgoing access list is not set

Gateway#
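As an added illustration (not Cisco code and not part of the original lab), the following Python model shows the stateful behaviour the lab relies on: packets arriving on the inside interface are inspected and recorded, and only the reverse of a recorded session is let back in past the deny-all ACL on the outside interface. The addresses, interface roles and idle timeouts come from the Gateway configuration and the `sh ip inspect all` output above; the class and function names are assumptions, and ICMP replies are matched on addresses only, which is a simplification of real CBAC.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.10.11."                                  # hosts behind Fa0/0
IDLE_TIMEOUT = {"telnet": 3600, "tcp": 3600, "icmp": 10}   # seconds, from the inspection rule

@dataclass(frozen=True)
class Packet:
    src: str; dst: str; proto: str; sport: int = 0; dport: int = 0

class CbacGateway:
    """Fa0/1 (outside) has 'deny ip any any' inbound; only return traffic of a
    session learned by 'ip inspect testcbac in' on Fa0/0 can get through it."""

    def __init__(self):
        self.sessions = {}   # (src, dst, proto, sport, dport, rule) -> expiry time

    def forward(self, p, now=0):
        # Age out idle sessions before anything else
        self.sessions = {k: exp for k, exp in self.sessions.items() if exp > now}
        if p.src.startswith(INTERNAL_NET):
            # Inbound on Fa0/0: no ACL; inspection records the outbound session.
            # 'inspect name testcbac telnet' matches TCP/23, other TCP falls to 'tcp'.
            rule = "telnet" if (p.proto, p.dport) == ("tcp", 23) else p.proto
            if rule in IDLE_TIMEOUT:
                self.sessions[(p.src, p.dst, p.proto, p.sport, p.dport, rule)] = now + IDLE_TIMEOUT[rule]
            return "permit"
        # Inbound on Fa0/1: permitted only as the reverse of a known session
        for key in self.sessions:
            src, dst, proto, sport, dport, rule = key
            if (dst, src, proto, dport, sport) == (p.src, p.dst, p.proto, p.sport, p.dport):
                self.sessions[key] = now + IDLE_TIMEOUT[rule]   # refresh the idle timer
                return "permit (CBAC session)"
        return "deny (cbac_acl)"

def run_lab_tests():
    """The three lab tests plus the ICMP idle-timeout edge case; returns a dict."""
    gw = CbacGateway()
    r = {}
    # 1. Unsolicited ping from External is stopped by the ACL
    r["ext_ping"] = gw.forward(Packet("10.20.1.1", "10.10.11.1", "icmp"), now=0)
    # 2. Ping from Internal: the echo request opens a session, the reply rides it back
    gw.forward(Packet("10.10.11.1", "10.20.1.1", "icmp"), now=0)
    r["int_ping_reply"] = gw.forward(Packet("10.20.1.1", "10.10.11.1", "icmp"), now=1)
    # 3. Telnet from Internal: SYN out, SYN/ACK back through the deny-all ACL
    gw.forward(Packet("10.10.11.1", "10.20.1.1", "tcp", 40000, 23), now=2)
    r["int_telnet_synack"] = gw.forward(Packet("10.20.1.1", "10.10.11.1", "tcp", 23, 40000), now=3)
    # Edge case: icmp timeout is 10 s, so a reply arriving later is denied again
    r["late_icmp_reply"] = gw.forward(Packet("10.20.1.1", "10.10.11.1", "icmp"), now=20)
    return r
```

The last case is the one the lab does not test: once the 10-second icmp idle timer expires, the opening closes and the outside ACL applies again.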
