I installed the IOS 12.2 firewall feature set on a Cisco 2514 series access router. At that time, the router was already using extended ACLs to filter traffic entering from the Internet interface. After disconnecting the cables from the external interface, I reviewed and removed the existing ACLs and implemented the following IOS firewall configuration.
One common denominator in configuring ACLs together with CBAC is the need for an inbound access list on the Internet-facing external interface, which protects the private network from harmful traffic arriving from the Internet. This configuration is fairly straightforward for a firewall that allows only return traffic belonging to connections that originated from the internal network: CBAC inspects the outbound sessions and creates temporary openings in the inbound ACL for their replies. To achieve this, I added an extended access list in the inbound direction on the external interface, blocking all the traffic I wanted CBAC to control:
Router(config)# access-list 101 deny tcp any any
Router(config)# access-list 101 deny udp any any
Router(config)# interface serial0
Router(config-if)# ip access-group 101 in
The preceding statements, applied inbound on the external interface, block all TCP and UDP traffic arriving from the Internet. This is the filtering foundation for inspection: every inbound TCP and UDP packet is denied unless CBAC has created a temporary entry permitting it as the return traffic of a session that originated inside. By applying access list 101 inbound on the external interface, you ensure that traffic from the Internet is filtered as soon as it reaches the router. You can also implement more granular control by naming specific application-layer protocols, as in this example:
Router(config)# access-list 101 deny tcp any any eq smtp
This statement blocks all SMTP traffic from the outside to the internal network. In the access list it must be placed before the general TCP deny shown earlier: IOS evaluates an access list top-down and stops at the first match, so an entry placed after a broader entry that already matches the packet is never evaluated. Because the general entry already denies SMTP, the practical value of the explicit entry is an auditable, protocol-specific line with its own hit counter in the output of show access-lists.
Defining Timeouts
The next step is to define the timeouts and maximum values that CBAC uses when tracking connections. Several different values can be set to strengthen CBAC's defence against attacks. In a fresh installation, every timeout and maximum has a default value that is adequate for general requirements. Many of the timeouts and maximums control how the router responds to DoS attacks, for example floods of half-open TCP connections. (I will cover the timeout and maximum values in more depth at another time.)
Remember that CBAC does not inspect ICMP; it inspects only TCP and UDP. Therefore you need to add the corresponding entries to the ACL yourself to permit the ICMP you need and limit the rest, because no inspection-created entry will ever open the inbound path for ICMP. Consider adding ICMP entries to your ACL that allow hosts on the internal network to ping hosts on the Internet and that let the router receive the legitimate ICMP traffic it needs, such as echo replies.
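The pieces described above, assembled into one configuration, as an added example that is not the original article's own config. It assumes Serial0 faces the Internet, that the inspection rule is named CBAC (the article defines its own rule in the next section; a minimal generic TCP/UDP rule is included here only so the configuration is complete), and it spells out the ICMP entries the text mentions but does not list, as well as the IOS 12.2 CBAC default timeouts and maximums:

```cisco
! Added example configuration, not the original article's own.
! Assumptions: Serial0 = external (Internet) interface, inspection rule name "CBAC".
!
! 1. Inbound ACL on the external interface. IOS evaluates entries top-down and
!    stops at the first match, so the specific entries precede the broad ones.
access-list 101 remark --- inbound from the Internet on Serial0 ---
! Application-specific deny first; placed after the general TCP deny it would
! never be evaluated (shadowed).
access-list 101 deny   tcp any any eq smtp
! CBAC in this release cannot inspect ICMP, so the ICMP we need is permitted
! statically: replies to pings from inside, plus the error messages that
! path-MTU discovery and traceroute depend on (assumed set; trim to taste).
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any unreachable
! Block all remaining TCP and UDP. CBAC inserts its temporary permit entries
! for return traffic ahead of these static entries.
access-list 101 deny   tcp any any
access-list 101 deny   udp any any
! (the implicit "deny ip any any" ends the list)
!
! 2. Timeouts and maximums. These are the IOS 12.2 CBAC defaults, written out
!    here for documentation. IOS does not display default values in the running
!    config; verify the effective values with "show ip inspect config".
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! 3. Minimal generic inspection rule (assumption; the article's own rule follows
!    in the next section and would replace this one).
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
! 4. Apply: the ACL inbound on the external interface, the inspection rule
!    outbound on the same interface so sessions leaving toward the Internet are
!    tracked and their return traffic is let back in.
interface Serial0
 ip access-group 101 in
 ip inspect CBAC out
```

After loading this, check the inspection state with show ip inspect config (timeouts and maximums) and show ip inspect sessions (open sessions and the temporary openings created), and confirm with show access-lists 101 that the SMTP entry is accumulating its own hit count rather than being shadowed by the general TCP deny.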
So far, we have seen how to configure the extended access list entries and apply them as the inbound rule set on the external interface. The ACL blocks all traffic at the entry point, and CBAC then inspects outbound sessions and opens the inbound path for their return traffic. I used the default timeout and maximum settings and made no changes to them. I recommend that you start with the defaults and then adjust them to your needs. If you do not know what effect changing these settings will have on the operation of the firewall, changing them rashly is not a good idea. Next, I defined the actual inspection rule that determines which application-layer protocols are inspected. Let's look at the command structure for the inspection rule.