<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Techinvasion.net &#187; ip inspect</title>
	<atom:link href="http://www.techinvasion.net/tag/ip-inspect/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.techinvasion.net</link>
	<description></description>
	<lastBuildDate>Tue, 13 Jul 2010 15:44:15 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Content Based Access Control &#8220;CBAC&#8221;</title>
		<link>http://www.techinvasion.net/2008/10/21/content-based-access-control-cbac/</link>
		<comments>http://www.techinvasion.net/2008/10/21/content-based-access-control-cbac/#comments</comments>
		<pubDate>Tue, 21 Oct 2008 14:56:28 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[cbac]]></category>
		<category><![CDATA[content based access control]]></category>
		<category><![CDATA[firewall ios]]></category>
		<category><![CDATA[ip inspect]]></category>
		<category><![CDATA[stateful]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=77</guid>
		<description><![CDATA[In the beginning God created heaven and earth, and then he created routers, so packets could flow from one part of the earth to the other. As he rested he looked down on his creation and smiled for all was good. Packets were flowing from one interface to another. Then as he beheld his creation [...]]]></description>
			<content:encoded><![CDATA[<p>In the beginning God created heaven and earth, and then he created routers, so packets could flow from one part of the earth to the other. As he rested he looked down on his creation and smiled, for all was good. Packets were flowing from one interface to another. Then as he beheld his creation he watched as some bad packets decided to flow where they didn&#8217;t belong! So God created access-lists and again everything was as it should be: packets only flowed to areas where they belonged. After some time naughty packets found out that they could sneak by God&#8217;s great protectors of the network by setting the ACK bit in their headers.</p>
<p><span id="more-77"></span></p>
<p>The access-list thought that these packets were part of an ongoing conversation and allowed them to sneak past. To fix this problem God shook heaven and earth and created reflexive access-lists. With these new and improved protectors of God&#8217;s interfaces, packets were only allowed through if they matched a rule created for traffic flowing in the other direction. With this new method, return packets would only be allowed through if they matched a dynamic rule created by the original outgoing packet. God sat back and looked at his creation and all was as it should be. Then one day applications were created that used dynamic ports for return traffic. For instance, a person connects to a server on port 80, and the server responds with a packet on a random port between 45000 and 62000. Since the return packets did not match the originating packets, the return packets would be dropped.</p>
<p>To fix this new problem God created CBAC, or Content Based Access Control. With this new, enhanced type of security found in the Firewall Feature Set, traffic is inspected at layer 4 on the way out, and a dynamic access-list entry is created inbound on the interface to allow the traffic to return. Since CBAC inspects traffic at a higher level of the OSI model, it can understand protocols that use dynamic port assignment, and it can glean useful information from upper-layer protocols that helps it make intelligent stateful firewalling decisions, improving security while reducing false positives. You can see how over the years the security that we use has become ever more sophisticated to combat the ever-cleverer internet hacker.</p>
<p>Below I will show you how to use CBAC on your router. Keep in mind that CBAC is part of the Firewall Feature Set, so it may require additional licensing if your organization has to upgrade the IOS. ip inspect is configured in two areas. The first thing you have to do is create an inspection rule and define which higher-layer protocols you want to inspect. The next thing you have to do is apply the rule in the outbound direction on the interface you want to protect. You must also have an access-list applied in the inbound direction; the access-list can be empty. When configuring the inspection rule you can choose from a number of protocols to look at. For ip inspect to work, and to fix the issue with reflexive access-lists, you only have to inspect layer 4 protocols such as tcp and udp. However, CBAC supports many higher-level protocols such as http, SMTP, RealAudio, and other session- and presentation-layer protocols.</p>
<p>Here is a config that shows some of the many possible protocols that can be inspected with CBAC. I have listed the two main ones at the top. Another tip: if you have SIP phones with private NAT&#8217;d addresses behind this router and you want them to connect outside, you need the ip inspect sip command so that SIP is translated properly through NAT.</p>
<pre class="prettyprint">!
ip inspect name cbac-example tcp
ip inspect name cbac-example udp
ip inspect name cbac-example vdolive
ip inspect name cbac-example smtp
ip inspect name cbac-example http
ip inspect name cbac-example rtsp
ip inspect name cbac-example sip
ip inspect name cbac-example skinny
ip inspect name cbac-example tftp
ip inspect name cbac-example ftp
ip audit po max-events 100
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip access-group from_internet in
 ip inspect cbac-example out
 duplex auto
 speed auto
!</pre>
<p><a href="http://packetlife.net/blog/2009/jun/01/access-list-syslog-correlation/">Here is a related article on ACL&#8217;s.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/10/21/content-based-access-control-cbac/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Introduction to access-lists part 2</title>
		<link>http://www.techinvasion.net/2008/10/16/introduction-to-access-lists-part-2/</link>
		<comments>http://www.techinvasion.net/2008/10/16/introduction-to-access-lists-part-2/#comments</comments>
		<pubDate>Thu, 16 Oct 2008 17:47:21 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[ack]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[cbac]]></category>
		<category><![CDATA[established]]></category>
		<category><![CDATA[ip inspect]]></category>
		<category><![CDATA[reflexive]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=65</guid>
		<description><![CDATA[In the second installment of our guide to access-lists we are going to talk a little about named access-lists, how they work, what the benefits are, and how using them allows us to create reflexive access-lists. Named access-lists are exactly what they sound like, they are an extended access-list that has a name instead of [...]]]></description>
			<content:encoded><![CDATA[<p>In the second installment of our guide to access-lists we are going to talk a little about named access-lists: how they work, what the benefits are, and how using them allows us to create reflexive access-lists. Named access-lists are exactly what they sound like: they are an extended access-list that has a name instead of a number. One of the nice features of named access-lists is that each line of the access-list has a sequence number. This way you can delete just one line of an access-list without removing the whole access-list. You can create a named access-list by using the following command.</p>
<p><span id="more-65"></span></p>
<pre class="prettyprint">
#ip access-list extended (name goes here)
</pre>
<p>The neat thing about named access-lists is that when you do a show access-list command you see sequence numbers next to the lines in the ACL. This allows you to add or remove individual lines without deleting the whole access-list.</p>
<pre class="prettyprint">
test#sh ip access-list

extended ip access-list example
	10 permit ip any any
	20 deny tcp any any eq 80
	30 permit udp any any eq 53
</pre>
<p>Reflexive access-lists allow you to filter connections based on session. Reflexive ACL&#8217;s are part of the IP Plus feature set and were the first attempt to create a stateful inspection firewall on routers. Before the invention of reflexive access-lists, the only way we had to allow stateful return traffic from the internet was by using the established keyword. The problem with the established keyword is that the router only checks for the ACK bit on the packets. The ACK bit is set on packets once the 3-way handshake has been completed. The problem with this is that it does not do anything for udp packets, since those connections are stateless, and it is very easy for hackers to set the ACK bit. To get around this problem Cisco invented the reflexive access-list.</p>
<pre class="prettyprint">
permit tcp any any eq 80 established
</pre>
<p>Reflexive access-lists are very easy. I have added the code for the access-list below. Basically, reflexive access-lists are made up of two parts. The first part is the access-list that filters outbound traffic. This access-list is made up of statements that allow outbound traffic; the key part here is the reflect statement. What this means is that you want to reflect that packet into another access-list.</p>
<p>In my example below I reflected the statements into an access-list called dynamic. Then I created two access-lists. I created an inbound access-list to allow static inbound traffic to my webserver. I created an outbound access-list to allow traffic from my LAN to the internet. I told my inbound access-list to check the reflexive entries before blocking traffic using the evaluate command. This is all there is to it. With these simple commands you can configure a stateful firewall to protect your network from harm. As good as this is, though, it isn&#8217;t perfect. It doesn&#8217;t work for applications which use dynamic port numbers for return traffic. To solve this problem Cisco added layer 4 inspection and refined reflexive access-lists in what they call Content Based Access Control, or CBAC. However, CBAC is part of the IOS firewall feature set and is a topic for another time.</p>
<pre class="prettyprint">
interface FastEthernet0/0
 description WAN Interface
 ip address 192.168.0.1 255.255.255.0
 ip access-group internet_in in
 ip access-group lan_out out
 duplex auto
 speed auto
!
!
ip access-list extended internet_in
 remark Internet---->lan traffic
 permit tcp any any eq 80
 permit tcp any any eq 443
 evaluate dynamic
!
!
ip access-list extended lan_out
 remark inside----->internet traffic
 permit tcp any any eq www reflect dynamic
 permit tcp any any eq 443 reflect dynamic
 permit tcp any any eq 22 reflect dynamic
 permit tcp any any eq ftp reflect dynamic
 permit tcp any any eq telnet reflect dynamic
 permit tcp any any eq pop3 reflect dynamic
 permit tcp any any eq nntp reflect dynamic
 permit tcp any any eq smtp reflect dynamic
!
!
</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/10/16/introduction-to-access-lists-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
