General overview of Context-Based Access Control (CBAC).

On Cisco IOS you can enable a stateful firewall (CBAC) and choose which protocols should be inspected. There are general settings such as audit and logging, plus per-protocol settings for each named inspection rule (a timeout, for example). Each named inspection rule has to be applied to an interface with the proper direction (in or out).

ip inspect name CBAC ftp timeout 30
ip inspect name CBAC tcp
!
int gig0/0
 ip inspect CBAC out

There is no implicit deny for non-inspected protocols after the inspection (unlike ZBFW), so to protect your network you have to add an access list with a deny statement in the opposite direction on the same interface. CBAC then dynamically opens temporary holes in that access list for the return traffic of inspected sessions; everything else stays denied:

ip access-list extended OUT
 deny ip any any
!
int gig0/0
 ip access-group OUT in
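The pitfall above (inspection applied, but no blocking ACL in the opposite direction) is easy to miss in a large configuration. The following audit script is an added example, not part of the original post: it parses a constructed IOS-style configuration and flags every interface that runs `ip inspect ... out` without an inbound access list that ends in `deny ip any any`. The interface and ACL names in the sample are assumptions.

```python
import re

# Constructed sample IOS config (not from the original post): Gig0/0 inspects
# outbound but has no inbound ACL, so uninspected inbound traffic is not denied.
SAMPLE_CONFIG = """\
ip inspect name CBAC ftp timeout 30
ip inspect name CBAC tcp
!
ip access-list extended OUT
 deny ip any any
!
interface GigabitEthernet0/0
 ip inspect CBAC out
!
interface GigabitEthernet0/1
 ip inspect CBAC out
 ip access-group OUT in
"""

def parse_config(text):
    """Return (acls, interfaces): ACL name -> entries, interface name -> sub-commands."""
    acls, interfaces = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command starts a new section
            current = None
            m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
            if m:
                current = acls.setdefault(m.group(1), [])
                continue
            m = re.match(r"interface (\S+)", line)
            if m:
                current = interfaces.setdefault(m.group(1), [])
            continue
        if current is not None:               # indented line belongs to the open section
            current.append(line.strip())
    return acls, interfaces

def audit_cbac(text):
    """List (interface, reason) for interfaces inspecting outbound without a blocking inbound ACL."""
    acls, interfaces = parse_config(text)
    findings = []
    for name, lines in interfaces.items():
        if not any(l.startswith("ip inspect ") and l.endswith(" out") for l in lines):
            continue
        acl = next((l.split()[2] for l in lines
                    if l.startswith("ip access-group ") and l.endswith(" in")), None)
        if acl is None:
            findings.append((name, "no inbound ACL: uninspected inbound traffic is not denied"))
        elif not any(e.startswith("deny ip any any") for e in acls.get(acl, [])):
            findings.append((name, f"inbound ACL {acl} has no 'deny ip any any'"))
    return findings
```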