Cisco: Use CBAC to achieve firewall functionality on router device

Sometimes, because of cost saving usually, the network engineers are forced to use a Cisco router as a firewall (instead of Cisco PIX or ASA). One of the big difference between router and firewall devices is that the ports have different characteristics. If on routers, ports are permitting by default traffic of any packets in and out, on the firewall devices, any packets are denied, if not explicit permitted.Also firewalls look at ports as Inbound at Outbound while for routers this has no meaning.

Anyway I don’t want to discuss here the differences between firewalls are routers, but to show you an example of how to achive firewall functionality by using Control-based Access Control (CBAC). CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. (In other words, CBAC can inspect traffic for sessions that originate from the external network).CBAC inspects traffic and manage state information for TCP or UDP sessions, which allow it to create temporary openings in the access-lists, to allow returning traffic. Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport layer.

The above explanation is a very technical one. Please have a look at the topology, to understand better what I’m explaining here and also to understand the example below. I will use telnet protocol in this tutorial. From the topology, imagine that you allow on the LAN interface of R2 (Fa0/0) telnet traffic to R3 and nothing else. Also to protect your environment on R2 WAN interface S1/0 you drop and inbound connection by using “deny ip any any” in an access-list. Good you are protected now. But what about the telnet connection? It will no work! Why? It is obivious that if the packet leaving from LAN on port 23 is allowed, the response from R3 is automatically dropped on S1/0 of R2 because of the deny anything access-list. By configuring “ip inspect” you enable CBAC which will keep track your session, so when you will open a telnet connection toR3, the return connection on random port (xxxxx) will be automatically opened by CBAC, despite the deny all access-list configured. In this way you are protected from outside (access is deny) but still able to use the connections you defined (open certain ports for certain session by CBAC).

So, to achieve firewall functionality on a router you have to follow some simple steps:
– use access list to deny any traffic on router’s ports (like firewall behavior)
– open in access-list traffic that you want to establish (remember that this line has to be above the deny line in ACL)
– enable ip inspect rules to open the connection back port

Please have a look into the example below for a better understanding:

Context-based Access Control