dslreports logo

    All FAQs Site FAQ DSL FAQ Cable Tech About DSL Distance DSL Hurdles »»


how-to block ads

The key of securing network using Cisco IOS is a combination of implementing three factors: ACL (Access List), CBAC (Context Based Access Control), and IDS/IPS (Intrusion Prevention System). Therefore keep in mind that to get the ultimate network security using Cisco IOS, you need to implement all the three and not just one or two factors since those three factors are to complement each other.

There is a little discussion of Reflexive Access List, where was considered a sophisticated IOS-based Firewall until CBAC came along. If you wish, you can just skip the Reflexive Access List discussion and go straight to CBAC discussion; since it is recommended to deploy CBAC instead of the "obsolete" Reflexive Access List.

Note that with the new Zone-Based Firewall features, Cisco IOS configuration looks similar as ASA 5500 firewall. Therefore now you have option to implement Zone-Based Firewall and IDS/IPS features on your router instead of ACL, CBAC, and IDS/IPS.

Please note that some of the features listed may not be supported by your IOS. Ascertain whether your IOS can support the feature that you require or download one from the software upgrade centre at CCO.

Also note that this is NOT meant to be a tutorial on network protection but more of an overview on the most common methods of protection.

1. ACL (Access List)

Access control lists (ACLs) provide basic filtering capabilities. They can be configured for all routed network protocols (IP, AppleTalk, etc.) to filter the packets of those protocols as the packets pass through a router.

ACLs can PREVENT and ALLOW certain traffic from entering or exiting a network. They filter traffic by controlling whether routed packets are forwarded or blocked at the routers interfaces. Your router examines each packet to determine whether to forward or drop the packet, on the basis of the criteria you specified within the ACLs.

Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol (session, presentation or application layer), or other information.

Following FAQ utilizes ACL and basic principles of TCP/IP to create simple but quite effective firewall.

»Cisco Forum FAQ »Basic Internet Firewall for Routers without IOS image Firewall feature

Note that that such firewall is "static" (not flexible) and might not always work in any situation.

Reflexive Access Lists

Reflexive access lists allow IP packets to be filtered based on session information, which is a layer in the OSI model. The session layer establishes, manages, and terminates communication sessions between presentation layer entities. Communication sessions consist of service requests and service responses that occur between applications located in different network devices. The reflexive access lists are able to filter packets on these request and responses.

Reflexive access lists can be used to permit IP traffic for sessions originating from within the local network but to deny IP traffic for sessions that originated outside of the same network. Hence, only if the local network initiated a session or a request, will it be allowed back.

When do I configure a reflexive access list?

Reflexive access lists are normally configured on border routers, which are routers that stand on the boundary between the internal and external network (internet or another internal network). They are also often routers with the firewall feature set.

How does it work?

A reflexive access list is activated when a new session is initiated from inside your network, with a packet traveling to the external network. When triggered, the reflexive access list generates a new, temporary entry, which will permit traffic to enter your network if it is part of the session. If the traffic is not part of the session, it will not be permitted to enter your network.

For example, if an outbound TCP packet is forwarded outside of your network, and this packet is the first packet of a TCP session, then a new, temporary reflexive access list entry will be created. This entry is added to the reflexive access list, which applies to inbound traffic so the firewall will not block the responding packet.

What are the drawbacks of reflexive access lists?

Reflexive access lists do not work with some applications that use port numbers that change during a session. For example, if the port numbers for a return packet are different from the originating packet, the return packet will be denied, even if the packet is actually part of the same session.

The TCP application of FTP is an example of an application with changing port numbers. With reflexive access lists, if you start an FTP request from within your network, the request will not complete. Instead, you must use Passive FTP when originating requests from within your network.

This is where CBAC come to play since the CBAC is considered the more advanced firewall (stateful firewall).

2. CBAC (Context Based Access Control)

What is context based access control?

Context based access control (CBAC), intelligently filters TCP and UDP packets based on application layer and session layer information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC can be used for intranet, extranet, and Internet perimeters of your network.

Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport layer. However, CBAC examines not only network layer and transport layer information but also examines the application-layer protocol information (such as FTP connection information) to learn about the state of the session. This allows support of protocols that involve multiple channels. Most of the multimedia protocols as well as some other protocols (such as FTP, RPC, and SQL*Net) involve multiple channels.

Finding Out Your Internal Private IP Address Even When Behind NAT Box

Following is a nice illustration. When your network is behind a NAT/PAT box, then you think that people in the Internet will never know your internal (private) IP address, correct? Wrong!

By using Java (HTTP application) people in the Internet are still able to detect and find out your internal IP addresses. Such Java program may be implemented by ISP that do not allow you to NAT/PAT your public Internet address without paying additional fee for each additional PC or machine. The Java program may be also deployed by hackers.

Click on this link (and scroll down) to see if this Internet website can reveal your internal private IP address

Using HTTP option in the CBAC, you can block incoming HTTP traffic (including Java) from unknown or untrusted network. Check out the following thread for detail story.

»[HELP] Can't hide internal IP on SOHO 97

How does it work?

CBAC inspects traffic that travels through the firewall from the internal network to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewalls access lists to allow return traffic and additional data connections for permissible sessions.

When do I employ CBAC?

You can use CBAC when your firewall will be restricting passing traffic consisting of:
* Standard TCP and UDP Internet applications
* HTTP-based applications including Instant Messaging (i.e. AOL, Yahoo, and MSN IM)
* Multimedia applications
* Oracle support

Please note with the new 12.4 IOS train, more applications are supported. Following is a list that supported under 12.4 IOS train.

802-11-iapp IEEE 802.11 WLANs WG IAPP
ace-svr ACE Server/Propagation
aol America-Online
appfw Application Firewall
appleqtc Apple QuickTime
bgp Border Gateway Protocol
bliff Bliff mail notification
bootpc Bootstrap Protocol Client
bootps Bootstrap Protocol Server
cddbp CD Database Protocol
cifs CIFS
cisco-fna Cisco FNATIVE
cisco-net-mgmt cisco-net-mgmt
cisco-svcs cisco license/perf/GDP/X.25/ident svcs
cisco-sys Cisco SYSMAINT
cisco-tdp Cisco TDP
cisco-tna Cisco TNATIVE
citrix Citrix IMA/ADMIN/RTMP
citriximaclient Citrix IMA Client
clp Cisco Line Protocol
creativepartnr Creative Partnr
creativeserver Creative Server
cuseeme CUSeeMe Protocol
daytime Daytime (RFC 867)
dbase dBASE Unix
dbcontrol_agent Oracle dbControl Agent po
ddns-v3 Dynamic DNS Version 3
dhcp-failover DHCP Failover
discard Discard port
dns Domain Name Server
dnsix DNSIX Securit Attribute Token Map
echo Echo port
entrust-svc-handler Entrust KM/Admin Service Handler
entrust-svcs Entrust sps/aaas/aams
esmtp Extended SMTP
exec Remote Process Execution
fcip-port FCIP
finger Finger
fragment IP fragment inspection
ftp File Transfer Protocol
ftps FTP over TLS/SSL
gdoi GDOI
giop Oracle GIOP/SSL
gopher Gopher
gtpv0 GPRS Tunneling Protocol Version 0
gtpv1 GPRS Tunneling Protocol Version 1
h323 H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
h323callsigalt h323 Call Signal Alternate
h323gatestat h323gatestat
hp-alarm-mgr HP Performance data alarm manager
hp-collector HP Performance data collector
hp-managed-node HP Performance data managed node
hsrp Hot Standby Router Protocol
http HTTP Protocol
https Secure Hypertext Transfer Protocol
ica ica (Citrix)
icabrowser icabrowser (Citrix)
icmp ICMP Protocol
ident Authentication Service
igmpv3lite IGMP over UDP for SSM
imap IMAP Protocol
imap3 Interactive Mail Access Protocol 3
imaps IMAP over TLS/SSL
ipass IPASS
ipsec-msft Microsoft IPsec NAT-T
ipx IPX
irc Internet Relay Chat Protocol
irc-serv IRC-SERV
ircs IRC over TLS/SSL
ircu IRCU
isakmp ISAKMP
iscsi iSCSI
iscsi-target iSCSI port
kazaa KAZAA
kerberos Kerberos
kermit kermit
l2tp L2TP/L2F
ldap Lightweight Directory Access Protocol
ldap-admin LDAP admin server port
ldaps LDAP over TLS/SSL
login Remote login
lotusmtap Lotus Mail Tracking Agent Protocol
lotusnote Lotus Note
microsoft-ds Microsoft-DS
ms-cluster-net MS Cluster Net
ms-dotnetster Microsoft .NETster Port
ms-sna Microsoft SNA Server/Base
ms-sql Microsoft SQL
ms-sql-m Microsoft SQL Monitor
msexch-routing Microsoft Exchange Routing
mysql MySQL
n2h2server N2H2 Filter Service Port
ncp-tcp NCP (Novell)
net8-cman Oracle Net8 Cman/Admin
netbios-dgm NETBIOS Datagram Service
netbios-ns NETBIOS Name Service
netbios-ssn NETBIOS Session Service
netshow Microsoft NetShow Protocol
netstat Variant of systat
nfs Network File System
nntp Network News Transport Protocol
ntp Network Time Protocol
oem-agent OEM Agent (Oracle)
oracle Oracle
oracle-em-vp Oracle EM/VP
oraclenames Oracle Names
orasrv Oracle SQL*Net v1/v2
parameter Specify inspection parameters
pcanywheredata pcANYWHEREdata
pcanywherestat pcANYWHEREstat
pop3 POP3 Protocol
pop3s POP3 over TLS/SSL
pptp PPTP
pwdgen Password Generator Protocol
qmtp-tcp Quick Mail Transfer Protocol
r-winsock remote-winsock
radius RADIUS & Accounting
rcmd R commands (r-exec, r-login, r-sh)
rdb-dbs-disp Oracle RDB
realaudio Real Audio Protocol
realsecure ISS Real Secure Console Service Port
router Local Routing Process
rpc Remote Prodedure Call Protocol
rsvd-tcp RSVD
rsvp_tunnel RSVP Tunnel
rtc-pm-port Oracle RTC-PM port
rtelnet Remote Telnet Service
rtsp Real Time Streaming Protocol
send-tcp SEND
shell Remote command
sip SIP Protocol
sip-tls SIP-TLS
skinny Skinny Client Control Protocol
smtp Simple Mail Transfer Protocol
snmp Simple Network Management Protocol
snmptrap SNMP Trap
socks Socks
sqlnet SQL Net Protocol
sqlserv SQL Services
sqlsrv SQL Service
ssh SSH Remote Login Protocol
sshell SSLshell
ssp State Sync Protocol
streamworks StreamWorks Protocol
stun cisco STUN
syslog SysLog Service
syslog-conn Reliable Syslog Service
tacacs Login Host Protocol (TACACS)
tacacs-ds TACACS-Database Service
tarantella Tarantella
tcp Transmission Control Protocol
telnet Telnet
telnets Telnet over TLS/SSL
tftp TFTP Protocol
time Time
timed Time server
tr-rsrb cisco RSRB
ttc Oracle TTC/SSL
udp User Datagram Protocol
vdolive VDOLive Protocol
vqp VQP
webster Network Disctionary
who Whois service
wins Microsoft WINS
x11 X Window System
xdmcp XDM Control Protocol

CBAC can be used to allow the applications traffic through the firewall but only when it is initiated from the protected network.

CBAC is often configured in one direction on a single interface, which will validate the traffic, ensuring it is part of a valid session. This configuration is employed to protect the local network from the Internet.

CBAC can also be used in two directions on one or more interfaces. This method is often employed when networks on both sides of the router needs to be protected. For example, if the firewall is situated between two departments networks, CBAC can restrict the traffic of one departments applications in one direction and restrict traffic in the opposite direction for the other departments applications.

What are the drawbacks of CBAC?

"If you dont ask, you dont get" is the paradigm here. CBAC does not provide intelligent filtering for ALL protocols. It only works for the protocols that you SPECIFY, hence if a protocol is not specified, the ACL will determine its fate.

CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.

If you reconfigure your access lists when you configure CBAC, be aware that if your access lists block TFTP traffic into an interface, you will not be able to netboot over that interface.

Packets with the firewall as the source or destination address are not inspected by CBAC.

CBAC ignores ICMP Unreachable messages. To let specific ICMP traffic to enter, you need to configure the ACL to allow.

H.323 V2 and RTSP protocol inspection supports only the following multimedia client-server applications: Cisco IP/TV, RealNetworks RealAudio G2 Player, Apple QuickTime 4. However with there are more application supported when running 12.4 IOS train as shown previously.

With FTP, CBAC does not allow third-party connections (three-way FTP transfer). Further; when CBAC inspects FTP traffic, it only allows data channels with the destination port in the range of 1024 to 65535. Also, CBAC will not open a data channel if the FTP client-server authentication fails. Therefore when there is a need to have FTP traffic, create ACL to permit such traffic.

CBAC uses less than approximately 600 bytes of memory per connection. There is also a slight amount of additional processing that occurs whenever packets are inspected. Because of the memory and processing usage, you should use CBAC only when your router can handle such work.

Sometimes CBAC must evaluate long access lists, which might have presented a negative impact to performance. However, this impact is avoided, because CBAC evaluates access lists using an accelerated method (CBAC hashes access lists and evaluates the hash).

CBAC does not protect network attacks initiated from within the local network unless the packets travel through the router that employs CBAC for protection. CBAC can only protect against intrusions/attacks that travel through the router.

When you need to protect such network attacks, then you need implement additional security perimeter such as deploy necessary ACL on inside interfaces of the router. Basic logic is that open only necessary ports and protocol; and close others. For the "necessary open" protocol or port guarding, you then need to run IDS/IPS.

What is required for me to undertake reflexive access list and context based access control?

Reflexive access lists can be configured on most IOS feature sets.

CBAC requires the firewall feature set.

3. Zone-Based Firewall

The new Zone-Based Firewall is replacing the previous Stateful IOS-Based Firewall (the CBAC). Zone-Based Firewall is pretty much similar to PIX/ASA OS 7.0 firewall configuration. Check out the following links for details.

Cisco IOS Zone-Based Policy Firewall
Zone-Based Policy Firewall Design and Application Guide
Zone-Based Policy Firewall Design Guide
Cisco IOS Firewall Q&A
Zone-Based Policy Firewall - Introduction and Implementation

4. IDS/IPS (Intrusion Prevention System)

There are prerequisites to properly run Cisco IOS IPS on routers

* Your router IOS version should be at least 12.3(8)T
* Your router IOS feature should be either Advanced Enterprise, Advanced IP Security, or IP Security with IPS
* Your router DRAM is at least 128MB
* There is Signature Detection File (*.sdf) stored in your router, either in flash memory, PCMCIA inside one of the router's slot, Compact Flash, or similar

SDF (Signature Detection File)

* SDF is basically a reference point for router to perform the IPS function
* The IPS functions available are atomic (IP and TCP inspections), service (HTTP, Mail, etc.)
* Detail description on each IPS function is available on the Cisco links below (the SDF and Configuring Cisco IPS)
* You have a choice to either create your own SDF or download from Cisco
* Should you decide to download from Cisco, you need to have proper Smartnet contract
* When you download from Cisco, you can choose either the 128MB.sdf for Basic IPS or the 256MB.sdf for Advanced IPS features
* 128MB.sdf requires at least 128MB DRAM and 256MB.sdf requires at least 256MB DRAM
* In case your router is 870, 1800, 2800, 3800, or other current router models, there should be the 128MB.sdf already stored on the router's flash memory


* Make sure that the router CPU and memory can handle the workload
* As illustration, 2610XM router with 256MB DRAM and 48MB Flash can jump from 0-1% normal CPU utilization to 99% CPU utilization when running Advanced 256MB.sdf
* For small network environment, the minimal router should be 1841 or similar to properly run Cisco IOS IPS
* You can check out the following FAQ to verify your router CPU power
»Cisco Forum FAQ »Cisco Equipment Performance (per pps and Mbps)

Sample Configuration

ip ips sdf location flash:256MB.sdf
ip ips name MYIPS
interface GigabitEthernet0/1
ip address
ip ips MYIPS in
duplex full
speed 100
media-type rj45
no negotiation auto

* There is 256MB.sdf on the router flash memory
* The IPS will investigate incoming traffic under such router interface

Check out the following link for more info

1. General Info
Cisco IOS IPS Supported Signature List in 5.x Signature Format

2. SDF and Configuring Cisco IPS
Cisco IOS IPS Configuration Guide


1. CBAC Combination Configuration
»Cisco Forum FAQ »Sample IOS Firewall (CBAC) router configuration
»Cisco Forum FAQ »Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router

2. Official Cisco IOS IDS/IPS Deployment Guide
Cisco IOS IPS Signature Deployment Guide

3. IDS/IPS Configuration in Action
Configuring Cisco IOS IPS Using Cisco SDM and CLI

4. More IOS Firewall Sample Configuration
Configuration Examples and TechNotes

5. Official Cisco IOS Firewall Design Guide and Sample Implementation
Cisco IOS Firewall Design Guide

6. Zone-Based Firewall Sample Configuration
»Cisco Forum FAQ »Zone-Based Firewall Sample Configuration

This FAQ brought to you by: LoneBandit & Rhodium_uk


The above is a summary of Reflexive Access Lists and CBAC. For more information on the capabilities, limitations and syntax of the commands, please consult the CCO.

The authors do not hold any responsibility for any decisions or actions that may arise from this FAQ.

This document is not endorsed by CISCO.

Expand got feedback?

by Covenant See Profile edited by aryoba See Profile
last modified: 2009-01-21 08:51:14