Wednesday, January 26, 2005

CBAC and NAT on a Cisco Router

I was teaching a lab on Context Based Access Control on a Cisco 2600 and experimented with using NAT and CBAC together. Here are some very interesting facts concerning CBAC:

1) No matter which interface the ip inspect rule is applied to, the temporary access control list entry that allows the return traffic back into the router (based on the protocol being inspected) is applied to every ACL the traffic will encounter on its way back to the source. I.e., if ip inspect FWRULE in is applied to the inside interface, and there is an ACL applied outbound on the inside interface and another inbound on the outside interface, then a temporary ACL entry will be added to both lists.

2) If you are using NAT and you are inspecting traffic inbound on the internal interface, and you have an inbound ACL on the external interface, then CBAC is smart enough to add the temporary ACL entry to the inbound ACL using the inside global address. I must say I'm quite impressed.
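As an added example (not configuration from the original post), here is an IOS configuration that sets up the scenario described in points 1 and 2: inspection applied inbound on the inside interface, an ACL outbound on the inside interface, an ACL inbound on the outside interface, and NAT overload to the outside address. The interface names, addresses and ACL names are assumptions; FWRULE is the inspect rule name used in the post.

```cisco
! Added example, not from the original post. Interface names, addressing
! and ACL names are assumptions; FWRULE is the rule name used in the post.
!
! Inspect TCP and UDP sessions leaving the inside network.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
!
! Inside hosts (constructed addressing) that are translated on the way out.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! Outbound ACL on the inside interface (the list from point 1). Nothing is
! permitted statically; return traffic relies on the temporary CBAC entries.
ip access-list extended INSIDE_OUT
 deny   ip any any log
!
! Inbound ACL on the outside interface. No unsolicited traffic is allowed;
! CBAC adds temporary entries here using the inside global address
! (the FastEthernet0/1 address), because NAT is in the path (point 2).
ip access-list extended OUTSIDE_IN
 deny   ip any any log
!
interface FastEthernet0/0
 description inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect FWRULE in
 ip access-group INSIDE_OUT out
!
interface FastEthernet0/1
 description outside
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE_IN in
```

After an inside host opens a TCP session outwards, show ip inspect sessions lists the session and show ip access-lists shows the temporary permit entries in both INSIDE_OUT and OUTSIDE_IN, with the OUTSIDE_IN entry carrying the inside global address as point 2 describes.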
