Example 5-1 shows sample session state table information, and Example 5-2 shows the dynamic ACL entry that corresponds to the information in this state table.
Example 5-1. Connection Information in the State Table
Router# show ip inspect session
Established Sessions
Session 25A4E53 (10.1.1.1:11006)=>(20.1.1.1:23) tcp SIS_OPEN
UDP Connections
UDP is a connectionless transport-layer protocol; hence, there is no connection state available to track the flow of a UDP exchange. CBAC deals with UDP sessions by examining the information in each packet and determining whether it resembles a UDP packet that exited through the firewall earlier. Returning UDP packets are accepted only within the idle timeout period and only if their source/destination IP addresses and port numbers correspond to that earlier outbound packet.
Dynamic ACL Entries
As discussed earlier, CBAC uses the connection information from the session table to open dynamic holes in the firewall access list for the returning traffic (which would otherwise be blocked). CBAC dynamically adds and removes access list entries at the firewall interfaces. These temporary openings are created in accordance with the state table for all inspected traffic that originates from an internal (protected) network outbound toward the unprotected zone through the firewall.
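The two mechanisms described above, the session table (including the pseudo-session that CBAC keeps for UDP) and the temporary reverse-direction openings derived from it, can be modelled in a few dozen lines. The following Python is an added illustration written for this section, not Cisco code and not the IOS implementation: the session-table rendering mimics the shape of Example 5-1, the `permit ... host ... eq ...` string is a hypothetical rendering of a dynamic ACL entry, the timeout values are constructed, and the packets fed through it are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet seen at the firewall interface (constructed sample data)."""
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float    # arrival time in seconds on a constructed clock


@dataclass
class Session:
    """A session-table row, keyed by the outbound 5-tuple."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    last_seen: float

    @property
    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def acl_entry(self) -> str:
        # Hypothetical rendering of the temporary opening: it permits only the
        # reverse direction, pinned to both addresses and both ports, so a
        # returning packet must match the outbound flow exactly.
        return (f"permit {self.proto} host {self.dst} eq {self.dport} "
                f"host {self.src} eq {self.sport}")


class StatefulInspector:
    """Simplified model of CBAC-style inspection (added example, not IOS)."""

    def __init__(self, udp_idle_timeout: float = 30.0, tcp_idle_timeout: float = 3600.0):
        # Assumed timeouts; real deployments tune these per protocol.
        self.udp_idle_timeout = udp_idle_timeout
        self.tcp_idle_timeout = tcp_idle_timeout
        self.sessions = {}   # outbound 5-tuple -> Session

    def outbound(self, pkt: Packet) -> str:
        """Record an inspected outbound packet and return the opening it creates."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        s = self.sessions.get(key)
        if s is None:
            s = Session(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.ts)
            self.sessions[key] = s
        s.last_seen = pkt.ts          # any outbound traffic refreshes the idle timer
        return s.acl_entry()

    def _expire(self, now: float) -> None:
        # Idle sessions are removed, which also removes their dynamic ACL entry.
        for key, s in list(self.sessions.items()):
            limit = self.udp_idle_timeout if s.proto == "udp" else self.tcp_idle_timeout
            if now - s.last_seen > limit:
                del self.sessions[key]

    def inbound_allowed(self, pkt: Packet) -> bool:
        """True only if the packet is the reverse of a live session-table row."""
        self._expire(pkt.ts)
        reverse_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        s = self.sessions.get(reverse_key)
        if s is None:
            return False              # no hole was opened for this 5-tuple
        s.last_seen = pkt.ts
        return True

    def dynamic_acl(self) -> list:
        """Current temporary openings, one per live session."""
        return [s.acl_entry() for s in self.sessions.values()]

    def show_sessions(self) -> list:
        """Session-table view, shaped like the row in Example 5-1 (no session ID)."""
        return [f"({s.src}:{s.sport})=>({s.dst}:{s.dport}) {s.proto}"
                for s in self.sessions.values()]


if __name__ == "__main__":
    fw = StatefulInspector(udp_idle_timeout=30.0)
    print(fw.outbound(Packet("tcp", "10.1.1.1", 11006, "20.1.1.1", 23, 0.0)))
    print(fw.outbound(Packet("udp", "10.1.1.1", 5000, "20.1.1.1", 53, 10.0)))
    print(fw.show_sessions())
    # A UDP reply after the idle timeout is dropped and its opening disappears.
    print(fw.inbound_allowed(Packet("udp", "20.1.1.1", 53, "10.1.1.1", 5000, 100.0)))
    print(fw.dynamic_acl())
```

The UDP path is the instructive part: there is no handshake to anchor on, so the only evidence that a returning datagram belongs to an earlier outbound one is the matching address/port pair and the fact that the idle timer has not expired. A reply from the right host but a different port, or the right 5-tuple arriving after the timeout, finds no row and is treated like any unsolicited inbound packet.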