Implementing Firewall Technologies

As networks expanded and began handling sensitive business and personal data, the demand for stronger security measures led to the creation of the firewall. The term “firewall” originally referred to a physical barrier—typically made of stone or metal—designed to prevent the spread of fire between buildings. In networking, firewalls serve a similar purpose: they separate trusted, protected networks from untrusted or public networks, such as the internet, to prevent unauthorized access.

In the early days, network protection relied primarily on Access Control Lists (ACLs). These lists—standard, extended, numbered, or named—controlled traffic based on IP addresses and ports. While effective for basic filtering, ACLs lacked intelligence and required constant manual updates. As networks evolved, new firewall technologies emerged to address more complex threats.

Evolution of Firewall Technologies

By the late 1990s, stateful firewalls became the standard. These devices could track active sessions and make decisions based on the state and context of traffic. For example, stateful inspection ensured that only packets belonging to established, valid sessions were allowed through. Early Cisco implementations used “TCP established” ACL options and reflexive ACLs, later evolving into dynamic and time-based ACLs that provided temporary or scheduled access control.

Today’s firewalls have grown far beyond simple packet filters. Modern types include:

Packet-filtering firewalls – Inspect packets based on IP, port, and protocol.
Stateful firewalls – Maintain session tables to track ongoing connections.
Application (proxy) firewalls – Filter traffic based on application-layer data.
Network Address Translation (NAT) firewalls – Hide internal IPs for privacy and security.
Host-based firewalls – Protect individual devices or servers.
Zone-Based Firewalls (ZBF) – Define security zones and policies between them.
Next-Generation Firewalls (NGFW) – Combine deep packet inspection, threat intelligence, and intrusion prevention in one system.

In modern network design, firewalls must be strategically placed to secure sensitive systems while still allowing necessary communication. The best designs balance protection and accessibility by layering firewall rules at the edge, core, and host levels.

Hands-On Learning

To reinforce these concepts, learners should practice configuring and testing real or simulated firewall technologies. In lab environments, students can use Cisco routers to explore:

Access Control Lists (ACLs) – Restrict management access and mitigate attacks.
Context-Based Access Control (CBAC) – A legacy, stateful inspection method on IOS routers.
Zone-Based Policy Firewall (ZPF) – The modern, modular approach to policy-based firewalling on Cisco devices.

Example configuration of a simple ZBF on a Cisco router:


! Define security zones
zone security INSIDE
zone security OUTSIDE

! Create a policy map for traffic inspection
class-map type inspect match-any WEB-TRAFFIC
match protocol http
match protocol https

policy-map type inspect INSIDE-TO-OUTSIDE
class type inspect WEB-TRAFFIC
inspect
class class-default
drop log

! Apply zones to interfaces
zone-pair security IN-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE

interface GigabitEthernet0/0
zone-member security OUTSIDE

interface GigabitEthernet0/1
zone-member security INSIDE

Hands-on labs are available to guide learners through configuring ACLs, CBAC, and ZBF using both the command-line interface (CLI) and graphical tools. These exercises encourage real-world thinking about how to secure edge routers and internal resources effectively.

Access Control Lists

Access Control Lists (ACLs) remain a fundamental tool in network security, used to filter, permit, or deny traffic based on a set of defined conditions. ACLs help administrators enforce security policies, mitigate attacks, and control how packets traverse network interfaces. They can filter traffic at multiple layers of the OSI model, from Layer 2 (Data Link) through Layer 4 (Transport) and even Layer 7 (Application).

Understanding ACL Types and Evolution

Historically, ACLs were implemented as simple numbered lists that filtered traffic using Ethernet types or MAC addresses. For example, ACL numbers 200–299 were used for Ethernet-type filters, while ACLs numbered 700–799 filtered based on MAC addresses. Today, ACLs have evolved to focus primarily on IP traffic, using IPv4 or IPv6 addresses combined with TCP and UDP port numbers to classify and control packets with much greater precision.

Standard ACLs

Standard ACLs are the simplest type and filter packets solely based on the source IP address. They cannot inspect destination information or port numbers. They are best used close to the destination network to avoid unnecessarily filtering legitimate traffic.


R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 10 deny any
R1(config-if)# ip access-group 10 in

In this example, only packets sourced from the 192.168.10.0/24 network are permitted to enter the interface. All other traffic is implicitly denied.

Extended ACLs

Extended ACLs provide much greater control by filtering based on multiple fields: source and destination IP addresses, Layer 4 protocols (TCP, UDP, ICMP, etc.), and port numbers. They are typically placed close to the source of the traffic to minimize unnecessary network load.


R1(config)# access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config)# access-list 101 deny tcp any any eq 21
R1(config)# access-list 101 permit ip any any
R1(config-if)# ip access-group 101 in

This configuration allows HTTPS traffic (TCP/443) from the 192.168.10.0/24 network while denying FTP (TCP/21) from any source.

Named ACLs

To make ACL management easier, Cisco introduced named ACLs, which replace numeric identifiers with descriptive names. Named ACLs are more flexible: you can insert, delete, or reorder specific entries without recreating the entire list.


R1(config)# ip access-list extended SECURE-WEB
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# deny ip any any log
R1(config-ext-nacl)# exit
R1(config-if)# ip access-group SECURE-WEB in

Named ACLs are ideal for dynamic environments where frequent policy updates are required. The no command can remove individual entries without deleting the entire ACL.

VTY Line Access Control

ACLs can also be applied to virtual terminal (VTY) lines to restrict remote administrative access via SSH or Telnet. Standard ACLs are typically used for this purpose.


R1(config)# ip access-list standard ADMIN-ACCESS
R1(config-std-nacl)# permit 192.168.100.0 0.0.0.255
R1(config)# line vty 0 4
R1(config-line)# access-class ADMIN-ACCESS in
R1(config-line)# transport input ssh

This configuration restricts SSH access to the router to devices within the 192.168.100.0/24 subnet.

Logging and Monitoring ACL Activity

When troubleshooting or investigating attacks, administrators can enable logging within ACL statements. The log keyword records matching packets to the router’s console, buffer, or syslog server. However, logging consumes additional CPU resources and should only be used temporarily during diagnostics.


R1(config)# access-list 105 permit tcp any any eq 22 log

Each log entry includes action (permit or deny), protocol, source and destination addresses, and port numbers. Logs are generated for the first match and every five minutes thereafter while traffic continues to match the rule.

Best Practices and Common Pitfalls

Implicit Deny: Every ACL ends with an invisible “deny all” statement. Always include at least one permit rule or all traffic will be blocked.
Order Matters: ACLs are processed top-down. Place specific entries before general ones to avoid unintended blocking.
Directional Filtering: Apply ACLs inbound (in) or outbound (out) depending on traffic flow requirements.
Performance: Keep ACLs as concise as possible. Long, complex ACLs can increase CPU utilization on routers.
Use Named ACLs: They are easier to maintain and modify compared to numbered ACLs.
Sequence Numbers: Modern Cisco IOS versions support numbered ACL entries that can be inserted in order, simplifying edits.

Example Using Sequence Numbers:


R1(config)# ip access-list extended FIREWALL-IN
R1(config-ext-nacl)# 10 permit tcp 10.0.0.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# 20 deny ip any any log
R1(config-ext-nacl)# 15 permit tcp 10.0.0.0 0.0.0.255 any eq 80

Here, the new statement numbered 15 is inserted between 10 and 20 without re-creating the ACL.

Conclusion

ACLs remain a cornerstone of Cisco network security. They provide a flexible, efficient, and powerful method for filtering traffic and enforcing security policies. While more advanced technologies such as Zone-Based Firewalls (ZBF) and Next-Generation Firewalls (NGFW) offer deep inspection capabilities, ACLs continue to play a vital role at the edge and core of modern enterprise networks.

Choosing and Applying Standard vs. Extended ACLs

When designing an access control strategy, the choice between using a standard or extended ACL depends on how granular the filtering needs to be. Standard ACLs filter traffic based only on the source IP address, while extended ACLs provide finer control, allowing filtering by protocols, ports, and destination addresses.

Example 1 – Blocking a Subnet with a Standard ACL

Suppose all traffic from subnet 172.16.4.0/24 must be denied access to another subnet, while all other traffic should pass. A standard ACL can easily achieve this when applied outbound on an interface:


R1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
R1(config)# access-list 1 permit any
R1(config)# interface FastEthernet0/0
R1(config-if)# ip access-group 1 out

This configuration denies traffic from subnet 172.16.4.0/24 from leaving interface Fa0/0, effectively blocking its access to other networks.

Command Breakdown:

1 — Identifies the ACL number (standard ACL range: 1–99).
deny — Blocks traffic matching the defined source address.
172.16.4.0 0.0.0.255 — Specifies the source network and wildcard mask. The 0.0.0.255 mask means the first three octets must match exactly, while the last octet is ignored.
permit any — Allows all other traffic to pass, overriding the implicit deny at the end of every ACL.

Example 2 – Blocking FTP Traffic with an Extended ACL

Extended ACLs allow filtering based on more specific criteria, such as protocols and ports. Consider a scenario where FTP traffic from subnet 172.16.4.0/24 must be blocked from reaching 172.16.3.0/24 while all other traffic remains permitted:


R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
R1(config)# access-list 101 permit ip any any
R1(config)# interface FastEthernet0/1
R1(config-if)# ip access-group 101 in

In this configuration:

TCP port 21 corresponds to FTP control traffic.
TCP port 20 corresponds to FTP data transfers.
All other traffic is explicitly permitted using permit ip any any.

ACL Placement Considerations:

Standard ACLs should be placed close to the destination to avoid blocking legitimate traffic prematurely.
Extended ACLs should be placed close to the source to drop unwanted traffic before it consumes network resources.

Example Behavior:

With the above ACL applied inbound on Fa0/1, all FTP traffic from 172.16.4.0/24 destined for 172.16.3.0/24 will be dropped immediately upon entering the router. However, FTP sessions from 172.16.4.0 to other networks are unaffected and will be permitted.

Key Takeaway: Always remember that ACLs are processed top-down and end with an implicit deny all. For proper functionality, ensure a final permit ip any any statement is included when other traffic should pass unfiltered.

ACL Direction, Placement, and Verification

When configuring Access Control Lists (ACLs), understanding the direction of traffic flow through the router is essential. Traffic direction determines whether an ACL inspects packets entering or leaving an interface.

Inbound (Ingress) Traffic: Inbound traffic refers to packets entering a router interface before being routed to their destination. Inbound ACLs filter traffic prior to any routing table lookups, making them efficient for early packet control.

Outbound (Egress) Traffic: Outbound traffic refers to packets that have already been processed by the router’s routing table and are about to exit an interface. Outbound ACLs are applied after the routing decision is made and before the packet leaves the interface.

ACLs can track return traffic dynamically using features such as reflexive ACLs or stateful firewalls like Zone-Based Policy Firewalls (ZBF), which maintain session tables to allow legitimate return traffic automatically.

ACL Placement Guidelines

Extended ACLs — Place these as close to the source as possible. Because extended ACLs filter traffic based on multiple criteria (such as protocol, port, and destination), placing them near the source prevents unwanted traffic from traversing the network unnecessarily.
Standard ACLs — Place these as close to the destination as possible. Since they filter only by source address, placing them too close to the source might block traffic more broadly than intended.

Most modern networks use Extended ACLs to balance access control with resource efficiency. For instance, administrators may permit business-critical HTTPS traffic (TCP port 443) while blocking insecure or nonessential protocols.

Using Tools to Identify Open Ports

Before defining ACL rules, administrators often use network scanners like Nmap to identify open ports on target devices. For example, if an ACL blocks POP3 (TCP port 110) from external access but allows it internally, an Nmap scan will show port 110 as open when performed from within the LAN, but filtered or closed when scanned externally.

Verifying ACL Configuration

Once ACLs are applied, verification ensures that desired traffic passes and unwanted traffic is blocked. Two useful Cisco IOS commands include:


R1# show ip access-lists

This displays all ACLs and the number of packets matching each access control entry (ACE). Packet counts confirm whether ACL rules are functioning as expected.


R1# show running-config | include access-group

This command identifies which interfaces have ACLs applied and in which direction (inbound or outbound).

Logging Considerations

While the log option can be used to monitor packets that match ACL entries in real time, it can impose a heavy processing load on routers and switches. Logging should be enabled temporarily for troubleshooting or validation, then disabled once the configuration has been verified.

Example Verification Workflow:


R1# show ip access-lists
R1# show running-config | section interface
R1# debug ip packet detail
R1# undebug all

Using this workflow, administrators can view ACL hit counts, confirm interface bindings, and perform targeted debugging—then quickly disable debugging to restore performance.

Key Takeaway: Effective ACL design relies on correctly identifying traffic direction, strategic placement, and proper verification. Misplaced ACLs or unchecked logging can degrade performance or inadvertently block critical business services.

Configuring ACLs with Cisco SDM (Legacy) and Modern Alternatives

In earlier Cisco IOS environments, Cisco Security Device Manager (SDM) provided a graphical interface for configuring routers, including Standard and Extended Access Control Lists (ACLs). Although SDM simplified complex configurations for administrators, it has since become a legacy tool. Cisco SDM has been replaced by Cisco Configuration Professional (CCP) and, more recently, by Cisco DNA Center and web-based GUIs found on modern ISR and Catalyst devices.

Nevertheless, understanding SDM remains valuable for legacy networks and certification purposes, as many older routers still support SDM-based configurations.

Legacy SDM Interface Overview

SDM consisted of two main frames:

About Your Router — Displayed router model, software version, and hardware specifications.
Configuration Overview — Summarized firewall, VPN, routing, and Intrusion Prevention System (IPS) settings.

ACL configuration was accessed via Configure > Additional Tasks > ACL Editor. Administrators could create, edit, and apply access rules through the SDM wizard interface.

Types of Rules in Cisco SDM

Within SDM, ACLs were grouped under several functional categories:

Access Rules — Controlled inbound and outbound traffic on interfaces or vty lines.
NAT Rules — Mapped internal IPs to public IPs for Internet access.
IPsec Rules — Defined traffic to be encrypted for secure VPN communication.
NAC Rules — Determined which hosts could access the network.
Firewall and QoS Rules — Controlled security filtering and traffic prioritization.
Unsupported Rules — Created outside SDM and not editable in the GUI (read-only).
Externally Defined Rules — Supported but created via CLI; not tied to an interface in SDM.
SDM Default Rules — Predefined templates used in SDM configuration wizards.

Creating Standard ACLs Using Cisco SDM (Legacy Procedure)

Open Configure > Additional Tasks > ACL Editor > Access Rules.
Click Add to open the “Add a Rule” window.
Assign a name or number to the ACL and choose Standard Rule from the drop-down list.
Click Add to create entries, selecting Permit or Deny actions.
Select an address type:
- A Network — Matches all IPs in a subnet.
- A Host Name or IP — Matches a single host.
- Any IP Address — Matches all sources.
Enter the appropriate IP address and wildcard mask.
(Optional) Add a description and enable Log Matches Against This Entry for monitoring.
Click OK to finalize the rule, then use Move Up/Down to reorder entries if needed.

Applying ACLs to Interfaces

From the Add a Rule window, click Associate.
Select an active interface (up/up status) from the drop-down list.
Choose Inbound or Outbound for the ACL direction.
If an ACL already exists on that interface, SDM offers to:
- Cancel the operation,
- Append the new rule, or
- Replace the existing rule entirely.

To view the actual IOS commands SDM generates, go to View > Running Config from the menu bar. This allows administrators to understand the underlying CLI structure that SDM executes on the router.

Modern Alternatives to SDM

Cisco Configuration Professional (CCP) — The direct successor to SDM, providing a web-based interface for small to mid-sized routers.
Cisco DNA Center — A centralized, enterprise-grade solution for policy-based management, analytics, and automation of modern Cisco networks.
CLI and REST APIs — In modern environments, administrators typically use CLI or automated workflows (Ansible, NETCONF/YANG) to configure ACLs and policies.

Example CLI Equivalent of a Standard ACL Configuration


R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 10 deny any
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group 10 in

Key Takeaway: While Cisco SDM is now considered obsolete, understanding its workflow is useful for managing legacy devices. Modern network management emphasizes centralized, API-driven configuration and automation tools that build upon the foundational concepts introduced by SDM.

Dynamic ACLs (Lock-and-Key Access Control)

Dynamic Access Control Lists (ACLs), also known as lock-and-key ACLs, were introduced in Cisco IOS around 1996 — before ACL logging and reflexive ACLs became standard features. They represented one of the earliest forms of on-demand, user-authenticated access control on Cisco routers. Dynamic ACLs apply exclusively to IP traffic and rely on Telnet or SSH authentication combined with Extended ACLs to grant temporary access through a router or firewall.

How Dynamic ACLs Work

By default, an extended ACL is configured to deny traffic through the router. When an external user wants to gain access, they initiate a Telnet or SSH session to the router. Once authenticated—either through a local username/password or an AAA server (RADIUS or TACACS+)—the router terminates the session and dynamically inserts a new, temporary ACL entry into the access list. This entry allows the authenticated user’s IP traffic for a specific duration, controlled by idle and absolute timeout values.

This process effectively creates a temporary “hole” in the firewall—only for authenticated and approved users—and closes it automatically when the timer expires or the user disconnects.

Why Use Dynamic ACLs?

Dynamic ACLs are particularly useful for:

Allowing specific remote users or user groups controlled access to internal hosts.
Enabling temporary connectivity between a small subset of internal hosts and a protected external network.
Providing enhanced security compared to static ACLs by requiring authentication before creating any access entries.

Advantages of Dynamic ACLs

Authenticate users with challenge-based verification (username and password).
Reduce administrative overhead in large networks.
Improve router efficiency by processing fewer ACL entries.
Minimize exposure to attacks through automated ACL expiration.
Enable user-triggered, temporary access through firewalls without weakening existing rules.

Dynamic ACL Workflow

The remote user opens a Telnet or SSH connection to the router.
The router prompts for credentials and authenticates using:
- A local username database (configured with username commands).
- An AAA server (RADIUS or TACACS+).
- A line password (least secure and rarely used).
If authentication succeeds, the router closes the session and adds a temporary ACL entry to the configured extended ACL.
The user gains temporary access to internal resources as defined by the ACL entry.

Configuration Steps

Step 1 – Create an Extended ACL

Start by defining an extended ACL that initially blocks traffic but allows Telnet or SSH connections used for authentication. A placeholder entry will be dynamically updated once users authenticate.


Router(config)# access-list 110 permit tcp any host 192.168.1.1 eq 22
Router(config)# access-list 110 dynamic remote_access timeout 10 permit ip any 192.168.10.0 0.0.0.255
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 110 in

Step 2 – Configure Authentication

Define authentication using a local database or AAA server. For example:


Router(config)# username netadmin secret MySecurePass
Router(config)# aaa new-model
Router(config)# aaa authentication login default local

Step 3 – Enable Dynamic Authentication on VTY Lines

Enable lock-and-key authentication using the autocommand access-enable command on the vty lines:


Router(config)# line vty 0 4
Router(config-line)# autocommand access-enable host timeout 5
Router(config-line)# login authentication default

This configuration forces authentication before dynamic ACL entries are created. The host keyword ensures that the user’s specific IP address replaces the any keyword in the ACL entry, allowing user-specific filtering. The timeout value defines the idle timeout—how long the ACL entry remains active without activity.

Timeouts in Dynamic ACLs

Absolute Timeout — Configured in the ACL itself using the timeout parameter (1–9999 minutes). Defines how long the entry exists regardless of activity.
Idle Timeout — Configured with the autocommand access-enable command. Defines how long the session remains active without traffic.

Example Combined Configuration


! Step 1 - Define dynamic ACL
Router(config)# access-list 120 permit tcp any host 192.168.1.1 eq 22
Router(config)# access-list 120 dynamic remote_access timeout 15 permit ip any 192.168.10.0 0.0.0.255
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 120 in

! Step 2 - Configure authentication
Router(config)# username guest secret Secure123
Router(config)# aaa new-model
Router(config)# aaa authentication login default local

! Step 3 - Enable lock-and-key authentication
Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config-line)# autocommand access-enable host timeout 5

How It Works:

A remote user connects to the router via SSH on port 22.
After successful authentication, the router dynamically adds an entry permitting the user’s IP to access 192.168.10.0/24 for up to 15 minutes.
If no traffic occurs for 5 minutes, the idle timeout removes the entry automatically.

Modern Context

While dynamic (lock-and-key) ACLs were groundbreaking in the mid-1990s, they are now largely considered legacy security mechanisms. Modern Cisco platforms use AAA-based authentication with downloadable ACLs (dACLs) from Cisco ISE or ACS servers. These dACLs provide the same dynamic access concept—authenticated, temporary, per-user access—but with centralized policy management and enhanced scalability.

Summary

Dynamic ACLs introduced the concept of authenticated, temporary access control—a precursor to modern network access control frameworks. While they’re rarely used in production networks today, understanding them provides foundational insight into how Cisco’s context-based firewalls and Identity-Based Networking Services (IBNS) evolved.

Configure Time-Based ACLs

Time-based Access Control Lists (ACLs), introduced to Cisco IOS in 1998, extend the functionality of extended ACLs by allowing permit/deny actions to be enforced only during specified time periods. This enables administrators to control access to network resources based on time of day, day of week, or specific calendar dates.

Time-based ACLs are especially useful when a temporary firewall exception is needed but should not remain open indefinitely. Examples include:

Allowing Internet access during employee lunch hours only.
Allowing vendor access during a scheduled maintenance window.
Enabling logging only during suspicious time periods to reduce performance impact.

How Time-Based ACLs Work

Time-based ACLs are built on extended ACLs. A time-range object is created and then referenced inside a permit or deny statement. IOS evaluates the ACL entry only when the router’s clock matches the defined time window.

Creating a Time Range

Each time range must have a unique name (no spaces, must begin with a letter). The time-range configuration mode supports two types of schedules: absolute (one-time event) and periodic (recurring schedule).


Router(config)# time-range RANGE_NAME
Router(config-time-range)# absolute start-time start-date end-time end-date
Router(config-time-range)# periodic day hh:mm to [day] hh:mm

Absolute Time Range — one-time period only.

Example time format: 15:00 (3:00 PM)
Date format: 07 July 2025
If start time is omitted → defaults to current time
If end time is omitted → defaults to 23:59 31 December 2035

Periodic Time Range — recurring schedule.

Supported keywords for repeating periods include:

monday, tuesday, wednesday, thursday, friday, saturday, sunday
daily — every day
weekdays — Monday through Friday
weekend — Saturday and Sunday

The router’s system clock must be set accurately for time-based ACLs to work correctly (manual clock or NTP recommended).

Referencing Time Ranges in ACLs

A time range is activated by adding time-range NAME to an extended ACL entry:


Router(config)# access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 443 time-range WORK_HOURS

The ACL entry is evaluated only when the router’s clock falls within the defined time window.

Configuration Example – Allow Internet Access Only During Lunch and After Work

Requirement: Employees should not access the Internet during normal business hours. Internet access should be permitted only during lunch (12:00–13:00) and again from 17:00–19:00.


R1(config)# time-range employee-time
R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 17:00 to 19:00
R1(config-time-range)# exit

R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time
R1(config)# access-list 100 deny ip any any

R1(config)# interface FastEthernet0/1
R1(config-if)# ip access-group 100 in

Result:

Employees can reach the Internet only during 12:00–13:00 and 17:00–19:00 on weekdays.
Traffic is denied during all other times without requiring manual ACL edits.
Security is improved by automatically closing access outside approved windows.

Best Practices for Time-Based ACLs

Use NTP for clock accuracy — incorrect time invalidates the ACL logic.
Log sparingly — high-volume logging during peak hours may affect performance.
Avoid overlapping time ranges to prevent unpredictable behavior.
Place extended time-based ACLs as close to the source as possible.

Time-based ACLs remain useful today in environments that need scheduled access control without full firewall automation—though modern enterprise networks increasingly replace them with solutions such as dynamic downloadable ACLs (dACLs) from Cisco ISE and zero-trust identity policies.

Verifying and Troubleshooting ACLs

Once an Access Control List (ACL) has been deployed, verification and troubleshooting are essential to ensure the ACL is filtering traffic as intended. Misconfigured ACLs can accidentally block legitimate traffic or unintentionally allow unauthorized access, so monitoring is a core security responsibility.

Viewing ACL Hit Counters

The primary verification method is the show access-lists command, which displays every ACL entry along with the number of packets that matched it. Each match counter reflects how many times traffic has been permitted or denied by that entry.


Router# show access-lists
Router# show access-lists 100
Router# show access-lists BLOCK_FTP

Interpreting the output:

A high number of matches indicates that the ACE is receiving a lot of traffic — sometimes more than intended.
A low (or zero) match count suggests that traffic is not reaching that ACE, or the ACL entry may be too specific or ordered incorrectly.
If every ACE shows zero matches, the ACL may not be applied to any interface — or applied in the wrong direction (in/out).

Using Debug for Real-Time Packet Inspection

For deeper troubleshooting, especially when packet filtering behaviors are unclear, use debug ip packet to observe traffic as it is processed by the router.


Router# debug ip packet
Router# debug ip packet 100
Router# debug ip packet 100 detail

Details and cautions:

detail displays granular information such as protocol, TCP/UDP port numbers, codes, and ICMP types.
The debug output explicitly shows permitted and denied packets in real time.
A "g" in the debug output indicates the next-hop gateway for that packet.
Warning: this command consumes CPU and memory — it can impact performance in production environments.

Stop debugging output using:


Router# undebug all

Best Practices for ACL Verification

Always review show access-lists after applying or modifying an ACL.
Use debug selectively — ideally during maintenance windows or in lab environments.
Watch for unexpected high or low match counts to detect overly broad or overly restrictive ACEs.
If an ACL appears to have no effect, confirm:
- It is applied to the correct interface
- It is applied in the proper direction (inbound / outbound)
- The sequence of ACEs reflects the intended logic (first match wins)

Even though there are only a few ACL verification commands, testing every ACL after deployment is critical. Proper validation prevents accidental service disruption and ensures the network remains protected against unauthorized access.

Using ACLs to Mitigate Network Threats

Access Control Lists (ACLs) remain one of the simplest and most effective first-line defenses in network security. When deployed properly, ACLs not only filter traffic — they actively mitigate attacks, block spoofed packets, protect key services, and limit malicious ICMP behavior.

Common Security Threats Addressed by ACLs

IP address spoofing (inbound and outbound)
TCP SYN flood attacks
Smurf and ICMP flood attacks
Unauthorized traceroute mapping
Unwanted ICMP traffic entering or leaving the network

Blocking IP Spoofing

Most DoS attacks rely on spoofing. A router should never receive inbound packets containing internal or special-use source IP addresses. ACLs can immediately eliminate spoofed traffic by denying packets with forbidden source ranges.

Block inbound spoofed sources such as:

Local host addresses — 127.0.0.0/8
Private RFC1918 ranges — 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Multicast address ranges — 224.0.0.0/4

Best practice also applies outbound:

If a packet leaves the network, its source IP must belong to the internal organization. All other source addresses should be denied.


! Drop spoofed inbound IPs
ip access-list extended BLOCK-SPOOF
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 permit ip any any

Permitting Only Required Services Through the Firewall

Some protocols must be allowed through security boundaries — for example:

DNS (TCP/UDP 53)
SMTP (TCP 25)
FTP (TCP 20/21) — although FTPS/SFTP is strongly preferred

Routers may also require administrative access from approved IPs:

SSH — preferred for remote access
Syslog — to forward logs to a SIEM
SNMP — typically restricted to management hosts only


! Example — allow secure management
ip access-list extended MGMT-ACCESS
 permit tcp host 203.0.113.10 any eq 22        ! SSH from NOC
 permit udp host 203.0.113.20 any eq 514       ! Syslog collector
 permit udp host 203.0.113.30 any eq 161       ! SNMP manager
 deny   ip any any

Controlling ICMP for Security and Stability

ICMP plays two roles — attackers abuse it, but network devices also rely on it for troubleshooting and path management. A secure ACL approach blocks harmful ICMP messages while allowing operationally important ones.

Recommended ICMP allowed inbound:

Echo reply — enables internal host pings to external hosts
Source quench — throttling notifications
Unreachable — required for troubleshooting and ACL-generated rejects

Recommended ICMP allowed outbound:

Echo — outbound pings initiated by internal hosts
Parameter problem
Packet too big — required for MTU discovery
Source quench — rate control

All other ICMP messages should be blocked by default.


! Example ICMP control policy
ip access-list extended ICMP-FILTER
 ! Inbound (from Internet)
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any unreachable
 deny   icmp any any
 ! Outbound
 permit icmp any any echo
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 deny   icmp any any

Summary

ACLs can eliminate spoofed packets before they reach critical systems.
Only the minimum required services should be permitted through a firewall boundary.
ICMP must be filtered selectively — neither fully blocked nor fully allowed.
ACLs form the foundation of firewall protection, even in modern networks that rely on next-gen firewalls and IPS.

ACLs are powerful, but they are just one part of a secure perimeter. The next step in strengthening network defenses is exploring stateful firewalls, Zone-Based Firewall (ZBF), and Context-Based Access Control (CBAC), which build upon ACLs to provide deeper inspection and dynamic session awareness.

Introduction to Firewalls and Their Role in Modern Network Security

The term firewall originated long before computer networks existed. It described a fire-resistant barrier (usually stone or metal) that stopped flames from spreading between structures. The automotive and aviation industries later adopted the term for the partition that isolates the engine compartment from passengers. Today, the term has evolved again — a firewall in networking is a barrier that prevents unauthorized, malicious, or untrusted traffic from entering protected portions of a network.

In modern networks, a firewall is a system or collection of systems that enforces an access control policy between trusted and untrusted environments. A firewall may take many forms, including:

A router applying filtering rules
A Layer 3 switch using VLAN separation for traffic isolation
A dedicated hardware firewall appliance
A host running firewall software (e.g., Windows Firewall, iptables, macOS PF)
A combination of multiple devices working together

Regardless of scale or complexity, all firewalls share core characteristics:

Resistant to attack — hardened to handle malicious traffic without compromise
Act as the controlled chokepoint — all inbound and outbound traffic must pass through the firewall
Enforce security policy — decide which traffic is allowed or denied based on rules

Evolution of Firewall Technology

1988 — Packet Filter Firewalls (Stateless)
DEC introduced the first network firewall based on packet filtering. Individual packets were inspected using criteria such as source/destination IP, protocol, and port — then permitted or denied. These early firewalls were stateless, meaning they did not track whether packets belonged to an ongoing connection.

1989 — Stateful Firewalls
AT&T Bell Labs pioneered the stateful firewall, which tracks active sessions. When a connection is established, temporary dynamic rules are created and removed when the session ends. Stateful inspection significantly improved protection against spoofing and DoS attacks by distinguishing legitimate return traffic from unsolicited traffic.

1990s onward — Dedicated Firewall Appliances
Early firewalls ran as software on routers and servers. As traffic volumes increased, dedicated firewall appliances emerged to offload the CPU-intensive work of packet inspection. Today, organizations may deploy:

Next-Generation Firewalls (NGFW)
Unified Threat Management (UTM) appliances
Cloud-native firewalls (e.g., AWS, Azure, Google Cloud)
Router-integrated firewalls (e.g., Cisco ISR with Zone-Based Policy Firewall)

Modern Cisco ISR routers continue to support full stateful firewall capabilities, providing enterprise-grade protection for environments that don’t require a dedicated appliance.

Benefits of Using Firewalls

Prevent exposure of sensitive hosts and applications to untrusted users
Sanitize protocol flows and reduce exploitation of protocol vulnerabilities
Block malicious traffic before it reaches endpoints
Provide centralized and scalable policy enforcement
Simplify security management by controlling access at strategic network points

Limitations and Risks of Firewalls

A misconfigured firewall can become a single point of failure
Certain applications cannot operate securely across firewall boundaries
Users may attempt to bypass controls (VPNs, proxies, encrypted tunnels)
Packet inspection can introduce latency under heavy load
Attackers can disguise attack traffic to look legitimate (e.g., HTTPS tunneling)

Because of these risks, modern network security relies on defense-in-depth — combining firewalls with intrusion prevention, segmentation, endpoint security, strong authentication (Zero Trust), and continuous monitoring.

Why Understanding Firewall Types Matters

There is no single firewall type capable of solving every security challenge. The appropriate choice depends on:

Network size and topology
Application and protocol requirements
Compliance and regulatory standards
The balance between performance and inspection depth
Budget and manageability

Types of Firewalls and How They Filter Network Traffic

A firewall system is often made up of multiple components, but the most recognizable function is traffic filtering — the selective permitting or denying of packets based on an organization’s security policy. Filtering can be implemented in several ways, which leads to different categories of firewalls. The most common types include:

Packet-filtering firewall — Typically a router that filters packets based on Layer 3 and sometimes Layer 4 information.
Stateful firewall — Tracks the state of connections and differentiates between initiation, data transfer, and termination phases.
Application gateway (proxy) firewall — Filters traffic at Layers 3, 4, 5, and 7, often using deep packet inspection in software.
Address-translation firewall — Uses NAT to conserve IPv4 addresses while hiding internal addressing structure from the outside world.
Host-based firewall — Firewall software running on an endpoint (PC, server, or virtual machine).
Transparent firewall — Filters IP traffic between two bridged interfaces without affecting IP addressing or routing.
Hybrid firewall — Combines multiple architectures, such as a stateful firewall paired with application-layer inspection.

Packet-Filtering Firewalls

Packet-filtering firewalls operate primarily at the Network Layer (Layer 3) but frequently enforce rules using Layer 4 protocol and port information. ACL-style logic determines whether a packet is permitted or denied based on:

Source IP address
Destination IP address
Protocol (TCP/UDP/ICMP/other)
Source and destination port numbers
SYN flag (to detect new TCP sessions)

These firewalls are sometimes called static filters because each packet is evaluated individually, without tracking whether it belongs to an active session. Despite their limitations, packet filters remain foundational — especially as part of router-based perimeter defenses.

Because services rely on specific ports, packet filters can be highly effective at limiting attack surfaces. For example, blocking outbound TCP port 25 on selected subnets prevents malware-infected workstations from attempting to send bulk spam or exfiltrate stolen data via SMTP.

Stateful Firewalls

Stateful firewalls are the most widely used firewall technology today. Instead of making decisions one packet at a time, a stateful firewall builds and maintains a state table that tracks connection information across all network interfaces. Each session is recorded in the table using metadata such as:

Source and destination IP addresses
Source and destination port numbers
TCP sequence and acknowledgment numbers
TCP control flags (SYN, ACK, FIN, RST)

When a client inside the network initiates a connection, the stateful firewall records the session. When the external server responds, the packet is compared against the state table — legitimate return traffic is permitted automatically without requiring explicit ACL entries.

Modern stateful firewalls go even further, implementing protocol-aware support mechanisms. Examples include:

Parsing FTP port commands and dynamically opening return channels
Matching DNS queries with DNS responses to block hijacked replies
Validating TCP sequence behavior to reduce RST-flood spoofs

A potential drawback is that stateful inspection can expose internal IP addressing unless combined with NAT or proxy functions — which is why most commercial firewalls today blend stateful filtering + NAT + deep inspection into a single platform.

Firewall Solutions in Cisco Environments

Cisco offers multiple firewall implementation paths, each suitable for different scale and budget requirements:

Cisco IOS Firewall — Stateful firewall capabilities built directly into Cisco routers; ideal for branch offices and small to midsize deployments.
Cisco PIX Security Appliances (now end-of-life) — Early dedicated appliance platform designed for strong policy enforcement and VPN services.
Cisco ASA Adaptive Security Appliances — Industry-standard platform that integrates firewall, SSL/IPsec VPN, Unified Communications security, IPS, and content inspection into a single device.

ASA was designed as a core component of Cisco’s Self-Defending Network model, providing multi-layer threat defense while maintaining ease of deployment and lower operational costs. ASA remains widely deployed, although many organizations are now transitioning toward Next-Generation Firewalls (NGFWs) with features like SSL decryption, identity-aware policy, and machine-learning-driven threat detection.

Choosing the Right Firewall

Firewalls are not one-size-fits-all. Selecting the correct solution involves a balance of:

Risk and compliance requirements
Application visibility and inspection needs
Performance considerations (latency vs. deep inspection)
Scalability and future expansion
Total cost of ownership (TCO)

No matter which platform is selected, successful deployment depends on thoughtful security architecture — including segmentation, redundancy, logging/monitoring, and policy governance.

Understanding DMZ Architecture and Layered Firewall Defense

In network security, the term demilitarized zone (DMZ) refers to a portion of a network that is isolated by a firewall or a set of firewalls. Borrowed from the military concept of a neutral buffer zone, a DMZ limits where untrusted devices can communicate while protecting trusted internal resources.

A DMZ helps define which parts of a network are trusted and which are untrusted. Firewall design is centered around controlling traffic at interfaces — determining whether to permit or deny packets based on their source, destination, and type of traffic.

Two-Interface Firewall Design

Some deployments are simple, consisting of two firewall interfaces:

Outside network (public/untrusted)
Inside network (private/trusted)

In this model, outbound traffic from the inside is usually allowed to the outside with few restrictions. Inbound traffic from the outside is normally blocked entirely or allowed only in very specific cases. Return traffic associated with legitimate outbound connections is allowed back in.

Three-Interface Firewall Design with a DMZ

More advanced topologies introduce a third interface:

Outside interface – the untrusted public network
Inside interface – the trusted private network
DMZ interface – semi-trusted network for public-facing services

Common DMZ services include email, DNS, HTTP, and HTTPS servers. Typical traffic rules in a three-interface design:

Inside → Outside and Inside → DMZ traffic is generally allowed
DMZ → Outside traffic is allowed (public services returning data)
Outside → DMZ traffic is selectively allowed for approved services only
Outside → Inside traffic is blocked completely unless it is associated with legitimate inside-initiated sessions

Layered Defense and Screened Subnet Architecture

A layered defense combines multiple firewalls and filtering methods to protect both the perimeter and sensitive internal segments. For example, a screened subnet configuration may include:

A packet-filtering router at the edge to block obviously malicious traffic
A hardened firewall or bastion host in the DMZ to enforce deeper application-level controls
An internal firewall or screening router that filters traffic before it reaches internal resources

Only traffic that successfully passes each layer is permitted to reach internal hosts. A bastion host is specifically hardened for this purpose and is commonly located in the DMZ.

Misconceptions About Layered Firewalls

Although layered firewall architectures are powerful, they do not guarantee complete security. Additional considerations include:

Many breaches originate from inside the network — firewalls alone cannot prevent insider abuse or malware introduced via email or USB
Firewalls cannot stop the use of unauthorized modems, wireless hotspots, or cellular tethering
Firewalls do not replace the need for backups, disaster recovery, or cyber-awareness training

A DMZ and layered firewall approach is effective only when combined with monitoring, patching, endpoint protection, and informed users.

Firewall Security Policy Considerations

Security professionals must define and maintain a written firewall policy. A good starting point includes:

Deploy firewalls at key security boundaries
Firewalls are critical, but should not be the only security mechanism
Use a default deny posture — permit only necessary services
Protect physical access to firewall hardware
Monitor logs regularly; tools such as Cisco MARS can help automate this
Require change management for firewall rule modifications
Remember that most external attacks are technical, while most internal attacks are non-technical

DMZ Variations with Cisco Firewalls

A Cisco router running Cisco IOS Firewall can operate as both a router and a firewall. When two firewall devices are deployed, they can be connected by a LAN segment that serves as the DMZ. This setup provides redundancy for public access to DMZ resources and isolates internal networks from direct exposure.

Understanding Context-Based Access Control (CBAC) in Cisco IOS Firewall

Context-Based Access Control (CBAC) is a major component of the legacy Cisco IOS Firewall feature set. Unlike basic ACLs, CBAC performs stateful inspection at the Application Layer, allowing the firewall to understand how protocols behave, track active sessions, and dynamically permit return traffic. This enables CBAC to support complex and multi-channel applications such as FTP, H.323, and multimedia protocols, which standard ACLs cannot properly secure.

CBAC can also parse and translate NAT/PAT-embedded addressing information, helping ensure multi-channel and dynamic protocols continue functioning after address translation. In addition, CBAC can block peer-to-peer applications (such as Gnutella or KaZaA) and popular instant-messaging platforms (e.g., Yahoo!, AOL, MSN), giving administrators fine-grained control over non-business traffic.

Core Functions of CBAC

1. Traffic Filtering
CBAC dynamically permits return TCP/UDP traffic only when a session has been legitimately initiated. When inside hosts create connections, CBAC temporarily opens access in the ACL to allow the return packets back through the firewall. This supports intranet, extranet, and Internet perimeter deployments. Unlike stateless filtering, CBAC evaluates Layer 3 and 4 information and Application Layer state data, enabling support for protocols requiring multiple negotiated channels.

2. Traffic Inspection
Since CBAC tracks TCP/UDP sessions, it can protect against attacks that exploit connection state. For example:

Detecting and limiting SYN-flood attempts
Dropping half-open connections consuming resources
Verifying TCP sequencing to detect spoofed traffic

These protections help reduce DoS attack effectiveness by eliminating abnormal traffic before it reaches internal hosts.

3. Intrusion Detection
CBAC includes a limited intrusion detection capability designed to identify specific attack signatures—particularly those targeting SMTP. When an attack signature is matched, CBAC:
• Terminates the unauthorized connection
• Generates syslog alerts for analysis

4. Alert and Audit Generation
CBAC supports extensive session-based logging through syslog. Each inspected session can record timestamps, source/destination addresses, ports, and bytes transferred. Suspicious activity triggers real-time syslog alerts that can be forwarded to monitoring systems.

How CBAC Improved on Earlier IOS Firewall Methods

Introduced in 1997, CBAC was a major advancement over previous IOS solutions such as TCP established and reflexive ACLs. Key improvements include:

Full TCP connection state monitoring
Tracking of TCP sequence numbers
Inspection of DNS queries and responses
Inspection of selected ICMP types
Application support for multi-channel and negotiated connections
Inspection of NAT-embedded addressing
Inspection at the Application Layer (not just ports and flags)

Operational Characteristics and Limitations

CBAC offers significant protections, but with important considerations:

CBAC only inspects protocols explicitly configured by the administrator. All others rely solely on ACL rules.
CBAC only protects against traffic that . Internal lateral attacks may bypass it if internal routers do not run CBAC.
No firewall is unbeatable — skilled attackers can still find gaps if other security layers are weak.

Even though CBAC is considered a legacy technology today (superseded by Zone-Based Firewall), understanding it remains valuable for:

Certification exams such as CCNA Security and CCNP Security (older blueprints)
Legacy network support environments
Migrating CBAC rule sets to ZBF policies

CBAC Operation

Traditional ACL-based filtering operates only at the Network and Transport Layers. CBAC goes further by implementing a stateful, application-aware packet filter that examines Application Layer information to track the full state of a session — including dynamic protocols like FTP, RPC, and SQL*Net that open multiple channels.

CBAC maintains a state table tracking active TCP, UDP, and ICMP sessions. As traffic exits the protected network, CBAC inserts temporary dynamic ACL entries to permit the returning traffic back in. These entries exist only for the life of the session and are never written to NVRAM.

Step-by-Step: Outbound Telnet Example

Outbound packet hits any inbound ACL first — if denied, it's dropped. If permitted, CBAC inspection rules are evaluated.
If the protocol (e.g., Telnet) is not in the inspection rule, the packet passes with no further tracking.
If inspected, the connection is looked up in the state table. A new entry is created, or the idle timer on an existing entry is reset.
A dynamic ACL entry is inserted on the external interface (inbound direction) to permit the returning session traffic.
When the session ends, both the state table entry and dynamic ACL entry are removed.

TCP Handling

When a TCP SYN packet is received, CBAC checks the ACL and — if permitted — creates a session entry tracking endpoint addresses, port numbers, sequence numbers, and flags. All subsequent packets are validated against this state. After the three-way handshake completes, all packets must carry the ACK flag; CBAC enforces this throughout the session lifetime.

! CBAC TCP session entry (conceptual)
! Src: 192.168.1.10:49200  Dst: 203.0.113.5:23  Proto: TCP
! Flags: SYN > SYN-ACK > ACK  State: ESTABLISHED  Idle: 3600s

UDP Handling

UDP has no handshake or teardown. CBAC creates a connection entry based solely on endpoint addresses and port numbers when the first packet is permitted. The entry is removed after a configurable idle timeout with no traffic.

! CBAC UDP session entry (conceptual)
! Src: 192.168.1.10:5000  Dst: 8.8.8.8:53  Proto: UDP  Idle: 30s

Other IP Protocols

Protocols like GRE and IPsec are handled statelessly — similar to classic packet filtering. When a flow is initially permitted, all matching packets are allowed until an idle timer expires.

Dynamic Application Inspection

Protocols like FTP and VoIP signaling open a primary channel then negotiate secondary channels dynamically. CBAC parses the initial session to learn about these secondary channels and automatically permits them if the primary session was allowed.

! FTP active mode: CBAC parses the PORT command on TCP/21
! and dynamically opens the data channel on TCP/20
ip inspect name CBAC_RULE ftp

Inspection Rules

An inspection rule defines which protocols CBAC monitors and is applied to an interface in a specific direction. Packets denied by an ACL are dropped before inspection occurs.

ip inspect name CBAC_RULE tcp
ip inspect name CBAC_RULE udp
ip inspect name CBAC_RULE ftp
ip inspect name CBAC_RULE smtp
ip inspect name CBAC_RULE http

interface GigabitEthernet0/0
 description Outside Interface
 ip inspect CBAC_RULE out
 ip access-group OUTSIDE_ACL in

Attack Detection

The Cisco IOS Firewall engine detects Application Layer attacks such as illegal SMTP commands. On detection it can generate alerts, protect system resources, or block packets from suspected attackers.

Timeouts and DoS Thresholds

CBAC tracks three thresholds to defend against TCP-based DoS attacks: total half-open sessions, half-open sessions per minute, and half-open sessions per host. When a threshold is exceeded, CBAC either resets the oldest half-open session or temporarily blocks all SYN packets — preventing the three-way handshake from completing and conserving router resources.

ip inspect tcp synwait-time 30
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5

ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect tcp max-incomplete host 50 block-time 0

Verification

show ip inspect sessions
show ip inspect sessions detail
show ip inspect all
show ip inspect interfaces
show ip access-lists

Configure CBAC

There are four steps to configure CBAC:

Pick an interface — internal or external.
Configure IP ACLs at the interface.
Define inspection rules.
Apply an inspection rule to an interface.

Pick an Interface

Determine which interface is internal (where sessions originate) and which is external (where sessions are blocked). In a two-interface setup, CBAC blocks specified traffic from entering the protected network unless it belongs to a session initiated from inside. In a three-interface setup with a DMZ, external traffic can reach DMZ resources (e.g., DNS, web) while still being blocked from the internal network.

CBAC can also be configured in both directions on one or more interfaces — useful for extranet/intranet configurations or DoS protection. When configuring bidirectional CBAC, configure one direction first, then swap the internal/external designations for the other direction.

Configure IP ACLs at the Interface

ACLs must be configured on inside, outside, and DMZ interfaces. At minimum, apply ACLs on border routers between internal and external networks. Follow these guidelines:

Start with a basic config that allows outbound traffic from protected networks while blocking inbound traffic from unprotected networks.
Permit traffic that CBAC is set to inspect — e.g., if inspecting Telnet, permit Telnet in all ACLs that apply to the initial flow.
Use extended ACLs for traffic entering from unprotected networks, as CBAC requires extended ACLs to dynamically create temporary openings for return traffic.
Enable antispoofing by denying inbound traffic on external interfaces whose source address matches any address on the protected network.
Deny broadcast messages sourced from 255.255.255.255 to prevent broadcast attacks.
The implicit deny at the end of every ACL blocks all unmatched traffic. Optionally make this explicit to enable logging of denied packets.

Define Inspection Rules

Inspection rules specify which Application Layer protocols CBAC monitors at an interface. Typically one rule is sufficient; a second rule is only needed when enabling the firewall engine in two directions on a single interface.

Each rule is a series of statements sharing the same rule name, one per protocol. Generic TCP/UDP inspection dynamically permits return traffic; ICMP inspection allows echo-reply packets in response to previously seen echo requests.

Router(config)# ip inspect name inspection_name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

Example 1 — Inspect SMTP and FTP with alerting and audit trails, 300s timeout:

ip inspect name FWRULE smtp alert on audit-trail on timeout 300
ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Example 2 — Allow Java applet downloads only for hosts in the 10.224.10.0/24 subnet:

ip inspect name PERMIT_JAVA http java-list 10
access-list 10 permit 10.224.10.0 0.0.0.255

Example 3 — Inspect multiple protocols with a 12-hour TCP idle timeout:

ip inspect name in2out rcmd
ip inspect name in2out ftp
ip inspect name in2out tftp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out http
ip inspect name in2out udp

Apply an Inspection Rule to an Interface

Router(config-if)# ip inspect inspection_name {in | out}

Two guiding principles for applying rules and ACLs:

On the initiating interface, apply an inbound ACL permitting wanted traffic and an inbound inspection rule for that traffic.
On all other interfaces, apply an inbound ACL denying all traffic except uninspected types such as GRE or non-echo ICMP.

Full Example — Inside users initiate TCP/UDP/ICMP to any external destination; external clients may only reach the DMZ SMTP server (209.165.201.1) and HTTP server (209.165.201.2):

! Internal ACL — permit outbound TCP, UDP, ICMP from inside network
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any
access-list 101 permit udp 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp 10.10.10.0 0.0.0.255 any
access-list 101 deny ip any any

interface Fa0/0
 ip access-group 101 in

! External ACL — permit only SMTP/HTTP to DMZ and select ICMP types
access-list 102 permit tcp any 209.165.201.1 0.0.0.0 eq 80
access-list 102 permit tcp any 209.165.201.2 0.0.0.0 eq smtp
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any time-exceeded
access-list 102 deny ip any any

interface S0/0/0
 ip access-group 102 in

! Inspection rules — applied inbound on internal interface
ip inspect name MYSITE tcp
ip inspect name MYSITE udp

interface Fa0/0
 ip inspect MYSITE in

CBAC automatically inserts temporary ACL entries on the external interface to permit TCP/UDP return traffic for sessions initiated from inside.

To remove all CBAC configuration, state table entries, dynamic ACL entries, and reset all timeouts to factory defaults:

Router(config)# no ip inspect

Troubleshooting CBAC

CBAC supports two logging functions: alerts and audits.

Alerts

Alerts report CBAC events such as DoS attacks, insufficient resources, and protocol violations. They are enabled by default and display on the console. To globally disable alerts (not recommended):

Router(config)# ip inspect alert-off

Example alert for an invalid SMTP command:

%FW-4-SMTP_INVALID_COMMAND: Invalid SMTP command from initiator (209.165.201.5:49387)

CBAC also detects other SMTP attacks, including pipe characters in To/From fields, :decode@ in headers, legacy wiz/debug commands, and Majordomo exploit attempts:

02:04:55: %FW-4-TCP_MAJORDOMO_EXEC_BUG: Sig:3107:
 Majordomo Execute Attack - from 209.165.201.5 to 192.168.1.1

Audits

Audit trails log all inspected connections — both valid and invalid — including state table additions and removals with basic session statistics. Disabled by default; enable with:

Router(config)# ip inspect audit-trail

Example audit entry for a Telnet session:

%FW-6-SESS_AUDIT_TRAIL: tcp session
 initiator (192.168.1.2:32782) sent 22 bytes
 responder (209.165.201.1:23) sent 200 bytes

By default, alerts and audits output to the console but can be redirected to the router's internal buffer or an external syslog server.

Show Commands

Router# show ip inspect [parameter]

Example — view a named inspection rule:

Router# show ip inspect name inspect_outbound

Inspection name inspect_outbound
 cuseeme   alert is on  audit-trail is on  timeout 3600
 ftp       alert is on  audit-trail is on  timeout 3600
 http      alert is on  audit-trail is on  timeout 3600
 rcmd      alert is on  audit-trail is on  timeout 3600
 realaudio alert is on  audit-trail is on  timeout 3600
 smtp      alert is on  audit-trail is on  timeout 3600
 tftp      alert is on  audit-trail is on  timeout 30
 udp       alert is on  audit-trail is on  timeout 15
 tcp       alert is on  audit-trail is on  timeout 3600

Example — view active sessions and their dynamic ACL entries. The FTP control session was initiated from inside (192.168.1.2); CBAC dynamically opened the FTP data channel back from the server (209.165.201.1):

Router# show ip inspect sessions

Established Sessions
 Session 25A3378 (209.165.201.1:20)=>(192.168.1.2:32704) ftp-data SIS_OPEN
 Session 25A5AC2 (192.168.1.2:32703)=>(209.165.201.1:21) ftp SIS_OPEN

Router# show ip access-list

Extended IP access list 100
 permit tcp host 209.165.201.1 eq 21 host 192.168.1.2 eq 32703 (24 matches)
 permit tcp host 209.165.201.1 eq 20 host 192.168.1.2 eq 32704 (88 matches)

Debug Commands

For real-time troubleshooting, use debug ip inspect to observe CBAC operation as it happens:

Router# debug ip inspect protocol parameter

Supported application names: cuseeme, dns, ftp-cmd, ftp-token, h323, http, netshow, rcmd, realaudio, rpc, rtsp, sip, skinny, smtp, sqlnet, streamworks, tftp, vdolive.

Use debug ip inspect timers to monitor idle timeout events:

Router# debug ip inspect timers

*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22)
(10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet
*Mar 2 01:20:43: CBAC sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22)
(10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2544374 TCP P ack 4200176247 seq 4223720032(30)
(10.0.0.1:46409) <= (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC* sis 25C1CC4 pak 2544734 TCP S seq 4226992037(0) (10.1.0.1:20) =>
(10.0.0.1:46411)
*Mar 2 01:20:43: CBAC* sis 25C1CC4 pak 2541E38 TCP S ack 4226992038 seq 4203405054(0)
(10.1.0.1:20) <= (10.0.0.1:46411)

Beginning with Cisco IOS Release 12.4(20)T, debug policy-firewall replaces debug ip inspect.

While CBAC greatly extends the capability of Cisco routers as stateful firewalls, it does have limitations. Newer technologies build on CBAC's functionality while offering a more structured and intuitive implementation of the Cisco IOS Firewall feature set.

Zone-Based Policy

Introduced in Cisco IOS Release 12.4(6)T (2006), the zone-based policy firewall (ZPF) assigns interfaces to zones and applies inspection policies to traffic moving between them. This allows different inspection policies for multiple host groups on the same interface and enforces a default deny-all policy between zones — a significant departure from CBAC, where traffic was implicitly permitted until explicitly blocked.

ZPF supports the same features as CBAC — stateful packet inspection, application inspection, URL filtering, and DoS mitigation — but uses Cisco Common Classification Policy Language (C3PL), a hierarchical structure that makes policies modular, readable, and easier to troubleshoot.

CBAC Limitations Addressed by ZPF

Multiple ACLs and inspection policies across many interfaces make it difficult to correlate traffic behavior between zones.
Policies cannot be scoped to a host group or subnet — all traffic through an interface is subject to the same inspection.
The model relies too heavily on ACLs.

ZPF Benefits

Not dependent on ACLs.
Default posture is deny-all unless explicitly permitted.
C3PL makes policies easy to read and troubleshoot.
A single policy governs a given traffic flow instead of requiring multiple ACLs and inspection actions.

CBAC and ZPF can run concurrently on the same router, but cannot be combined on a single interface — an interface cannot simultaneously be a zone member and have IP inspection configured.

Designing a Zone-Based Firewall

Determine the zones — Split the infrastructure into zones with distinct security levels (e.g., internal network, DMZ, public internet). Focus on logical separation, not physical implementation.
Establish policies between zones — For each source-destination zone pair, define permitted sessions (TCP, UDP, ICMP). For sessionless traffic like IPsec ESP, define explicit unidirectional flows in each direction.
Design the physical infrastructure — Based on zone definitions and traffic requirements, determine the number of devices, placement, and redundancy between security levels.
Identify zone subsets and merge traffic requirements — For each firewall device, identify which zone subsets connect to each interface and consolidate their traffic policies into a device-specific interzone policy.

Common ZPF designs include LAN-to-Internet firewalls, firewalls with public servers, redundant firewalls, and complex multi-zone firewalls.

Zone-Based Policy Firewall Operation

ZPF supports three actions for traffic between zones:

Inspect — Stateful packet inspection equivalent to CBAC's ip inspect. Automatically permits return traffic and handles multi-session protocols like FTP and H.323.
Drop — Equivalent to an ACL deny. An optional log parameter records rejected packets.
Pass — Equivalent to an ACL permit, but stateless — does not track connections and only allows traffic in one direction. A corresponding policy must be configured in the opposite direction to permit return traffic.

The police option can be combined with inspect or pass to apply rate limiting to a traffic class.

Zone and Interface Rules

A zone must exist before interfaces can be assigned to it.
Each interface must belong to a zone for traffic to flow between all interfaces on a router.
An interface can belong to only one zone.
Traffic flows freely by default between interfaces in the same zone.
Traffic between different zones requires an explicit pass, inspect, or drop policy.
Traffic cannot flow between a zone member interface and an interface with no zone assignment.
Interfaces not assigned to a zone can still use CBAC stateful inspection independently.
If an interface should not participate in ZPF but still needs to pass traffic to another zone, assign it to a zone and configure a pass-all (dummy) policy.

The Self Zone

All IP interfaces on the router are automatically placed in the system-defined self zone when ZPF is configured. The self zone governs traffic destined for the router itself or generated by the router — it does not apply to traffic merely traversing the router.

The self zone is the only exception to the default deny-all policy. All traffic to any router interface is permitted unless explicitly restricted. To control this traffic, a zone-pair policy must be configured between the self zone and any other zone.

Additional rules when the router is in the traffic path:

When an interface is assigned to a zone, all traffic to and from that interface is implicitly blocked — except traffic from other interfaces in the same zone or traffic directed to the router itself.
Traffic to and from the router is permitted by default, but an explicit policy can be configured to restrict it.

Configuring a Zone-Based Policy Firewall with CLI

ZPF configuration follows five steps:

Create zones with zone security.
Define traffic classes with class-map type inspect.
Specify firewall policies with policy-map type inspect.
Apply policies to zone pairs with zone-pair security.
Assign interfaces to zones with zone-member security.

Key considerations before configuring:

Only type inspect policy maps and class maps can be used in zone-pair configurations.
Class map and policy map names must be unique across all types — no name overlap with QoS maps.
A zone must be created with zone security before it can be referenced in zone-member security.
An interface can belong to only one zone. To create a union, define a new zone with its own policy and zone pairs.
Remove ip inspect from an interface before applying zone-member security to it. ZPF and CBAC can coexist on a router, but not on the same interface.
Assigning an interface to a zone always causes a temporary interruption of service.
The default interzone policy drops all traffic unless explicitly permitted in a zone-pair policy.
Traffic between interfaces in the same zone is never filtered.
The zone-member command does not affect traffic to or from the router itself — use self zone pairs for that.
ZPF does not modify ACLs. Review existing ACL usage before applying zone-member.

Step 1 — Create the Zones

Group interfaces with similar security requirements into the same zone.

Router(config)# zone security zone-name
Router(config-sec-zone)# description line-of-description

Step 2 — Define Traffic Classes

Class maps define which traffic to match. Use match-any (default for L3/L4) to match any condition, or match-all to require all conditions. Class maps can be nested for hierarchical policy structures.

! Layer 3/4 class map
Router(config)# class-map type inspect [match-any | match-all] class-map-name

! Match an ACL
Router(config-cmap)# match access-group {access-group | name access-group-name}

! Match a protocol
Router(config-cmap)# match protocol protocol-name

! Nest another class map
Router(config-cmap)# match class-map class-map-name

Step 3 — Specify Firewall Policies

Policy maps bind traffic classes to actions: pass, inspect, drop, or police.

Router(config)# policy-map type inspect policy-map-name
Router(config-pmap)# class type inspect class-name
Router(config-pmap-c)# pass | inspect | drop [log] | police

! Apply to all remaining unmatched traffic
Router(config-pmap)# class class-default

Step 4 — Apply Firewall Policies to Zone Pairs

A zone pair defines a unidirectional traffic path between a source and destination zone. Attach a policy map to the zone pair to define how that traffic is handled.

Router(config)# zone-pair security zone-pair-name source source-zone-name destination destination-zone-name
Router(config-sec-zone-pair)# service-policy type inspect policy-map-name

For deep packet inspection (Layer 7), attach a Layer 7 policy map within the top-level policy map:

Router(config-pmap-c)# service-policy {h323 | http | im | imap | p2p | pop3 | sip | smtp | sunrpc | urlfilter} policy-map-name

Step 5 — Assign Interfaces to Zones

Once an interface is assigned to a zone, all traffic to and from it is dropped by default unless a zone-pair policy explicitly permits it.

Router(config-if)# zone-member security zone-name

Troubleshooting Zone-Based Policy Firewall

A typical two-interface ZPF setup inspects protocols such as HTTP, SMTP, and FTP using a policy map applied to a class map. Two zones (e.g., private and Internet) are created, interfaces are assigned to each, and a zone pair (e.g., priv-to-internet) ties them together with the policy map applied.

SDM Monitoring

In SDM, navigate to Monitor > Firewall Status to view activity per zone pair, including policy name, source zone, and destination zone. Three data collection modes are available:

Real-time — updated every 10 seconds.
60 minutes — polled every 1 minute.
12 hours — polled every 12 minutes.

Show Commands

Use show policy-map type inspect zone-pair session to view active connections in the ZPF state table:

Router# show policy-map type inspect zone-pair session
 Zone-pair: CNS-PAIR
  Service-policy inspect : HTTP-Policy
   Class-map: HTTP-Class (match-all)
    Match: access-group 110
    Match: protocol http
    Inspect
    Established Sessions
     Session 643BCF88 (10.0.2.12:3364)=>(172.26.26.51:80) http SIS_OPEN
      Created 00:00:10, Last heard 00:00:00
      Bytes sent (initiator:responder) [1268:64324]
     Session 643BB9C8 (10.0.2.12:3361)=>(172.26.26.51:80) http SIS_OPEN
      Created 00:00:16, Last heard 00:00:06
      Bytes sent (initiator:responder) [2734:38447]
     Session 643BD240 (10.0.2.12:3362)=>(172.26.26.51:80) http SIS_OPEN
      Created 00:00:14, Last heard 00:00:07
      Bytes sent (initiator:responder) [2219:39813]
     Session 643BBF38 (10.0.2.12:3363)=>(172.26.26.51:80) http SIS_OPEN
      Created 00:00:14, Last heard 00:00:06
      Bytes sent (initiator:responder) [2106:19895]
   Class-map: class-default (match-any)
    Match: any
    Drop (default action)
     58 packets, 2104 bytes

Unmatched traffic falls through to the class-default entry and is dropped — confirmed by the packet and byte counters shown above.

Firewalls alone cannot provide a complete security solution. Technologies such as network intrusion prevention are also required to close the remaining security gaps in a modern network.

Chapter Summary

This chapter examined Cisco IOS firewall technologies, focusing on Context-Based Access Control (CBAC) and Zone-Based Policy Firewall (ZPF).

CBAC extends traditional ACL filtering by implementing stateful, application-aware inspection at the Application Layer. It maintains a state table of active sessions and dynamically inserts temporary ACL entries to permit return traffic. CBAC handles TCP, UDP, and other IP protocols differently — tracking sequence numbers and flags for TCP, using idle timers for UDP, and handling protocols like GRE statelessly. It also supports dynamic application inspection for multi-channel protocols such as FTP. Configuration involves selecting interfaces, defining ACLs, creating inspection rules, and applying them to interfaces. CBAC provides alerting and audit trail logging, and includes DoS protection through configurable half-open session thresholds.

ZPF, introduced in Cisco IOS 12.4(6)T, offers a more structured alternative using Cisco Common Classification Policy Language (C3PL). Interfaces are assigned to security zones, and policies are applied to zone pairs rather than individual interfaces. The default interzone policy denies all traffic unless explicitly permitted — the opposite of CBAC's implicit allow model. ZPF supports three traffic actions: inspect, pass, and drop. The system-defined self zone controls traffic to and from the router itself. ZPF is configured in five steps: creating zones, defining class maps, building policy maps, applying policies to zone pairs, and assigning interfaces to zones.

Both technologies can coexist on the same router but cannot be applied to the same interface simultaneously. Troubleshooting both CBAC and ZPF relies on show and debug commands to inspect active sessions, dynamic ACL entries, and real-time firewall activity.

Firewall Technologies Quiz

Take Quiz

Chapter Introduction
Access Control Lists
Choosing and Applying Standard vs. Extended ACLs
ACL Direction, Placement, and Verification
Configuring ACLs with Cisco SDM (Legacy) and Modern Alternatives
Dynamic ACLs (Lock-and-Key Access Control)
Configure Time-Based ACLs
Verifying and Troubleshooting ACLs
Using ACLs to Mitigate Network Threats
Introduction to Firewalls and Their Role in Modern Network Security
Types of Firewalls and How They Filter Network Traffic
Understanding DMZ Architecture and Layered Firewall Defense
Understanding Context-Based Access Control (CBAC) in Cisco IOS Firewall
CBAC Operation
Configure CBAC
Troubleshooting CBAC
Zone-Based Policy
Zone-Based Policy Firewall Operation
Configuring a Zone-Based Policy Firewall with CLI
Troubleshooting Zone-Based Policy Firewall
Chapter Summary