Limitations of CBAC
Before implementing CBAC, it is important to weigh the limitations of CBAC against the business and engineering requirements of the organization. Administrators should also understand the features that are not supported by CBAC:
Protocol support: CBAC inspects only TCP and UDP packets (and the application-layer inspectors built on them, such as FTP and SMTP). No other protocol is inspected.
ICMP support: Because ICMP is not inspected, CBAC never opens temporary return openings for it. Unless the inbound access list on the outside interface permits them explicitly, all ICMP packets (including echo replies and the unreachable and time-exceeded messages that ping, traceroute and path MTU discovery depend on) are discarded.
Redundancy: CBAC does not provide stateful redundancy; session state lives only on the router that inspected the session. If that router fails or traffic is rerouted around it, all CBAC session information is lost and established sessions are dropped.
Asymmetry: Sessions whose return traffic takes a different path from the outbound traffic are dropped by the CBAC inspection rule, because the router on the return path holds no state for them. Asymmetric traffic patterns are not supported by the IOS firewall.
FTP: CBAC opens FTP data channels only when the destination port is in the range 1,024 to 65,535. CBAC also does not permit third-party FTP connections, in which the data channel is established with a host other than the one that opened the control connection.
SMTP: The EXPN and VRFY commands are permitted on SMTP connections inspected by CBAC, even though many administrators consider them dangerous because they can be used to enumerate valid mailboxes. CBAC offers no setting to deny individual SMTP commands; if EXPN and VRFY are to be blocked, that must be done on the mail server itself.
IPSec support: IPSec packets are not inspected by CBAC, because CBAC inspects only TCP and UDP. IPSec can still be used on a router running CBAC by applying the CBAC inspection rule to an interface other than the one that encrypts and decrypts the IPSec traffic, so that CBAC sees the cleartext sessions rather than the ESP packets.
Unsupported features: CBAC does not support Websense, reflexive access lists, or TCP Intercept.
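The following configuration is an added example, not taken from the original text or from Cisco documentation, showing how the ICMP and IPSec limitations above are handled in practice on a two-interface router. The interface names, addresses (RFC 5737 documentation ranges), peer, pre-shared key and access-list names are all assumptions made for the example.

```cisco
! Hypothetical router: FastEthernet0/0 faces the inside LAN (10.1.1.0/24),
! Serial0/0 faces the Internet and terminates a site-to-site IPSec tunnel
! to the remote LAN 10.2.2.0/24 behind peer 198.51.100.1.
!
! CBAC inspection rule. Only TCP/UDP (and the application inspectors built on
! them) are tracked, so nothing in this rule ever covers ICMP or ESP.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW smtp
!
! Inbound ACL on the outside interface. CBAC adds temporary entries in front
! of this ACL for returning TCP/UDP sessions only. Everything CBAC cannot
! inspect must be permitted statically here or it is discarded.
ip access-list extended OUTSIDE_IN
 ! ICMP replies needed by ping, traceroute and path MTU discovery from inside.
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 ! IPSec control and data traffic from the tunnel peer (not inspected by CBAC).
 permit udp host 198.51.100.1 host 203.0.113.2 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.2
 ! Decrypted tunnel traffic, for IOS releases that check the cleartext packet
 ! against the inbound ACL after decryption.
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny   ip any any log
!
! Minimal IPSec tunnel so the crypto map applied below actually exists
! (assumed parameters; the pre-shared key is a placeholder).
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-ME address 198.51.100.1
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
ip access-list extended VPN_TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set AES256-SHA
 match address VPN_TRAFFIC
!
! Outside interface: ACL and crypto map only. No "ip inspect" here, because
! CBAC cannot inspect the encrypted packets this interface handles.
interface Serial0/0
 description Outside / Internet
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE_IN in
 crypto map VPN
!
! Inside interface: inspect sessions as they enter from the LAN, in cleartext,
! on an interface other than the one doing IPSec encryption/decryption.
interface FastEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip inspect FW in
```

After applying this, `show ip inspect sessions` lists only TCP and UDP sessions; a ping from an inside host works solely because of the static `echo-reply` entry, and the tunnel comes up solely because of the static `isakmp` and `esp` entries. Removing either static entry and watching the corresponding traffic fail is a quick way to confirm that CBAC is not tracking those protocols.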