Tuesday, August 28, 2012

Cisco IOS Firewall Caveats (limitations)

  • CBAC is powerful for dynamic inspection and filtering, but it also has some limitations.
  • CBAC runs after the access list applied to an interface: if an access list blocks a particular type of traffic on an interface where CBAC inspects inbound traffic, that traffic is denied before CBAC ever sees it.
  • CBAC cannot protect against attacks that originate inside your network.
  • CBAC inspects only the protocols you specify, leaving all other traffic to access lists and other filtering methods.
  • To inspect traffic other than TCP and UDP, you must configure a named inspection rule for that protocol.
  • CBAC does not inspect traffic destined to or originated from the firewall router itself; it inspects only traffic that traverses the firewall router.
  • CBAC has restrictions on handling encrypted traffic.
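The following IOS configuration is an added, constructed example (not from the original post) that shows how these caveats play out in practice: a named inspection rule lists the protocols CBAC will track, inspection is applied inbound on the inside interface so the inbound ACL on the outside interface never drops the traffic before CBAC sees it, and router-originated traffic must be permitted explicitly because CBAC does not track it. Interface names and addresses are assumptions.

```cisco
! Constructed example; interface names and addresses are placeholders.
!
! Named inspection rule: only the protocols listed here are inspected,
! everything else is left to the access lists (caveat: protocols you specify).
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT icmp
ip inspect name INSIDE-OUT ftp
!
! Inbound ACL on the outside interface. CBAC adds dynamic entries for
! return traffic of inspected sessions ahead of this list, so it can deny
! everything unsolicited. Replies to traffic the router itself originates
! (e.g. its own pings or DNS lookups) are NOT tracked by CBAC and would be
! dropped here unless permitted explicitly, as on the echo-reply line.
ip access-list extended OUTSIDE-IN
 permit icmp any host 203.0.113.1 echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! Inspection is applied INBOUND on the inside interface, where no inbound
! ACL sits in front of it. If an inbound ACL on this interface denied a
! traffic type, CBAC would never see that traffic (caveat: ACL runs first).
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.1.1 255.255.255.0
 ip inspect INSIDE-OUT in
!
! Verification: list the sessions CBAC is currently tracking and the
! counters for the named rule. Only inside-to-outside sessions for the
! listed protocols should appear; router-originated traffic will not.
! show ip inspect sessions
! show ip inspect name INSIDE-OUT
```

Keeping the inspection rule on the inside interface and the restrictive ACL on the outside interface is the usual arrangement; reversing them reproduces the ACL-before-CBAC caveat described above.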
