I think it's trying to say that it will dynamically create the line you have indicated. If you think about it, you would normally create your own ACL that would allow traffic from any port to port 23. Then it's saying the CBAC will then dynamically create a rule to allow the return traffic back out to the host.
It's very similar to a stateful firewall, pretty much the same function as a PIX for example: you specify a rule to allow traffic out and the return traffic is allowed back in.
That means we do not need to create the ACL that is mentioned manually; it will be created automatically. That means he mentioned it in the slide only for explanation purposes?
That's what I believe, yes. You need to allow some form of traffic; however, the return traffic will be automatically allowed to return, since CBAC will handle this as it knows it's part of the communication.
Second, why does CBAC create that specific ACL (i.e. eq 23) only? Can't it create others (eq 80, eq 21, etc.)?
It can, if you have a rule to allow the traffic in the first place. I think it's only used as an example, and you will need to ensure that the port 23 traffic is allowed first before the return traffic will be allowed to travel back. Without this manual rule, the dynamic rules will not be created.
Third, why does the word "TCP" in the command line come in upper case (as we know, the Cisco convention is that keywords are lower case, not upper case; upper case is for naming)? Is it a typo?
I think this is an exception. I've not done much with CBAC; however, from configs I have seen, they have been in uppercase. I'm sure someone who does this in their day-to-day job can confirm.
That's correct; however, to secure things more you would generally have an access list restricting the outgoing traffic. In this case you would therefore need to create the rule to allow the Telnet traffic out in the first place. Then CBAC will automatically generate the 102 access rule to allow the return traffic while the session is active.
Doesn't seem very secure if you do not restrict the outgoing traffic, since it leaves your company open to abuse from inside the network. Remember, you are responsible for the link, so if a massive DDoS attack happened that was sourced from within your network, you would be held responsible.
That's why I generally create rules to restrict incoming traffic from the internet (that goes without saying), but I also restrict all outgoing traffic to fall in line with our security policies.
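As an added example (not from the thread or the slide being discussed), here is a constructed IOS configuration of the setup the replies describe: an outbound ACL that permits only Telnet, an inbound ACL 102 that denies everything, and an inspect rule so that CBAC adds the temporary return-traffic entries to ACL 102 for the life of each session. The interface names, addresses, ACL 101 and the inspection-rule name are assumptions chosen for illustration.

```cisco
! Constructed example: inside network 10.1.1.0/24 behind Fa0/0, internet on Serial0/0.
! Interface names, addresses and the name FW_OUT are assumptions for illustration.
!
! Inspection rule: CBAC tracks the TCP sessions it sees leaving the interface.
ip inspect name FW_OUT tcp
!
! Outbound policy: only Telnet (tcp/23) from the inside network may leave.
! This is the "manual" rule the thread refers to: with no match here the
! session is never inspected, so no return entry is ever created.
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 23
access-list 101 deny   ip any any log
!
! Inbound policy: everything arriving from the internet is denied by default.
! CBAC inserts temporary permit entries at the top of this list for the
! return half of each inspected session and removes them when it ends.
access-list 102 deny ip any any log
!
interface Serial0/0
 description Link to the internet
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 out
 ip access-group 102 in
 ip inspect FW_OUT out
!
! Verification (exec mode): while a Telnet session is active the dynamic
! return entry shows in access-list 102 and the session is listed.
!   show ip inspect sessions
!   show access-lists 102
```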