CCNP ISCW Notes

1 Apr 2008

Chapter 22: Implementing Cisco IOS Firewalls

Cisco IOS Firewall Configuration

Step 1: Choose an interface to inspect

For the server-access example in these notes, both the ACL and the inspection rule are applied in the inbound direction on the untrusted (outside) interface: the ACL admits only the packets that open a permitted session, and inspection tracks those sessions so that their return traffic is allowed through. More generally, the inspection rule goes on the interface and direction in which session-initiating traffic enters the router, and the blocking ACL goes inbound on the untrusted interface.

Step 2: Configure an ACL

Example that allows only SMTP to the mail server and HTTP to the web server, and logs everything else. Because CBAC inserts its dynamic return-traffic entries ahead of the static lines, the closing deny does not break inspected sessions:

ip access-list extended FROM_OUTSIDE
 permit tcp any host 10.0.24.89 eq 25
 permit tcp any host 10.0.22.103 eq 80
 deny ip any any log

Step 3: Define the inspection rules

Router(config)# ip inspect name <name> <protocol> [alert {on | off}]
 [audit-trail {on | off}] [timeout <seconds>]

Repeat the command once per protocol, keeping the same <name>; the interface command in Step 4 refers to that name (the example there uses SMTP-AND-HTTP, so it needs one entry for smtp and one for http). The per-rule timeout overrides the global idle timeout for that protocol's sessions (ip inspect tcp idle-time, ip inspect udp idle-time).

The default timeout between alerts is 10 seconds.

Step 4: Apply the ACL and inspection rule

Enable audit trail tracking via syslog:

Router(config)# ip inspect audit-trail
Router(config)# logging on

Real-time alerts are on by default (ip inspect alert-off disables them); to re-enable them:

Router(config)# no ip inspect alert-off

Apply the ACL and inspection rule in interface configuration mode on the outside interface, not in global configuration mode:

Router(config-if)# ip access-group FROM_OUTSIDE in
Router(config-if)# ip inspect SMTP-AND-HTTP in

Step 5: Verify the configuration

  • show ip inspect [name <name> | config | interfaces | session [detail] | statistics | all]
  • debug ip inspect ...

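The five steps above combined into one running-config excerpt, as an added worked example that is not part of the original notes. It keeps the ACL, server addresses and rule name from the notes and assumes FastEthernet0/0 as the outside interface and FastEthernet0/1 as the inside interface (addresses and interface names are made up for the example). It also goes one step beyond the notes with an assumed second rule, INSIDE, applied inbound on the inside interface so that sessions opened by inside hosts are inspected and their return traffic is let back in through FROM_OUTSIDE, which is the usual way CBAC protects a LAN behind the same outside ACL.

```cisco
! Added example configuration (not from the original notes).
! Assumed: Fa0/0 = outside (untrusted), Fa0/1 = inside; interface addresses
! and the INSIDE rule are assumptions, the ACL and SMTP-AND-HTTP come from the notes.
!
! Step 2: static ACL on the untrusted side. CBAC adds dynamic permit entries
! for inspected sessions ahead of these lines, so the final deny only catches
! unsolicited traffic.
ip access-list extended FROM_OUTSIDE
 permit tcp any host 10.0.24.89 eq 25
 permit tcp any host 10.0.22.103 eq 80
 deny ip any any log
!
! Step 3: inspection rules, one line per protocol under the same name.
! SMTP-AND-HTTP matches the sessions FROM_OUTSIDE admits to the servers.
ip inspect name SMTP-AND-HTTP smtp audit-trail on
ip inspect name SMTP-AND-HTTP http audit-trail on
! INSIDE (assumed) tracks sessions that inside hosts open toward the outside;
! the timeout keyword overrides the global idle timeout for that protocol.
ip inspect name INSIDE tcp timeout 3600
ip inspect name INSIDE udp timeout 30
ip inspect name INSIDE icmp
!
! Global audit trail and alerting (alerts are on by default).
ip inspect audit-trail
logging on
logging buffered 16384
no ip inspect alert-off
!
! Step 4: apply in interface configuration mode. The ACL and the server
! inspection rule both go inbound on the untrusted interface.
interface FastEthernet0/0
 description OUTSIDE (assumed)
 ip address 203.0.113.1 255.255.255.0
 ip access-group FROM_OUTSIDE in
 ip inspect SMTP-AND-HTTP in
!
! Inbound on the inside interface catches sessions as inside hosts open them;
! their replies then arrive on Fa0/0 and match the dynamic entries CBAC adds
! to FROM_OUTSIDE.
interface FastEthernet0/1
 description INSIDE (assumed)
 ip address 10.0.0.1 255.255.0.0
 ip inspect INSIDE in
!
! Step 5: verify from privileged EXEC mode.
! show ip inspect config          - rules and global timeouts as parsed by IOS
! show ip inspect interfaces      - which rule/ACL sits on which interface and direction
! show ip inspect session detail  - live sessions and the dynamic ACL entries CBAC opened
! show access-lists FROM_OUTSIDE  - hit counts on the static entries, including the logged deny
```

A quick check after applying it: open an HTTP session from an inside host, then run show ip inspect session detail and confirm the session appears with a dynamic entry for its return traffic; a connection attempt from outside to a port other than 25 or 80 on the servers should show up only as a deny hit in the syslog from the ACL's log keyword.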
Gerard Metoho-Eke commented on 11 Sep 2008 at 7:24 a.m.

One of the best summaries I have seen. It makes life easier and is time well spent. Good job. Gerard

sam commented on 15 Sep 2008 at 3:18 a.m.

nice work
