CCNP ISCW Notes

1 Apr 2008

Chapter 22: Implementing Cisco IOS Firewalls

Cisco IOS Firewall Configuration

Step 1: Choose an interface to inspect

Apply ACL and inspection rules in the inbound direction on untrusted interfaces.

Step 2: Configure an ACL

Example to allow SMTP and HTTP inbound to their respective servers:

ip access-list extended FROM_OUTSIDE
 permit tcp any host 10.0.24.89 eq 25
 permit tcp any host 10.0.22.103 eq 80
 deny ip any any log

Step 3: Define the inspection rules

Router(config)# ip inspect name <name> <protocol> [alert {on | off}]
 [audit-trail {on | off}] [timeout <seconds>]

The default timeout between alerts is 10 seconds.

Step 4: Apply the ACL and inspection rule

Enable audit trail tracking via syslog:

Router(config)# ip inspect audit-trail
Router(config)# logging on

To turn on real-time alerts (default):

Router(config)# no ip inspect alert-off

Apply the ACL and the inspect rule on the untrusted interface (both are interface-mode commands, so enter the interface first):

Router(config)# interface <interface>
Router(config-if)# ip access-group FROM_OUTSIDE in
Router(config-if)# ip inspect SMTP-AND-HTTP in

Step 5: Verify the configuration
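The five steps above pulled together into one configuration, as an added example rather than text from the original notes. The ACL and inspect-rule names and the server addresses are the ones used in the steps; the interface name (FastEthernet0/0), its address, the 1800-second idle timeout and the choice of the smtp and http inspection protocols are assumptions for the example.

```cisco
! Added worked example (not from the original notes): steps 1-5 combined.
! Interface name and address, timeout value and protocol keywords are assumed.
!
! Step 2: ACL that admits only SMTP and HTTP to their respective servers
ip access-list extended FROM_OUTSIDE
 permit tcp any host 10.0.24.89 eq 25
 permit tcp any host 10.0.22.103 eq 80
 deny ip any any log
!
! Step 3: inspection rules, one line per protocol, sharing the name
! SMTP-AND-HTTP; alerts and audit trail on, 30-minute idle timeout
ip inspect name SMTP-AND-HTTP smtp alert on audit-trail on timeout 1800
ip inspect name SMTP-AND-HTTP http alert on audit-trail on timeout 1800
!
! Step 4: global audit-trail logging and real-time alerts
ip inspect audit-trail
logging on
no ip inspect alert-off
!
! Step 1/4: apply ACL and inspect rule inbound on the untrusted interface
interface FastEthernet0/0
 description Outside (untrusted) interface - assumed name
 ip address 203.0.113.1 255.255.255.0
 ip access-group FROM_OUTSIDE in
 ip inspect SMTP-AND-HTTP in
!
! Step 5: verification commands (privileged EXEC)
! show ip inspect config             - inspection rules and their timeouts
! show ip inspect interfaces         - which rule and ACL sit on which interface
! show ip inspect sessions           - sessions currently being inspected
! show ip access-lists FROM_OUTSIDE  - per-line hit counts, including the logged denies
```

When checking the result, the session list should show only SMTP and HTTP sessions to the two servers, and the hit counter on the final deny line gives a quick view of traffic the ACL is turning away.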

© 2008 PacketLife.net