Cisco IOS Firewall Configuration on R5 (6 Points)

Translate the following policy into a working CBAC configuration on R5 (assuming this router's FastEth0/1 is connected to another ISP):

■ Allow all TCP and UDP traffic initiated on the inside from network 144.254.5.0 to access the Internet. ICMP traffic will also be allowed from the same network. Other networks (inside) must be denied. For traffic initiated on the outside, allow everyone to access only HTTP to host 144.254.5.3.

■ All other traffic must be denied.

Cisco IOS Firewall Configuration on R5 Solution

CBAC intelligently filters TCP and UDP packets based on application layer protocol session information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC can be used for intranet, extranet, and Internet perimeters of your network.

To configure CBAC, perform the following tasks:

■ Pick an interface: internal or external (required).

■ Configure IP access lists at the interface (required).

■ Configure global timeouts and thresholds (required).

■ Define an inspection rule (required).

■ Apply the inspection rule to an interface (required).

■ Configure logging and audit trail (required).

■ Follow other guidelines for configuring a firewall (required).

Example 8-85 configures R5 for CBAC outbound connections.

Example 8-85 R5 Outbound Connections

R5(config)#ip inspect name OUTBOUND tcp
R5(config)#ip inspect name OUTBOUND udp

R5(config)#access-list 101 permit ip 144.254.5.0 0.0.0.31 any
R5(config)#interface FastEthernet0/0
R5(config-if)#ip inspect OUTBOUND in
R5(config-if)#ip access-group 101 in

Example 8-86 configures R5 for inbound connections.

Example 8-86 Inbound Connections from the Internet

R5(config)#access-list 102 permit icmp any host 144.254.5.3
R5(config)#access-list 102 permit tcp any host 144.254.5.3 eq www
R5(config)#interface FastEthernet0/1
R5(config-if)#ip access-group 102 in
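As an added check (example code written for this page, not Cisco's or the original author's), the following Python evaluator parses the two ACLs from Examples 8-85 and 8-86 with Cisco wildcard semantics and confirms, packet by packet, what the static filters permit and deny: the /27 boundary of the 0.0.0.31 mask, the implicit deny for other inside networks, and HTTP-only access to 144.254.5.3 from the outside. It also rejects a malformed mask such as 0.0.0.0.31. The dynamic entries CBAC opens for return traffic are not modelled, and any outside addresses used with it (198.51.100.1, 203.0.113.7) are constructed documentation addresses.

```python
import ipaddress
# Constructed for this page: evaluates the static ACLs of Examples 8-85 and 8-86
# (any, host, wildcard, eq www); CBAC's dynamic return-traffic entries are not modelled.
WELL_KNOWN_PORTS = {"www": 80}

def _addr_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], 0), tokens[2:]
    return (tokens[0], int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    src, rest = _addr_spec(t[4:])
    dst, rest = _addr_spec(rest)
    dport = (WELL_KNOWN_PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def ace_is_valid(line):
    """True when the line parses; a mask typo such as 0.0.0.0.31 fails here."""
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False

def _matches(addr, spec):
    """Cisco wildcard semantics: a set bit in the mask means 'don't care'."""
    base, wildcard = spec
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a | wildcard) == (b | wildcard)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if (ace["proto"] in ("ip", proto) and _matches(src, ace["src"])
                and _matches(dst, ace["dst"])
                and (ace["dport"] is None or ace["dport"] == dport)):
            return ace["action"]
    return "deny"

# The two ACLs from the solution, with the wildcard mask written correctly.
ACL_101 = [parse_ace("access-list 101 permit ip 144.254.5.0 0.0.0.31 any")]
ACL_102 = [parse_ace("access-list 102 permit icmp any host 144.254.5.3"),
           parse_ace("access-list 102 permit tcp any host 144.254.5.3 eq www")]
```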

Monitoring and Maintaining CBAC

To assist CBAC debugging, you can turn on audit trail messages that will be displayed on the console after each CBAC session closes. The IOS command ip inspect audit-trail turns on CBAC audit trail messages.

Many other debug commands are available, including the following:

■ Generic debug commands

■ Transport-level debug commands

■ Application protocol debug commands

For more details on CBAC, visit:

www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm#xtocid21
