Example Three Interface Firewall

Outbound

• Allow all general TCP and UDP traffic

• Allow all ICMP traffic

• Deny everything else


DMZ-Bound

• Allow all ICMP and HTTP traffic only to 172.16.0.2

• Deny everything else

©2000, Cisco Systems, Inc.

CSPFA 1.01-8-38


As an example, configure the router to be a firewall between three networks: inside, outside, and DMZ. The security policy to implement is as follows: allow all general TCP and UDP traffic initiated on the inside (outbound) from network 10.0.0.0 to access the Internet and the DMZ host 172.16.0.2. ICMP traffic will also be allowed from the same network to the Internet and the DMZ host. Other networks on the inside, which are not defined, must be denied. For traffic initiated on the outside (inbound), allow everyone to access only ICMP and HTTP on the DMZ host 172.16.0.2. Any other traffic must be denied.

Outbound Traffic

[Figure: router with interfaces e0/0 (Inside), e0/1 (Outside) and e1/0 (DMZ)]

Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp

• Configure CBAC to inspect TCP and UDP traffic

Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any

• Permit inside-initiated traffic from 10.0.0.0 network

Router(config-if)' ip inspect OUTBOUND in

Router(config-if)# ip access-group 101 in

• Apply an ACL and inspection rule to the inside interface in an inward direction


To implement the security policy of the previous example, do the following for outbound traffic:

Step 1 Write a rule to inspect TCP and UDP traffic:

Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp

Step 2 Write an ACL that permits IP traffic from the 10.0.0.0 network to any destination:

Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any

Step 3 Apply the inspection rule and ACL to the inside interface in the inward direction:

Router(config)# interface e0/0

Router(config-if)# ip inspect OUTBOUND in

Router(config-if)# ip access-group 101 in

Inbound Traffic

[Figure: router with interfaces e0/0 (Inside), e0/1 (Outside) and e1/0 (DMZ)]

Router(config)# ip inspect name INBOUND tcp

• Configure CBAC to inspect TCP traffic

Router(config)# access-list 102 permit icmp any host 172.16.0.2
Router(config)# access-list 102 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 102 deny ip any any

• Permit outside-initiated ICMP and HTTP traffic to host 172.16.0.2

Router(config-if)# ip inspect INBOUND in

Router(config-if)# ip access-group 102 in

• Apply an ACL and inspection rule to the outside interface in an inward direction


To implement the security policy of the previous example, do the following for inbound traffic:

Step 1 Write a rule to inspect TCP traffic:

Router(config)# ip inspect name INBOUND tcp

Step 2 Write an ACL that permits ICMP and HTTP-only traffic from the Internet to the 172.16.0.2 host:

Router(config)# access-list 102 permit icmp any host 172.16.0.2
Router(config)# access-list 102 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 102 deny ip any any

Step 3 Apply the inspection rule and ACL to the outside interface in the inward direction:

Router(config)# interface e0/1

Router(config-if)# ip inspect INBOUND in

Router(config-if)# ip access-group 102 in

DMZ-Bound Traffic

[Figure: router with interfaces e0/0 (Inside), e0/1 (Outside) and e1/0 (DMZ)]

Router(config)# access-list 103 permit icmp host 172.16.0.2 any
Router(config)# access-list 103 deny ip any any

• Permit only ICMP traffic initiated in the DMZ

Router(config)# access-list 104 permit icmp any host 172.16.0.2
Router(config)# access-list 104 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 104 deny ip any any

• Permit only outward ICMP and HTTP traffic to host 172.16.0.2

Router(config-if)# ip access-group 103 in

Router(config-if)# ip access-group 104 out

• Apply the proper access lists and an inspection rule to the interface


To implement the security policy of the previous example, do the following for DMZ-bound traffic:

Step 1 Write an ACL to permit only ICMP traffic to initiate from the DMZ host:

Router(config)# access-list 103 permit icmp host 172.16.0.2 any
Router(config)# access-list 103 deny ip any any

Step 2 Write an ACL that permits ICMP and HTTP-only traffic from any network to the 172.16.0.2 host:

Router(config)# access-list 104 permit icmp any host 172.16.0.2
Router(config)# access-list 104 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 104 deny ip any any

Step 3 Apply the ACLs to the DMZ interface:

Router(config)# interface e1/0

Router(config-if)# ip access-group 103 in

Router(config-if)# ip access-group 104 out
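The whole three-interface policy can be traced offline with a small stateful model. This is an added example, not part of the Cisco course material: it encodes ACLs 101 to 104 and the OUTBOUND/INBOUND inspection rules exactly as configured above, while the Packet type, acl_permits, the CbacRouter class and the 198.51.100.7 Internet address are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 = not applicable (ICMP)
    dport: int = 0

def acl_permits(rules, pkt):
    """Walk (action, proto, src_net, dst_net, dport) entries top-down; the first
    match decides, and an unmatched packet hits the implicit deny at the end."""
    for action, proto, src, dst, dport in rules:
        if proto in ("ip", pkt.proto) \
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src) \
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst) \
                and dport in (0, pkt.dport):
            return action == "permit"
    return False

# ACLs 101-104 from the slides (wildcard masks written as CIDR, www = port 80).
ACLS = {
    101: [("permit", "ip", "10.0.0.0/24", "0.0.0.0/0", 0)],
    102: [("permit", "icmp", "0.0.0.0/0", "172.16.0.2/32", 0),
          ("permit", "tcp", "0.0.0.0/0", "172.16.0.2/32", 80)],
    103: [("permit", "icmp", "172.16.0.2/32", "0.0.0.0/0", 0)],
    104: [("permit", "icmp", "0.0.0.0/0", "172.16.0.2/32", 0),
          ("permit", "tcp", "0.0.0.0/0", "172.16.0.2/32", 80)],
}
IN_ACL = {"e0/0": 101, "e0/1": 102, "e1/0": 103}     # ip access-group N in
OUT_ACL = {"e1/0": 104}                              # ip access-group 104 out
INSPECT = {"e0/0": {"tcp", "udp"}, "e0/1": {"tcp"}}  # OUTBOUND and INBOUND rules

class CbacRouter:
    """Assumed model of the slides' router: static ACLs plus CBAC session openings."""
    def __init__(self):
        self.sessions = set()   # (proto, src, dst, sport, dport) tracked by CBAC

    def forward(self, in_if, out_if, pkt):
        # Return traffic of an inspected session uses CBAC's temporary opening, not the ACLs.
        if (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.sessions:
            return True
        if not acl_permits(ACLS[IN_ACL[in_if]], pkt):
            return False
        if out_if in OUT_ACL and not acl_permits(ACLS[OUT_ACL[out_if]], pkt):
            return False
        if pkt.proto in INSPECT.get(in_if, ()):   # initiator is inspected
            self.sessions.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return True
```

One case worth tracing with this model: because only TCP and UDP are inspected, an echo reply from the Internet to an inside host has no CBAC session and is evaluated against ACL 102, which permits ICMP only to 172.16.0.2.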

Test

The syntax for the show ip inspect command is as follows:

show ip inspect name inspection-name | config | interfaces | session [detail] | all

Argument           Description

inspection-name    Shows the configured inspection rule for inspection-name.

config             Shows the complete CBAC inspection configuration.

interfaces         Shows interface configuration with respect to applied inspection rules and access lists.

session [detail]   Shows existing sessions that are currently being tracked and inspected by CBAC. The optional detail keyword shows additional details about these sessions.

all                Shows the complete CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC.
