Example Two Interface Firewall

Outbound

• Allow all general TCP and UDP traffic
• Allow all ICMP traffic

• Deny everything else


Inbound

• Allow all ICMP and HTTP traffic only to 10.0.0.3

• Deny everything else

©2000, Cisco Systems, Inc.


CSPFA 1.01-8-35

As an example, configure the router to be a firewall between two networks: inside and outside. The security policy to implement is as follows: allow all general TCP and UDP traffic initiated on the inside (outbound) from network 10.0.0.0 to access the Internet. ICMP traffic will also be allowed from the same network. Other networks on the inside, which are not defined, must be denied. For traffic initiated on the outside (inbound), allow everyone to only access ICMP and HTTP to host 10.0.0.3. Any other traffic must be denied.

Outbound Traffic

[Diagram: Inside network on router interface e0/0, Outside network on router interface e0/1]

Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp

• Configure CBAC to inspect TCP and UDP traffic

Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any

• Permit inside-initiated traffic from the 10.0.0.0 network

Router(config-if)# ip inspect OUTBOUND in
Router(config-if)# ip access-group 101 in

• Apply an ACL and inspection rule to the inside interface in an inward direction

CSPFA 1.01-8-36

To implement the security policy of the previous example, do the following for outbound traffic:

Step 1 Write a rule to inspect TCP and UDP traffic:

Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp

Step 2 Write an ACL that permits IP traffic from the 10.0.0.0 network to any destination:

Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any

Step 3 Apply the inspection rule and ACL to the inside interface on the inward direction:

Router(config)# interface e0/0

Router(config-if)# ip inspect OUTBOUND in

Router(config-if)# ip access-group 101 in
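The following Python model is an added example, not part of the Cisco course material; it shows how ACL 101, the OUTBOUND inspection rule and an inbound ACL on e0/1 combine to decide each packet. The inbound ACL (ICMP and HTTP permitted only to host 10.0.0.3) is assumed from the stated policy, since the slide shows only the outbound configuration, and all addresses and ports are constructed.

```python
# Added example (not from the Cisco course): a small model of the two-interface
# router. Outbound packets hit ACL 101 and, for TCP/UDP, open a CBAC session so
# the return traffic is admitted on e0/1 even though the static inbound ACL
# would deny it. The inbound ACL is assumed from the policy text.
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.0.0.0/24")   # access-list 101 permit ip 10.0.0.0 0.0.0.255 any
INSPECTED = {"tcp", "udp"}               # ip inspect name OUTBOUND tcp / udp
WEB_HOST = ip_address("10.0.0.3")        # assumed target of the inbound ACL
SESSIONS = set()                         # CBAC state table: (proto, src, sport, dst, dport)


def outbound_acl_101(src):
    """ACL 101 applied inward on e0/0: permit ip 10.0.0.0/24 any, deny ip any any."""
    return ip_address(src) in INSIDE_NET


def inbound_acl(proto, dst, dport):
    """Assumed ACL on e0/1: permit icmp/HTTP to host 10.0.0.3 only, deny everything else."""
    dst = ip_address(dst)
    return dst == WEB_HOST and (proto == "icmp" or (proto == "tcp" and dport == 80))


def outbound(proto, src, sport, dst, dport):
    """Packet entering e0/0 from the inside: ACL 101 first, then CBAC inspection."""
    if not outbound_acl_101(src):
        return "deny"
    if proto in INSPECTED:
        # Inspection records the flow so its reply can come back through e0/1.
        SESSIONS.add((proto, src, sport, dst, dport))
    return "permit"


def inbound(proto, src, sport, dst, dport):
    """Packet entering e0/1 from the outside: inspected return traffic, else the static ACL."""
    if (proto, dst, dport, src, sport) in SESSIONS:   # reply to an inspected session
        return "permit (inspected session)"
    return "permit" if inbound_acl(proto, dst, dport) else "deny"
```

Because only TCP and UDP are inspected, the model shows that ICMP echo replies to inside hosts other than 10.0.0.3 are dropped by the inbound ACL unless it is extended to permit them.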

