Foundation Summary

The "Foundation Summary" is a condensed collection of material for a convenient review of this chapter's key concepts. If you are already comfortable with the topics in this chapter and decided to skip most of the "Foundation Topics" material, the "Foundation Summary" will help you recall a few details. If you just read the "Foundation Topics" section, this review should help further solidify some key facts. If you are doing your final preparation before the exam, the "Foundation Summary" offers a convenient way to do a quick final review.

Table 7-12 Perimeter or Firewall Router Functions

To Protect


Sniffer or snooping capabilities

Control eavesdropping with TCP/IP service and network layer encryption (IPSec).

Control unauthorized access

Use AAA and Cisco Secure. Also, access-list filtering and PIX Firewall.

Controlling session replay

Control what TCP/IP sessions are authorized. Block SNMP, IP source routing, and finger services to outside hosts.

Controlling inbound connections

Filter the internal address as the source from the outside world.

Filter all private addresses.

Filter Bootp, TFTP, and trace route commands.

Allow TCP connections established from the inside network.

Permit inbound traffic to DMZs only.

Controlling outbound connections

Allow only valid IP addresses to the outside world; filter remaining illegal addresses.

Packet filtering

Use predefined access lists that control the transmission of packets from any given interface, control VTY access, and ensure routing updates are authenticated.

Table 7-13 NAT Configuration Steps




Determine the network addresses to be translated.


Configure the inside network with the IOS ip nat inside command.


Configure the outside network with the IOS ip nat outside command.


Define a pool of addresses to be translated with the following IOS command: ip nat pool pool-name start ip address end ip address mask


Define the addresses allowed to access the Internet with the following IOS command: ip nat inside source list access list number pool pool name

Table 7-14 Cisco PIX Model Numbers PIX 501 PIX 506/506E PIX 515/515E

PIX 520 (in current CCIE lab) PIX 525 PIX 535

Table 7-15 PIX Configuration Steps




Name the inside/outside interfaces and security levels.


Identify the hardware interfaces and speed/duplex.


Define the IP address for inside and outside interfaces.


Define NAT/PAT.


Define the global pool.


Define the IP route path.


Define static/conduits or static/access lists (for outside networks to access inside hosts or networks).

Table 7-16 PIX Command Options




Configures the PIX Firewall to interoperate with a Certification Authority (CA).

clear xlate

Clears the contents of the translation slots.

show xlate

Displays NAT translations. The show xlate command displays the contents of only the translation slots.

crypto dynamic-map

Create, view, or delete a dynamic crypto map entry with this command.

failover [active]

Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall.

fixup protocol

The fixup protocol commands let you view, change, enable, or disable the use of a service or protocol through the PIX Firewall.


Terminate a Telnet session. Telnet sessions to the PIX must be enabled and are sent as clear text.

telnet ip_address [netmask] [if_name]

Specify the internal host for PIX Firewall console access through Telnet.

Table 7-17 Cisco IOS Feature Set




Provides internal users secure, per-application-based access control for all traffic across perimeters, such as between private enterprise networks and the Internet. CBAC supports the following:






Java Blocking Oracle SQL RealAudio H.323

Java blocking

Java blocking protects against unidentified, malicious Java applets.

Denial-of-service detection and prevention

Defends and protects router resources against common attacks, checking packet headers and dropping suspicious packets.

Audit trail

Details transactions, recording time stamp, source host, destination host, ports, duration, and total number of bytes transmitted.

Real-time alerts

Log alerts in case of denial-of-service attacks or other preconfigured conditions (intrusion detection).


An Internet firewall or part of an Internet firewall.

Was this article helpful?

0 0

Post a comment