Configuring a Simple Firewall - Cisco


CHAPTER 8

BETA DRAFT - Cisco CONFIDENTIAL
Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide, OL-6426-02

Configuring a Simple Firewall

The Cisco 1800 integrated services routers support network traffic filtering by means of access lists. The router also supports packet inspection and dynamic temporary access lists by means of Context-Based Access Control (CBAC).

Basic traffic filtering is limited to configured access list implementations that examine packets at the network layer or, at most, the transport layer, permitting or denying the passage of each packet through the firewall. However, the use of inspection rules in CBAC allows the creation and use of dynamic temporary access lists. These dynamic lists allow temporary openings in the configured access lists at firewall interfaces. These openings are created when traffic for a specified user session exits the internal network through the firewall. The openings allow returning traffic for the specified session (that would normally be blocked) back through the firewall.

See the Cisco IOS Security Configuration Guide, Release , for more detailed information on traffic filtering and firewalls.

Figure 8-1 shows a network deployment using PPPoE or PPPoA with NAT and a firewall.

Figure 8-1 Router with Firewall Configured

  1 Networked devices: desktops, laptop PCs, switches
  2 Fast Ethernet LAN interface (the inside interface for NAT)
  3 PPPoE or PPPoA client and firewall implementation: Cisco 1811/1812 or Cisco 1801/1802/1803 series integrated services router, respectively
  4 Point at which NAT occurs
  5 Protected network
  6 Unprotected network
  7 Fast Ethernet or ATM WAN interface (the outside interface for NAT)

In the configuration example that follows, the firewall is applied to the outside WAN interface (FE0) on the Cisco 1811 or Cisco 1812 and protects the Fast Ethernet LAN on FE2 by filtering and inspecting all traffic entering the router on the Fast Ethernet WAN interface FE1. Note that in this example, the network traffic originating from the corporate network, network address , is considered safe traffic and is not filtered.

Configuration Tasks

Perform the following tasks to configure this network scenario:

  Configure Access Lists
  Configure Inspection Rules
  Apply Access Lists and Inspection Rules to Interfaces

An example showing the results of these configuration tasks is shown in the section Configuration Example.

Note: The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT. If you have not performed these configuration tasks, see Chapter 1, Basic Router Configuration, Chapter 3, Configuring PPP over Ethernet with NAT, and Chapter 4, Configuring PPP over ATM with NAT, as appropriate for your router. You may have also configured DHCP, VLANs, and secure

Configure Access Lists

Perform these steps to create access lists for use by the firewall, beginning in global configuration mode.

Step 1  Command: access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination
        Example:
          Router(config)# access-list 103 permit host eq isakmp any
          Router(config)#
        Purpose: Creates an access list which prevents Internet-initiated traffic from reaching the local (inside) network of the router, and which compares source and destination ports. See the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services for details about this command.

Step 2  Command: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
        Example:
          Router(config)# access-list 105 permit ip
          Router(config)#
        Purpose: Creates an access list that allows network traffic to pass freely between the corporate network and the local networks through the configured VPN.

Configure Inspection Rules

Perform these steps to configure firewall inspection rules for all TCP and UDP traffic, as well as specific application protocols as defined by the security policy, beginning in global configuration mode:

Step 1  Command or Action: ip inspect name inspection-name protocol
        Example:
          Router(config)# ip inspect name Firewall tcp
          Router(config)#
        Purpose: Defines an inspection rule for a particular protocol.

Step 2  Command or Action: ip inspect name inspection-name protocol
        Example:
          Router(config)# ip inspect name Firewall rtsp
          Router(config)# ip inspect name Firewall h323
          Router(config)# ip inspect name Firewall netshow
          Router(config)# ip inspect name Firewall ftp
          Router(config)# ip inspect name Firewall sqlnet
          Router(config)#
        Purpose: Repeat this command for each inspection rule that you wish to use.

Apply Access Lists and Inspection Rules to Interfaces

Perform these steps to apply the ACLs and inspection rules to the network interfaces, beginning in global configuration mode:

Step 1  Command: interface type number
        Example:
          Router(config)# interface vlan 1
          Router(config-if)#
        Purpose: Enters interface configuration mode for the inside network interface on your router.

Step 2  Command: ip inspect inspection-name {in | out}
        Example:
          Router(config-if)# ip inspect Firewall in
          Router(config-if)#
        Purpose: Assigns the set of Firewall inspection rules to the inside interface on the router.

Step 3  Command: exit
        Example:
          Router(config-if)# exit
          Router(config)#
        Purpose: Returns to global configuration mode.

Step 4  Command: interface type number
        Example:
          Router(config)# interface fastethernet 0
          Router(config-if)#
        Purpose: Enters interface configuration mode for the outside network interface on your router.

Step 5  Command: ip access-group {access-list-number | access-list-name} {in | out}
        Example:
          Router(config-if)# ip access-group 103 in
          Router(config-if)#
        Purpose: Assigns the defined ACLs to the outside interface on the router.

Step 6  Command: exit
        Example:
          Router(config-if)# exit
          Router(config)#
        Purpose: Returns to global configuration mode.

Configuration Example

A telecommuter is granted secure access to a corporate network, using IPSec tunneling. Security to the home network is accomplished through firewall inspection. The protocols that are allowed are all TCP, UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore, no traffic is allowed that is initiated from outside. IPSec tunneling secures the connection from the Home LAN to the corporate network. In the Internet Firewall Policy, HTTP need not be specified because Java blocking is not necessary. Specifying TCP inspection allows for single-channel protocols such as Telnet and HTTP. UDP is specified for

The following configuration example shows a portion of the configuration file for the Simple Firewall scenario described in the preceding sections.

  ! Firewall inspection is setup for all tcp and udp traffic as well as specific application protocols as defined by the security policy
  ip inspect name Firewall tcp
  ip inspect name Firewall udp
  ip inspect name Firewall rtsp
  ip inspect name Firewall h323
  ip inspect name Firewall netshow
  ip inspect name Firewall ftp
  ip inspect name Firewall sqlnet
  !
  interface vlan 1
  ! This is the internal home network
  ip inspect Firewall in ! inspection examines outbound traffic
  no cdp enable
  !
  interface fastethernet 0
  ! FE0 is the outside or internet exposed interface
  ip access-group 103 in ! acl 103 permits ipsec traffic from the corp. router as well as denies internet initiated traffic
  ip nat outside
  no cdp enable
  !
  ! acl 103 defines traffic allowed from the peer for the ipsec tunnel
  access-list 103 permit udp host any eq isakmp
  access-list 103 permit udp host eq isakmp any
  access-list 103 permit esp host any
  access-list 103 permit icmp any any ! Allow icmp for debugging but should be disabled due to security concerns
  access-list 103 deny ip any any ! prevents internet initiated traffic
  no cdp run
  !
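As an added illustration that is not part of the Cisco guide, this Python model replays the chapter's policy: acl 103 is a static first-match filter inbound on FE0, while the "ip inspect Firewall in" rule on vlan 1 opens a temporary return path only for sessions that actually left the LAN. All addresses are constructed RFC 5737 documentation values, and CORP_PEER is an assumed placeholder for the corporate peer address the page does not give.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values (RFC 5737 documentation addresses); the guide's peer address
# is missing from the transcription, so CORP_PEER is an assumed placeholder.
CORP_PEER = "203.0.113.1"
ISAKMP = 500

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "esp" or "icmp"
    src: str
    sport: Optional[int]  # None for protocols without ports
    dst: str
    dport: Optional[int]

def acl_103(p: Packet) -> bool:
    """Static ACL applied inbound on FE0, first match wins as in IOS:
    ISAKMP and ESP from the corporate peer, ICMP, then deny ip any any."""
    if p.proto == "udp" and p.src == CORP_PEER and p.dport == ISAKMP:
        return True
    if p.proto == "udp" and p.src == CORP_PEER and p.sport == ISAKMP:
        return True
    if p.proto == "esp" and p.src == CORP_PEER:
        return True
    if p.proto == "icmp":   # kept as in the guide, which advises disabling it
        return True
    return False            # access-list 103 deny ip any any

class Cbac:
    """Model of 'ip inspect Firewall in' on vlan 1: a session of an inspected
    protocol leaving the LAN records a temporary opening for its return traffic."""
    def __init__(self, inspected=("tcp", "udp")):
        self.inspected = inspected
        self.sessions = set()   # (proto, src, sport, dst, dport) seen outbound
    def outbound_from_lan(self, p: Packet) -> None:
        if p.proto in self.inspected:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
    def inbound_on_fe0(self, p: Packet) -> bool:
        # the dynamic opening (reversed tuple) is consulted before the static ACL
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions or acl_103(p)

def demo() -> dict:
    """Constructed traffic: one HTTP session leaves the LAN, then packets arrive on FE0."""
    fw = Cbac()
    fw.outbound_from_lan(Packet("tcp", "192.168.1.10", 40000, "198.51.100.20", 80))
    return {"http_reply": fw.inbound_on_fe0(Packet("tcp", "198.51.100.20", 80, "192.168.1.10", 40000)),
            "unsolicited_ssh": fw.inbound_on_fe0(Packet("tcp", "198.51.100.20", 4444, "192.168.1.10", 22)),
            "isakmp_from_peer": fw.inbound_on_fe0(Packet("udp", CORP_PEER, ISAKMP, "192.0.2.2", ISAKMP)),
            "isakmp_from_stranger": fw.inbound_on_fe0(Packet("udp", "198.51.100.9", ISAKMP, "192.0.2.2", ISAKMP))}
```

The reply to the LAN-initiated HTTP session passes only because of the CBAC opening; the same reply with no prior outbound session, like any other Internet-initiated packet, falls through to the deny at the end of acl 103.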
