Chapter 9 Configuring Security Features
Configuring Cisco IOS Firewall
To create, refine, and manage access lists, see Security Configuration Guide: Access Control Lists, Cisco IOS Release 12.4T.
Access Groups
An access group is a sequence of access list definitions bound together with a common name or number. An access group is enabled for an interface during interface configuration. Use the following guidelines when creating access groups.
•The order of access list definitions is significant. A packet is compared against the first access list in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is compared with the next access list and so on.
•All parameters must match the access list before the packet is permitted or denied.
•There is an implicit “deny all” at the end of all sequences.
For information on configuring and managing access groups, see Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4.
Configuring Cisco IOS Firewall
The Cisco IOS Firewall lets you configure a stateful firewall where packets are inspected internally and the state of network connections is monitored. Stateful firewall is superior to static access lists because access lists can only permit or deny traffic based on individual packets, not based on streams of packets. Also, because Cisco IOS Firewall inspects the packets, decisions to permit or deny traffic can be made by examining application layer data, which static access lists cannot examine.
To configure a Cisco IOS Firewall, specify which protocols to examine by using the following command in interface configuration mode:
ip inspect name inspection-name protocol timeout seconds
When inspection detects that the specified protocol is passing through the firewall, a dynamic access list is created to allow the passage of return traffic. The timeout parameter specifies the length of time the dynamic access list remains active without return traffic passing through the router. When the timeout value is reached, the dynamic access list is removed, and subsequent packets (possibly valid ones) are not permitted.
Use the same inspection name in multiple statements to group them into one set of rules. This set of rules can be activated elsewhere in the configuration by using the ip inspect
For additional information about configuring a Cisco IOS Firewall, see Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4.
The Cisco IOS Firewall may also be configured to provide voice security in Session Initiated Protocol (SIP) applications. SIP inspection provides basic inspect functionality (SIP packet inspection and detection of
Cisco 819 Series Integrated Services Routers Software Configuration Guide
|
| ||
|
|