Configure Access Lists | Cisco Systems 520 series instruction

Chapter 8 Configuring a Simple Firewall

Configure Access Lists

Note The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT. If you have not performed these configurations tasks, see Chapter 1, “Basic Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,” and Chapter 4, “Configuring PPP over ATM with NAT,” as appropriate for your router. You may have also configured DHCP, VLANs, and secure tunnels.

Configure Access Lists

Perform these steps to create access lists for use by the firewall, beginning in global configuration mode:

	Command			Purpose
Step 1
Step 1	access-list access-list-number{deny permit}			Creates an access list which prevents Internet-
	protocol source source-wildcard [operator [port]]			initiated traffic from reaching the local (inside)
	destination			network of the router, and which compares
				source and destination ports.
	Example:			See the Cisco IOS IP Command Reference,
				See the Cisco IOS IP Command Reference,
	Router(config)# access-list 103 deny ip any			Volume 1 of 4: Addressing and Services for
	any			details about this command.
	Router(config)# access-list 103 permit host			details about this command.
	Router(config)# access-list 103 permit host
	200.1.1.1 eq isakmp any
	Router(config)#
Step 2
Step 2	access-list access-list-number{deny permit}			Creates an access list that allows network traffic
	protocol source source-wildcard destination			to pass freely between the corporate network
	destination-wildcard			and the local networks through the configured
				VPN tunnel.
	Example:
	Router(config)# access-list 105 permit ip
	10.1.1.0 0.0.0.255	192.168.0.0	0.0.255.255
	Router(config)#

Cisco Secure Router 520 Series Software Configuration Guide

	OL-14210-01	8-3

Image 91

Cisco Systems 520 series manual Configure Access Lists, Creates an access list which prevents Internet

Contents

Americas Headquarters Cisco Secure Router 520 Series Software Configuration GuidePage Iii N T E N T S Verify the Configuration Additional Configuration Options Reference Information Vii Rsvp Viii Using the Tftp Download Command C-5 Objective PrefaceAudience Part 1 Getting Started Part 2 Configuring Your Router for Ethernet and DSL AccessPart 3 Configuring Additional Features and Troubleshooting Organization Appendix D, Common Port Assignments Conventions Xii Warnung Wichtige SicherheitshinweiseAvvertenza Importanti Istruzioni Sulla Sicurezza Aviso Instruções Importantes DE Segurança Xiii Guarde Estas Instrucciones Xiv GEM Disse AnvisningerPage Xvi Cisco Regulatory Compliance and Safety Information RoadmapCisco Secure Router 520 Series Hardware Installation Guide Related Documentation Xvii Obtaining Documentation and Submitting a Service Request Xviii Getting Started Page Basic Router Configuration Information Needed for Customizing the Default Parameters Viewing the Default Configuration Interface Port Labels Configuring Basic ParametersRouter Interface Port Label Command Purpose Configure Global ParametersConfigure Fast Ethernet LAN Interfaces Configure WAN Interfaces No shutdown Routerconfig# interface fastethernetRouterconfig-if# ip address 255.255.255.0 Interface type number Exits configuration mode for the ATM interface Configure the Wireless InterfaceConfiguring a Loopback Interface Enables the ATM 0 interface Router# show interface loopback Exits configuration mode for the loopbackInterface and returns to global configuration mode Loopback interface Exec-timeoutminutes seconds Configuring Command-Line Access to the RouterPassword password Login End Configuration Example Configuring Static RoutesVerifying Your Configuration Router rip Configuring Dynamic RoutesConfiguring RIP Command Task No auto-summary Configuring Your Router for Ethernet and DSL Access Page For Ethernet-Based Network Deployments Sample Network DeploymentsFor DSL-Based Network Deployments Sample Network Deployments PPPoE session between the client and a PPPoE server Configuring PPP over Ethernet with NAT PPPoE Configuration TasksCommand or Action Purpose Vpdn enable Protocol l2tp pppoe Configure the Fast Ethernet WAN InterfacesConfigures the PPPoE client and specifies Request-dialin Configure the Dialer Interface Dialer-group group-number Configure Network Address TranslationPpp authentication protocol1 protocol2 Dialer pool number Enables the configuration changes just made to Enables dynamic translation of addresses onBy the access list 1 to be translated to one Permitted by access list acl1 to be translated to one Source source-wildcard Access-list access-list-number deny permitRouterconfig# access-list 1 permit Ip nat inside outside Router# show ip nat statistics Configuration Example Id 1 access-list 1 interface Dialer0 refcount Queued Packets OL-14210-01 PPP over ATM with NAT Configuring PPP over ATM with NAT PPPoA Specifies that the IP address for the dialer Sets the PPP authentication methodAuthentication Protocol Chap Using a dialer group controls access to Command Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Dsl lom integer Dsl enable-training-log Configure DSL Signaling ProtocolConfiguring Adsl Attribute Description Default Value One of the addresses specified in the NAT pool Permitted by access list acl1 to be translated toPool1 Reference, Volume 1 of 4 Addressing 0.255 ATM0 Dhcp Configuring a LAN with Dhcp and VLANs VLANs Configure DhcpDotted-decimal domain name Creates a Dhcp address pool on the router Enters Dhcp pool configuration mode. The nameExits Dhcp configuration mode, and enters Global configuration mode Server statistics Verify Your Dhcp ConfigurationRouter# show ip dhcp import Ip dhcp pool Vlan database Configure VLANsVlan vlan-id media type name vlan-name Exec mode Assign a Switch Port to a VlanVerify Your Vlan Configuration Exits interface mode and returns to privileged Vlan Router# show vlan-switch Said MTU Remote Access VPN Using IPsec Tunnel Configuring a VPN Using Easy VPN and an IPsec Tunnel Cisco Easy VPN Configure the IKE Policy Configure Group Policy Information Apply Mode Configuration to the Crypto Map Configure IPsec Transforms and Protocols Enable Policy Lookup Configure the IPsec Crypto Method and Parameters Dynamic dynamic-map-name discover Apply the Crypto Map to the Physical InterfaceReverse-route Crypto map map-name seq-num ipsec-isakmp Crypto map map-name Create an Easy VPN Remote Configuration Router# show crypto ipsec client ezvpn Verifying Your Easy VPN ConfigurationCrypto ipsec client ezvpn name outside inside Ezvpn ezvpnclient outside Crypto ipsec client ezvpn ezvpnclient connect auto OL-14210-01 Site-to-Site VPN Using an IPsec Tunnel and GRE GRE Tunnels Configure a VPNVPNs Configure the IKE Policy Low-ip-address high-ip-address Configure Group Policy InformationIp local pool default poolname Domain name Configure IPsec Transforms and Protocols Enable Policy Lookup Specifies global lifetime values used when Configure the IPsec Crypto Method and ParametersCreates a dynamic crypto map entry, and enters Map Apply the Crypto Map to the Physical Interface 192.168.101.1 Configure a GRE Tunnel Access-list-name ACL that is used by the crypto map Tunnel interface must be configured toExits interface configuration mode, and returns to Enters ACL configuration mode for the named Set transform-set set1 match address No cdp run OL-14210-01 Configuring a Simple Firewall Fast Ethernet LAN interface the inside interface for NAT Creates an access list that allows network traffic Configure Access ListsCreates an access list which prevents Internet Details about this command Apply Access Lists and Inspection Rules to Interfaces Configure Inspection Rules Routerconfig-if# ip access-group 103 Ip nat outside no cdp enable 1shows a wireless network deployment Configuring a Wireless LAN Connection Bridges for more details Configure the Root Radio StationFor clients Equivalent Privacy WEP cannot use User attempting access to the wireless LAN Creates a Service Set ID SSID, the publicName of a wireless network Sets the permitted authentication methods for a Configure Bridging on VLANs Bridge-group number Configure Radio Station SubinterfacesBridge-group parameter Automatically enabled, and cannot be Disables the Cisco Discovery Protocol CDPOn the wireless interface Enabled, the following commands are No bridge-group 2 unicast-flooding No ip address bridge-group Configuring Additional Features and Troubleshooting Page 10-1 Additional Configuration Options 10-2 Authentication, Authorization, and Accounting Configuring Security Features11-1 ACL Type Configuring AutoSecureConfiguring Access Lists Configuration Commands Ip inspect name inspection-name protocol timeout seconds Configuring a Cbac FirewallAccess Groups Ip access-groupaccess-list-number access-list-nameinout Configuring VPNs Configuring Cisco IOS Firewall IDS11-4 12-1 TroubleshootingGetting Started Before Contacting Cisco or Your Reseller 12-2 Adsl TroubleshootingATM Troubleshooting Commands Ping atm interface Command 12-3 Show interface Command Output Cause Shutdown command12-4 12-5 Show atm interface CommandDebug atm Commands Field Description 12-6 Router# debug atm errors ATM errors debugging is on Router#Router# debug atm events Router# Example 12-6 Viewing ATM Interface Processor Events-Failure 12-7 12-8 Software Upgrade MethodsRouter# debug atm packet Router# 012348ATM0O Router# show version Recovering a Lost PasswordChange the Configuration Register 12-9 Rommon 2 confreg 12-10 Router# copy running-config startup-config Reset the Password and Save Your ChangesReset the Configuration Register Value Router# show startup-config 12-12 Reference Information Page Cisco IOS Software Basic Skills Configuring the Router from a PCPC Operating System Software Understanding Command Modes Ctrl-Z As interface atm Getting Help Enable Secret Passwords and Enable PasswordsRouter rip, from Using Commands Entering Global Configuration Mode Command-Line Error Messages Saving Configuration ChangesAbbreviating Commands Undoing Commands Summary Where to Go Next OL-14210-01 Adsl Concepts Routing Protocol Options Network Protocols PAP PPP Authentication Protocols Ethernet Network InterfacesATM for DSL PVC Dialer Interface Easy IP Phase IP Precedence QoSPPP Fragmentation and Interleaving Low Latency Queuing Cbwfq Access Lists OL-14210-01 Entering the ROM Monitor Configure terminal Enters global configuration modeConfig-reg Resets the configuration register ROM Monitor Reload ROM Monitor Commands Disaster Recovery with Tftp Download Command DescriptionsCommand Description Variable Command Tftp Download Command Variables Retrytimes Configuration RegisterUsing the Tftp Download Command TFTPTIMEOUT= time Changing the Configuration Register Using Prompts Changing the Configuration Register ManuallyRommon 1 confreg Console Download Command DescriptionXmodem -cyrxdestinationfilename Error Reporting Debug Commands Appendix C ROM Monitor Exiting the ROM Monitor Exiting the ROM Monitor OL-14210-01 Port Keyword Description Common Port Assignments Finger See ATM See ARPSee Adsl See AAL IN-2 See CAR IN-3 See Dhcp IN-4 See LCP IN-5 See NAT See RIPIN-6 IN-7 IN-8