Configure Inspection Rules | Cisco Systems 520 series specification

Chapter 8 Configuring a Simple Firewall

Configure Inspection Rules

Configure Inspection Rules

Perform these steps to configure firewall inspection rules for all TCP and UDP traffic, as well as specific application protocols as defined by the security policy, beginning in global configuration mode:

	Command or Action	Purpose
Step 1
Step 1	ip inspect name inspection-name protocol	Defines an inspection rule for a particular
		protocol.
	Example:
	Router(config)# ip inspect name firewall tcp
	Router(config)#
Step 2
Step 2	ip inspect name inspection-name protocol	Repeat this command for each inspection rule
		that you wish to use.
	Example:
	Router(config)# ip inspect name firewall rtsp
	Router(config)# ip inspect name firewall h323
	Router(config)# ip inspect name firewall
	netshow
	Router(config)# ip inspect name firewall ftp
	Router(config)# ip inspect name firewall
	sqlnet
	Router(config)#

Apply Access Lists and Inspection Rules to Interfaces

Perform these steps to apply the ACLs and inspection rules to the network interfaces, beginning in global configuration mode:

				Command	Purpose
			Step 1
			Step 1	interface type number	Enters interface configuration mode for the
					inside network interface on your router.
				Example:
				Router(config)# interface vlan 1
				Router(config-if)#
			Step 2
			Step 2	ip inspect inspection-name {in out}	Assigns the set of firewall inspection rules to the
					inside interface on the router.
				Example:
				Router(config-if)#ip inspect firewall in
				Router(config-if)#
			Step 3
			Step 3	exit	Returns to global configuration mode.
				Example:
				Router(config-if)# exit
				Router(config)#

			Cisco Secure Router 520 Series Software Configuration Guide
			Cisco Secure Router 520 Series Software Configuration Guide

	8-4				OL-14210-01
	8-4				OL-14210-01

Image 92

Cisco Systems 520 series manual Configure Inspection Rules, Apply Access Lists and Inspection Rules to Interfaces

Contents

Cisco Secure Router 520 Series Software Configuration Guide Americas HeadquartersPage N T E N T S Iii Verify the Configuration Additional Configuration Options Reference Information Rsvp Vii Using the Tftp Download Command C-5 Viii Audience PrefaceObjective Part 2 Configuring Your Router for Ethernet and DSL Access Part 3 Configuring Additional Features and TroubleshootingOrganization Part 1 Getting Started Conventions Appendix D, Common Port Assignments Warnung Wichtige Sicherheitshinweise Avvertenza Importanti Istruzioni Sulla SicurezzaAviso Instruções Importantes DE Segurança Xii Guarde Estas Instrucciones Xiii GEM Disse Anvisninger XivPage Cisco Regulatory Compliance and Safety Information Roadmap Cisco Secure Router 520 Series Hardware Installation GuideRelated Documentation Xvi Obtaining Documentation and Submitting a Service Request Xvii Xviii Getting Started Page Basic Router Configuration Viewing the Default Configuration Information Needed for Customizing the Default Parameters Router Interface Port Label Configuring Basic ParametersInterface Port Labels Configure Global Parameters Configure Fast Ethernet LAN InterfacesConfigure WAN Interfaces Command Purpose Routerconfig# interface fastethernet Routerconfig-if# ip address 255.255.255.0Interface type number No shutdown Configure the Wireless Interface Configuring a Loopback InterfaceEnables the ATM 0 interface Exits configuration mode for the ATM interface Exits configuration mode for the loopback Interface and returns to global configuration modeLoopback interface Router# show interface loopback Configuring Command-Line Access to the Router Password passwordLogin Exec-timeoutminutes seconds End Verifying Your Configuration Configuring Static RoutesConfiguration Example Configuring Dynamic Routes Configuring RIPCommand Task Router rip No auto-summary Configuring Your Router for Ethernet and DSL Access Page For DSL-Based Network Deployments Sample Network DeploymentsFor Ethernet-Based Network Deployments Sample Network Deployments Configuring PPP over Ethernet with NAT PPPoE session between the client and a PPPoE server Configuration Tasks Command or Action PurposeVpdn enable PPPoE Configure the Fast Ethernet WAN Interfaces Configures the PPPoE client and specifiesRequest-dialin Protocol l2tp pppoe Configure the Dialer Interface Configure Network Address Translation Ppp authentication protocol1 protocol2Dialer pool number Dialer-group group-number Enables dynamic translation of addresses on By the access list 1 to be translated to onePermitted by access list acl1 to be translated to one Enables the configuration changes just made to Access-list access-list-number deny permit Routerconfig# access-list 1 permitIp nat inside outside Source source-wildcard Configuration Example Router# show ip nat statistics Id 1 access-list 1 interface Dialer0 refcount Queued Packets OL-14210-01 Configuring PPP over ATM with NAT PPP over ATM with NAT PPPoA Sets the PPP authentication method Authentication Protocol ChapUsing a dialer group controls access to Specifies that the IP address for the dialer Command Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Configure DSL Signaling Protocol Configuring AdslAttribute Description Default Value Dsl lom integer Dsl enable-training-log Pool1 Permitted by access list acl1 to be translated toOne of the addresses specified in the NAT pool Reference, Volume 1 of 4 Addressing 0.255 ATM0 Configuring a LAN with Dhcp and VLANs Dhcp Dotted-decimal domain name Configure DhcpVLANs Enters Dhcp pool configuration mode. The name Exits Dhcp configuration mode, and entersGlobal configuration mode Creates a Dhcp address pool on the router Verify Your Dhcp Configuration Router# show ip dhcp importIp dhcp pool Server statistics Vlan vlan-id media type name vlan-name Configure VLANsVlan database Assign a Switch Port to a Vlan Verify Your Vlan ConfigurationExits interface mode and returns to privileged Exec mode Router# show vlan-switch Vlan Said MTU Configuring a VPN Using Easy VPN and an IPsec Tunnel Remote Access VPN Using IPsec Tunnel Cisco Easy VPN Configure the IKE Policy Configure Group Policy Information Apply Mode Configuration to the Crypto Map Enable Policy Lookup Configure IPsec Transforms and Protocols Configure the IPsec Crypto Method and Parameters Apply the Crypto Map to the Physical Interface Reverse-routeCrypto map map-name seq-num ipsec-isakmp Dynamic dynamic-map-name discover Create an Easy VPN Remote Configuration Crypto map map-name Verifying Your Easy VPN Configuration Crypto ipsec client ezvpn name outside insideEzvpn ezvpnclient outside Router# show crypto ipsec client ezvpn Crypto ipsec client ezvpn ezvpnclient connect auto OL-14210-01 Site-to-Site VPN Using an IPsec Tunnel and GRE VPNs Configure a VPNGRE Tunnels Configure the IKE Policy Configure Group Policy Information Ip local pool default poolnameDomain name Low-ip-address high-ip-address Enable Policy Lookup Configure IPsec Transforms and Protocols Creates a dynamic crypto map entry, and enters Configure the IPsec Crypto Method and ParametersSpecifies global lifetime values used when Apply the Crypto Map to the Physical Interface Map Configure a GRE Tunnel 192.168.101.1 Tunnel interface must be configured to Exits interface configuration mode, and returns toEnters ACL configuration mode for the named Access-list-name ACL that is used by the crypto map Set transform-set set1 match address No cdp run OL-14210-01 Configuring a Simple Firewall Fast Ethernet LAN interface the inside interface for NAT Configure Access Lists Creates an access list which prevents InternetDetails about this command Creates an access list that allows network traffic Configure Inspection Rules Apply Access Lists and Inspection Rules to Interfaces Routerconfig-if# ip access-group 103 Ip nat outside no cdp enable Configuring a Wireless LAN Connection 1shows a wireless network deployment Configure the Root Radio Station For clientsEquivalent Privacy WEP cannot use Bridges for more details Creates a Service Set ID SSID, the public Name of a wireless networkSets the permitted authentication methods for a User attempting access to the wireless LAN Configure Bridging on VLANs Bridge-group parameter Configure Radio Station SubinterfacesBridge-group number Disables the Cisco Discovery Protocol CDP On the wireless interfaceEnabled, the following commands are Automatically enabled, and cannot be No bridge-group 2 unicast-flooding No ip address bridge-group Configuring Additional Features and Troubleshooting Page Additional Configuration Options 10-1 10-2 11-1 Configuring Security FeaturesAuthentication, Authorization, and Accounting Configuring AutoSecure Configuring Access ListsConfiguration Commands ACL Type Configuring a Cbac Firewall Access GroupsIp access-groupaccess-list-number access-list-nameinout Ip inspect name inspection-name protocol timeout seconds 11-4 Configuring Cisco IOS Firewall IDSConfiguring VPNs Troubleshooting Getting StartedBefore Contacting Cisco or Your Reseller 12-1 Adsl Troubleshooting ATM Troubleshooting CommandsPing atm interface Command 12-2 Show interface Command 12-3 12-4 Shutdown commandOutput Cause Show atm interface Command Debug atm CommandsField Description 12-5 Router# debug atm events Router# Router# debug atm errors ATM errors debugging is on Router#12-6 12-7 Example 12-6 Viewing ATM Interface Processor Events-Failure Router# debug atm packet Router# 012348ATM0O Software Upgrade Methods12-8 Recovering a Lost Password Change the Configuration Register12-9 Router# show version 12-10 Rommon 2 confreg Reset the Password and Save Your Changes Reset the Configuration Register ValueRouter# show startup-config Router# copy running-config startup-config 12-12 Reference Information Page PC Operating System Software Configuring the Router from a PCCisco IOS Software Basic Skills Understanding Command Modes As interface atm Ctrl-Z Router rip, from Enable Secret Passwords and Enable PasswordsGetting Help Entering Global Configuration Mode Using Commands Saving Configuration Changes Abbreviating CommandsUndoing Commands Command-Line Error Messages Where to Go Next Summary OL-14210-01 Concepts Adsl Network Protocols Routing Protocol Options PPP Authentication Protocols PAP ATM for DSL Network InterfacesEthernet Dialer Interface PVC Easy IP Phase PPP Fragmentation and Interleaving QoSIP Precedence Cbwfq Low Latency Queuing Access Lists OL-14210-01 Configure terminal Enters global configuration mode Config-reg Resets the configuration registerROM Monitor Entering the ROM Monitor ROM Monitor Commands Reload Command Description Command DescriptionsDisaster Recovery with Tftp Download Tftp Download Command Variables Variable Command Configuration Register Using the Tftp Download CommandTFTPTIMEOUT= time Retrytimes Rommon 1 confreg Changing the Configuration Register ManuallyChanging the Configuration Register Using Prompts Xmodem -cyrxdestinationfilename Command DescriptionConsole Download Debug Commands Error Reporting Exiting the ROM Monitor Appendix C ROM Monitor Exiting the ROM Monitor OL-14210-01 Common Port Assignments Port Keyword Description Finger See ARP See AdslSee AAL See ATM See CAR IN-2 See Dhcp IN-3 See LCP IN-4 IN-5 IN-6 See RIPSee NAT IN-7 IN-8