Chapter 8 Configuring a Simple Firewall

Configuration Example

 

Command / Purpose

Step 4

Command: interface type number

Example:
Router(config)# interface fastethernet 4
Router(config-if)#

Purpose: Enters interface configuration mode for the outside network interface on your router.

Step 5

Command: ip access-group {access-list-number | access-list-name} {in | out}

Example:
Router(config-if)# ip access-group 103 in
Router(config-if)#

Purpose: Assigns the defined ACLs to the outside interface on the router.

Step 6

Command: exit

Example:
Router(config-if)# exit
Router(config)#

Purpose: Returns to global configuration mode.

Configuration Example

A telecommuter is granted secure access to a corporate network using IPsec tunneling. The home network is protected by firewall inspection. All TCP and UDP traffic is allowed, along with the application protocols RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore, no traffic initiated from outside is allowed. IPsec tunneling secures the connection from the home LAN to the corporate network.

As in the Internet Firewall Policy, HTTP need not be specified separately because Java blocking is not necessary: generic TCP inspection already covers single-channel protocols such as Telnet and HTTP. UDP is specified for DNS.

The following configuration example shows a portion of the configuration file for the simple firewall scenario described in the preceding sections.

!
! Firewall inspection is set up for all TCP and UDP traffic as well as
! specific application protocols as defined by the security policy.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
!
interface vlan 1
! This is the internal home network.
ip inspect firewall in
! Inspection examines outbound traffic.
no cdp enable
!
interface fastethernet 4
! FE4 is the outside or Internet-exposed interface.
! ACL 103 permits IPsec traffic from the corporate router
! and denies Internet-initiated traffic inbound.
ip access-group 103 in
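As an added example that is not part of this guide, the following Python audit reads an IOS configuration fragment like the one above and checks it against the stated policy: every listed protocol has an ip inspect name entry, inspection is applied inbound on the home LAN interface, and the ACL is applied inbound on the outside interface (Step 5). It assumes the fragment lists the global ip inspect name commands before the interface blocks and defaults to the interface names used above; the sample configurations are constructed.

```python
import re

# Protocols the page's policy says the home firewall must inspect.
REQUIRED_INSPECT = {"tcp", "udp", "rtsp", "h323", "netshow", "ftp", "sqlnet"}

def parse_ios_config(text):
    """Return (global cmds, {interface: sub-cmds}); '!' comments are dropped and a
    line belongs to the latest 'interface' header (assumes global lines come first)."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split("!", 1)[0].split()).lower()
        header = re.match(r"interface (.+)$", line)
        if header:
            current = header.group(1)
            interfaces[current] = []
        elif line and current is None:
            global_cmds.append(line)
        elif line:
            interfaces[current].append(line)
    return global_cmds, interfaces

def audit_simple_firewall(text, inside_if="vlan 1", outside_if="fastethernet 4"):
    """Return policy findings; an empty list means the fragment complies."""
    global_cmds, interfaces = parse_ios_config(text)
    findings, rules = [], {}
    for cmd in global_cmds:  # inspection rule name -> protocols it covers
        m = re.match(r"ip inspect name (\S+) (\S+)", cmd)
        if m:
            rules.setdefault(m.group(1), set()).add(m.group(2))
    # Inspection must be applied 'in' on the home LAN interface ...
    applied = [m.group(1) for m in (re.match(r"ip inspect (\S+) in$", c)
               for c in interfaces.get(inside_if, [])) if m]
    if not applied:
        findings.append(f"{inside_if}: no 'ip inspect <name> in'")
    for name in applied:  # ... and its rule must cover every policy protocol.
        missing = REQUIRED_INSPECT - rules.get(name, set())
        if missing:
            findings.append(f"inspect rule {name} missing {sorted(missing)}")
    # Step 5 of the table: the ACL must be applied inbound on the outside interface.
    if not any(re.match(r"ip access-group \S+ in$", c)
               for c in interfaces.get(outside_if, [])):
        findings.append(f"{outside_if}: no inbound ip access-group")
    return findings
# Constructed sample: this page's fragment, and a weakened copy without SQLNet
# inspection and with the ACL applied outbound instead of inbound.
PAGE_CONFIG = "\n".join(["ip inspect name firewall " + p for p in
    "tcp udp rtsp h323 netshow ftp sqlnet".split()] + ["interface vlan 1 ! home LAN",
    "ip inspect firewall in", "no cdp enable", "interface fastethernet 4",
    "ip access-group 103 in"])
WEAK_CONFIG = PAGE_CONFIG.replace("ip inspect name firewall sqlnet\n", ""
    ).replace("ip access-group 103 in", "ip access-group 103 out")
```

Running audit_simple_firewall on PAGE_CONFIG returns no findings, while WEAK_CONFIG yields one finding for the missing SQLNet inspection and one for the ACL not being applied inbound.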

Cisco Secure Router 520 Series Software Configuration Guide
OL-14210-01
8-5

 

 

 
