Cisco Systems OL-6426-02 instruction

Chapter 8 Configuring a Simple Firewall

Configuration Example

BETA DRAFT - CISCO CONFIDENTIAL

Configuration Example

A telecommuter is granted secure access to a corporate network, using IPSec tunneling. Security to the home network is accomplished through firewall inspection. The protocols that are allowed are all TCP, UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore, no traffic is allowed that is initiated from outside. IPSec tunneling secures the connection from the Home LAN to the corporate network.

Like the Internet Firewall Policy, HTTP need not be specified because Java blocking is not necessary. Specifying TCP inspection allows for single-channel protocols such as Telnet and HTTP. UDP is specified for DNS.

The following configuration example shows a portion of the configuration file for the simple firewall scenario described in the preceding sections.

!Firewall inspection is setup for all tcp and udp traffic as well as specific application protocols as defined by the security policy.

ip inspect name firewall tcp ip inspect name firewall udp

ip inspect name firewall rtsp ip inspect name firewall h323

ip inspect name firewall netshow ip inspect name firewall ftp

ip inspect name firewall sqlnet

interface vlan 1! This is the internal home network

ip inspect firewall in ! inspection examines outbound traffic no cdp enable

interface fastethernet 0! FE0 is the outside or internet exposed interface.

ip access-group 103 in ! acl 103 permits ipsec traffic from the corp. router as well as denies internet initiated traffic inbound.

ip nat outside no cdp enable

!acl 103 defines traffic allowed from the peer for the ipsec tunnel.

access-list	103	permit udp host	200.1.1.1 any eq isakmp
access-list	103	permit udp host	200.1.1.1 eq isakmp any
access-list	103	permit esp host	200.1.1.1 any
access-list	103	permit icmp any	any ! allow icmp for debugging but should be disabled due
to security	implications.
access-list	103	deny ip any any	! prevents internet initiated traffic inbound.
no cdp run
!

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

	OL-6426-02	8-5

Image 101

Cisco Systems OL-6426-02 manual Configuring a Simple Firewall Configuration Example

Contents

Cisco Systems, Inc Page N T E N T S Configuring Your Router for Ethernet and DSL Access 802.1x Authentication Configure the IPSec Crypto Method and Parameters Configuring Backup Interfaces Chap Configuration Register C-6 OL-6426-02 Audience Preface VPN OrganizationChapter Title Description Conventions Command ConventionsConvention Description Boldface Cisco.com Related DocumentsObtaining Documentation Cisco Product Security Overview Documentation FeedbackDocumentation DVD Ordering Documentation Obtaining Technical Assistance Reporting Security Problems in Cisco ProductsCisco Technical Support Website An emergency, you can also reach Psirt by telephone 877 408 Definitions of Service Request Severity Submitting a Service Request Obtaining Additional Publications and Information Getting Started Page Router Interface Port Label Basic Router ConfigurationInterface Port Labels ADSLoISDN Viewing the Default ConfigurationATM WAN Shdsl USB Modem Example 1-1 Cisco 1812 Default Configuration on Startup Information Needed for Configuration To configure the router, perform one or more of these tasks Configuring Basic Parameters Configure Fast Ethernet LAN Interfaces Configure Global ParametersCommand Purpose Example Configure the Fast Ethernet WAN Interface Configure WAN Interfaces Mode atm Exit Configure the ATM WAN InterfaceController dsl No shutdown Configuration Example Configure the Wireless InterfaceConfiguring a Loopback Interface Verifying Your Configuration Configuring Command-Line Access to the RouterPassword password Line aux console tty vty line-number End LoginExec-timeout minutes seconds Exits router configuration mode, and enters Configuring Static RoutesPrivileged Exec mode Parameters that can be set, see the Cisco IOS IP Verifying Your Configuration Configuring Dynamic RoutesConfiguration Example Command Task Configuring RIPRouter rip Version 1 Enters router configuration mode, and enables Configuring Enhanced IgrpEigrp on the router. The autonomous-system Number identifies the route to other Eigrp routers Specifies a list of networks on which Eigrp is to Be applied, using the IP address of the networkRouterconfig# network Configuring Your Router for Ethernet and DSL Access Page For DSL-Based Network Deployments Sample Network DeploymentsFor Ethernet-Based Network Deployments OL-6426-02 Configuring PPP over Ethernet with NAT Command or Action Purpose Configuration TasksVpdn enable PPPoE Request-dialin Configure the Fast Ethernet WAN InterfacesInitiate to ip ip-address Protocol l2f l2tp pppoe any These steps to configure one or both of them Cisco 1800 integrated services routers haveConfigures the PPPoE client and specifies Enables the Fast Ethernet interface Configure the Dialer Interface Exits the dialer 0 interface configuration Using a dialer group controls access toAssigns the dialer interface to a dialer group Your router Configure Network Address Translation Source source-wildcard Access-list access-list-number deny permitIp nat inside outside Configuration Example Router# show ip nat statistics PPP over ATM with NAT Configuring PPP over ATM with NAT PPPoA Authentication Protocol Chap Sets the PPP authentication methodSpecifies that the IP address for the dialer Interface is obtained through PPP/IPCP IP Command Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Attribute Description Default Value Configure DSL Signaling ProtocolConfiguring Adsl Dsl lom integer Dsl enable-training-log Configuring ShdslVerify the Configuration Ignore-error-duration number Line-mode 4-wire enhanced 4-wire standardWire Configure Network Address Translation About enabling static translation, see the Cisco Enables the configuration changes just made toFE2-FE9 reside to be the inside interface For NAT Exits configuration mode for the ATM interface Static translation, see the Cisco IOS IP CommandDefines a standard access list permitting addresses Identifies the specified WAN interface as the NAT ATM0 VLANs Configuring a LAN with Dhcp and VLANsVlan Configure Dhcp Import all Default-router address address2 ...address8Dns-server address address2 ...address8 Domain-name domain Ip dhcp pool Verify Your Dhcp ConfigurationRouter# show ip dhcp import Verify Your Vlan Configuration Configure VLANsVlan ? Example Vlan Router# show vlan-switch Switch Port Configurations Vlan Trunking Protocol VTP 802.1x Authentication Switched Port Analyzer Span Maximum Switched Virtual Interfaces SVIsIP Multicast Switching Layer 2 Interfaces Fallback Bridging Per-Port Storm ControlSeparate Voice and Data Subnets Igmp Snooping Internet Configuring a VPN Using Easy VPN and an IPSec Tunnel Cisco Easy VPN Configure the IKE Policy Crypto isakmp client configuration group Configure Group Policy InformationGroup-name default Key name Ip local pool default poolname Apply Mode Configuration to the Crypto Map Configure IPSec Transforms and Protocols Enable Policy Lookup Configure the IPSec Crypto Method and Parameters Reverse-route Apply the Crypto Map to the Physical InterfaceCrypto map map-name seq-num ipsec-isakmp Dynamic dynamic-map-name discover Crypto map map-name Create an Easy VPN Remote Configuration Crypto ipsec client ezvpn name outside inside Verifying Your Easy VPN Configuration Crypto ipsec client ezvpn ezvpnclient connect auto Beta Draft Cisco Confidential Site-to-Site VPN Using an IPSec Tunnel and GRE VPNs GRE Tunnels Configure the IKE Policy Configure a VPNAlso enters Internet Security Association Key Example uses 168-bit Data Encryption Lifetime seconds Configure Group Policy InformationGroup 1 2 Exits IKE group policy configuration mode, Enable Policy LookupEnters global configuration mode Specifies group domain membership Method used to do so Configure IPSec Transforms and ProtocolsSpecifies global lifetime values used when Negotiating IPSec security associations Creates a dynamic crypto map entry, and enters Configure the IPSec Crypto Method and ParametersCreates source proxy information for the crypto Map entry Apply the Crypto Map to the Physical Interface Configure a GRE TunnelMap Applies the crypto map to the interface Exits interface configuration mode, and returns to Tunnel interface must be configured toEnters ACL configuration mode for the named Access-list-name ACL that is used by the crypto map Configuration Example Ip nat outside no cdp enable Beta Draft Cisco Confidential Router with Firewall Configured Configuring a Simple Firewall Fast Ethernet LAN interface the inside interface for NAT Series integrated services router, respectivelyProtected network Unprotected network Configure Inspection Rules Configure Access ListsCreates an access list which prevents Internet Details about this command Inside interface on the router Apply Access Lists and Inspection Rules to InterfacesAssigns the set of firewall inspection rules to Configuring a Simple Firewall Configuration Example Beta Draft Cisco Confidential 1shows a wireless network deployment Configuring a Wireless LAN Connection Configuring a Wireless LAN Connection Configure the Root Radio Station User attempting access to the wireless LAN Sets the permitted authentication methods for aExits Ssid configuration mode, and enters Interface configuration mode for the wireless Station-role repeater root Configure Bridging on VLANsBridge number crb irb mac-address-table Bridge-group number Specified subinterface Configure Radio Station SubinterfacesEnables Ieee 802.1q encapsulation on Assigns a bridge group to the subinterface Exits subinterface configuration mode, No bridge-group 3 unicast-flooding Interface Vlan1 10-1 Sample ConfigurationRouter# show running-config Ip dhcp pool vlan3 10-2 10-3 10-4 10-5 10-6 11-1 Additional Configuration Options 11-2 Configuring Additional Features and Troubleshooting Page 12-1 Configuring Security FeaturesAuthentication, Authorization, and Accounting Configuring Access Lists Configuring AutoSecureConfiguration Commands ACL Type Access Groups Configuring a Cbac FirewallGuidelines for Creating Access Groups Ip access-group number name in out 12-4 Configuring Cisco IOS Firewall IDSConfiguring VPNs Dial Backup Feature Activation Methods Configuring Dial Backup and Remote ManagementBackup Interfaces 13-1 13-2 Configuring Backup InterfacesFloating Static Routes 13-3 Configuring Floating Static RoutesEnables RIP routing Dialer Watch Configuring Dialer WatchSpecifies the group number for the watch list 13-4 13-5 Dial Backup Feature LimitationsDial Backup Type Possible? Dial Backup Method Limitations 13-6 13-7 13-8 Example 13-3 Configuring Dial Backup Using Dialer Watch 13-9 Configure Isdn Settings 13-10 Ip address negotiated Access-groupDialer pool number Dialer-group group-number 13-12 Configure the Aggregator and Isdn Peer RouterFor your Cisco router during the ATM network downtime 13-13 Asynchronous Interface Configuration 13-14 13-15 Line Configuration 13-16 Getting Started TroubleshootingBefore Contacting Cisco or Your Reseller 14-1 Shdsl Troubleshooting Adsl TroubleshootingPortFast Troubleshooting 14-2 Ping atm interface Command ATM Troubleshooting CommandsShow interface Command 14-3 14-4 Shutdown commandOutput Cause Router# show atm interface atm Show atm interface Command14-5 Guidelines for Using Debug Commands Debug atm CommandsDebug atm errors Command Field Description Router# debug atm errors ATM errors debugging is on Router# Debug atm events Command14-7 Router# debug atm events Router# Where the keywords are defined as follows Debug atm packet CommandOptional ATM interface or subinterface number Example 14-7shows a sample output Recovering a Lost Password Software Upgrade MethodsATM0 14-9 Router# show version Change the Configuration Register14-10 Router# show startup-config Reset the RouterPress Return. The following prompt appears Prompt changes to the privileged Exec prompt 14-12 Reset the Password and Save Your ChangesReset the Configuration Register Value 14-13 Managing Your Router with SDM 14-14 Reference Information Page One of the configuration topic chapters in this guide Configuring the Router from a PCCisco IOS Software Basic Skills PC Operating System Software Understanding Command Modes Ctrl-Z ExecAs interface atm Getting Help Configuration mode Routing protocol AppropriateRouter Enter one of the router Router rip, from You can now make changes to your router configuration Enable Secret Passwords and Enable PasswordsEntering Global Configuration Mode Abbreviating Commands Using CommandsUndoing Commands Command-Line Error Messages Summary Saving Configuration ChangesWhere to Go Next OL-6426-02 Adsl Concepts Routing Protocol Options Network Protocols Protocol Ideal Topology Metric Routing Updates PPP Authentication ProtocolsEnhanced Igrp RIP PAP Ethernet Network Interfaces Dialer Interface Dial BackupBackup Interface NAT Easy IP Phase PPP Fragmentation and Interleaving QoSIP Precedence Low Latency Queuing Cbwfq Access Lists OL-6426-02 Config-reg EnableResets the configuration register ROM Monitor Exits global configuration mode ROM Monitor CommandsReload Descriptions section in this appendix Disaster Recovery with Tftp Download Command DescriptionsTftp Download Command Variables Command Description Optional Variables Variable CommandRequired Variables TFTPTIMEOUT= time Using the Tftp Download CommandTFTPCHECKSUM= setting Retrytimes Changing the Configuration Register Manually Configuration RegisterChanging the Configuration Register Using Prompts Rommon 1 confreg Console Download Command Description Error Reporting Debug CommandsContext-Displays processor context for example Frame-Displays an individual stack frame Exiting the ROM Monitor OL-6426-02 Port Keyword Description Common Port Assignments NETBIOS-DGM NETBIOS-NSNETBIOS-SSN Finger See AAL See ARPSee ATM IN-1 IN-2 See ChapSee CAR IN-3 Dhcp See also examples Experience, user Extended access list Overview B-11Ethernet B-5 Events, ATM, displaying GRE IN-5 See LCPSee NCP See PVC See PAPSee PPP See Ipcp IN-7 See RIPSee NAT IN-8 Upgrading software, methods for 14-9User Datagram ProtocolSee UDP