Cisco Systems C819GUK9 Router User Manual


Cisco 819 Series Integrated Services Routers Software Configuration Guide, OL-23590-02
Chapter 9 Configuring Security Features (section: Configuring Cisco IOS Firewall), page 9-3
To create, refine, and manage access lists, see Security Configuration Guide: Access Control Lists, Cisco IOS Release 12.4T.
Access Groups
An access group is a sequence of access list definitions bound together with a common name or number. An access group is enabled for an interface during interface configuration. Use the following guidelines when creating access groups.
• The order of access list definitions is significant. A packet is compared against the first access list in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is compared with the next access list, and so on.
• All parameters must match the access list before the packet is permitted or denied.
• There is an implicit “deny all” at the end of all sequences.
For information on configuring and managing access groups, see Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4.
Configuring Cisco IOS Firewall
The Cisco IOS Firewall lets you configure a stateful firewall, in which packets are inspected internally and the state of network connections is monitored. A stateful firewall is superior to static access lists because access lists can only permit or deny traffic based on individual packets, not on streams of packets. Also, because the Cisco IOS Firewall inspects the packets, decisions to permit or deny traffic can be made by examining application layer data, which static access lists cannot examine.
To configure a Cisco IOS Firewall, specify which protocols to examine by using the following command in interface configuration mode:

ip inspect name inspection-name protocol timeout seconds
When inspection detects that the specified protocol is passing through the firewall, a dynamic access list is created to allow the passage of return traffic. The timeout parameter specifies the length of time the dynamic access list remains active without return traffic passing through the router. When the timeout value is reached, the dynamic access list is removed, and subsequent packets (possibly valid ones) are not permitted.
Use the same inspection name in multiple statements to group them into one set of rules. This set of rules can be activated elsewhere in the configuration by using the ip inspect inspection-name {in | out} command when you configure an interface at the firewall.
For additional information about configuring a Cisco IOS Firewall, see Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4.
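The following configuration, added here as an example and not taken from the configuration guide, ties the pieces above together: one named inspection rule set, a restrictive inbound access list on the WAN interface that relies on the implicit deny, and the inspection applied outbound so that return traffic is admitted only through the dynamic entries. The interface names (GigabitEthernet0 as WAN, Vlan1 as LAN), addresses, and timeout values are assumptions chosen for illustration.

```cisco
! Added example (not from the guide). Interface names, addresses and
! timeouts are assumptions for illustration only.
!
! One inspection name groups every statement into a single rule set.
! TCP sessions idle for an hour are dropped; UDP "sessions" expire fast.
ip inspect name LAN-OUT tcp timeout 3600
ip inspect name LAN-OUT udp timeout 15
ip inspect name LAN-OUT icmp
ip inspect name LAN-OUT dns
ip inspect name LAN-OUT http
!
! Log session creation and teardown to syslog. This is what you look at
! when return traffic is dropped after a dynamic entry has timed out.
ip inspect audit-trail
!
! Inbound ACL on the WAN side. Only DHCP replies for the WAN address are
! permitted statically; everything else must be opened dynamically by
! inspection. The implicit "deny all" would drop the rest anyway; the
! explicit deny with log makes the drops visible.
ip access-list extended WAN-IN
 permit udp any eq bootps any eq bootpc
 deny   ip any any log
!
interface GigabitEthernet0
 description WAN (assumed uplink)
 ip address dhcp
 ip access-group WAN-IN in
 ip inspect LAN-OUT out
!
interface Vlan1
 description LAN (assumed inside network)
 ip address 192.168.1.1 255.255.255.0
```

Verify the result with show ip inspect sessions while a host on the LAN is browsing: each open flow appears as a session, and the matching dynamic entry disappears from the WAN-IN access list once the configured timeout elapses without return traffic.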
The Cisco IOS Firewall may also be configured to provide voice security in Session Initiation Protocol (SIP) applications. SIP inspection provides basic inspect functionality (SIP packet inspection and detection of pin-hole openings), as well as protocol conformance and application security. For more information, see Cisco IOS Firewall: SIP Enhancements: ALG and AIC.