Support User Manuals

Cisco Systems OL-6426-02 Saw User Manual

Open as PDF

of 196

BETA DRAFT - CISCO CONFIDENTIAL

8-5

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Chapter 8 Configuring a Simple Firewall

Configuration Example

Configuration Example

A telecommuter is granted secure access to a corporate network, using IPSec tunneling. Security to the

home network is accomplished through firewall inspection. The protocols that are allowed are all TCP,

UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore,

no traffic is allowed that is initiated from outside. IPSec tunneling secures the connection from the Home

LAN to the corporate network.

Like the Internet Firewall Policy, HTTP need not be specified because Java blocking is not necessary.

Specifying TCP inspection allows for single-channel protocols such as Telnet and HTTP. UDP is

specified for DNS.

The following configuration example shows a portion of the configuration file for the simple firewall

scenario described in the preceding sections.

! Firewall inspection is setup for all tcp and udp traffic as well as specific application

protocols as defined by the security policy.

ip inspect name firewall tcp

ip inspect name firewall udp

ip inspect name firewall rtsp

ip inspect name firewall h323

ip inspect name firewall netshow

ip inspect name firewall ftp

ip inspect name firewall sqlnet

!

interface vlan 1! This is the internal home network

ip inspect firewall in ! inspection examines outbound traffic

no cdp enable

!

interface fastethernet 0! FE0 is the outside or internet exposed interface.

ip access-group 103 in ! acl 103 permits ipsec traffic from the corp. router as well as

denies internet initiated traffic inbound.

ip nat outside

no cdp enable

!

! acl 103 defines traffic allowed from the peer for the ipsec tunnel.

access-list 103 permit udp host 200.1.1.1 any eq isakmp

access-list 103 permit udp host 200.1.1.1 eq isakmp any

access-list 103 permit esp host 200.1.1.1 any

access-list 103 permit icmp any any ! allow icmp for debugging but should be disabled due

to security implications.

access-list 103 deny ip any any ! prevents internet initiated traffic inbound.

no cdp run

!

previous next