[nsp] RE: IOS Firewall Issues

Nicholas R. Ianelli xtreme at erie.net
Tue Apr 8 15:24:47 EDT 2003


Dan -

You will need to download the Cisco IOS Firewall Feature set for each
router you wish to configure it on (IP/FW/IDS). You should be able to
locate sample configs by searching for CBAC on Cisco's site.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml


In addition, you will want to limit the amount of traffic you inspect.
If you inspect too much, you can actually trick the router into thinking
it is under attack, and it will deny that traffic access.

Nick

Nicholas Ianelli - CCNA 
Network Operations Engineer 
Stargate Industries 
412.316.7875 (V)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wilson, Dan
Sent: Tuesday, April 08, 2003 1:33 PM
To: Wilson, Dan; 'cisco-nsp at puck.nether.net'
Subject: [nsp] RE: IOS Firewall Issues


Ok, I'm assuming I will need to employ CBAC.  How would one employ this,
i.e. does anyone have a link to a sample config?  Rob Thomas maybe??

I have a couple of questions regarding IOS Firewall.

Am I correct in assuming it *does* stateful?

How would I view the state tables?

How would I determine what traffic is allowed inbound??

And

How, exactly, would I set rules on what would be allowed inbound?

I'm running 7140, 7206, 3640 and 2621's all running 12.2(8)T, which I
switched to in order to run encrypted traffic over GRE tunnels, so
that I could change routes if tunnel connections weren't working.

Any ideas would be appreciated.

Thanks.


Dan

  dan.wilson at transamerica.com
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
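The CBAC configuration Nick describes, and the answers to Dan's four questions (it is stateful, the state table is `show ip inspect sessions`, inbound traffic is whatever the inbound ACL permits plus the temporary entries CBAC opens for return traffic, and rules on what is allowed inbound are that ACL), put together as an added example. This is not a config from either poster or from the Cisco document linked above; it assumes an IOS image with the Firewall feature set, an outside interface Serial0/0 and an inside interface FastEthernet0/0, and RFC 5737 documentation addresses (192.0.2.0/24, 198.51.100.0/24) standing in for real ones. The threshold values are illustrative, not tuned for any particular link.

```cisco
! ---- Inspection rule set: CBAC only builds state for protocols you name.
! Inspect generic TCP and UDP so return traffic for outbound sessions is
! let back in; inspect ftp so the data channel is tracked as well.
! (Keep this list short: every inspected session costs memory and counts
! toward the half-open thresholds below.)
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT ftp
!
! ---- DoS thresholds (defaults are 500/400 half-open sessions and
! 500/400 new half-open per minute). A busy edge router with everything
! inspected can cross the defaults under normal load, at which point CBAC
! starts deleting half-open sessions, which is the "thinks it is under
! attack" behaviour. Raise them to match your real traffic. Assumed values.
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
! Per-destination-host limit; block-time 0 = drop oldest half-open, don't block host
ip inspect tcp max-incomplete host 50 block-time 0
! Age out state faster so the table stays small
ip inspect tcp synwait-time 30
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
! Log session open/close (per-session syslog; useful while tuning)
ip inspect audit-trail
!
! ---- Inbound policy on the outside interface.
! Only what is permitted here, or what CBAC has dynamically added for an
! outbound session it inspected, gets in. Everything else is denied and logged.
ip access-list extended OUTSIDE-IN
 remark Published services (assumed: mail relay and HTTPS host on 192.0.2.10)
 permit tcp any host 192.0.2.10 eq 25
 permit tcp any host 192.0.2.10 eq 443
 remark ICMP needed for path MTU discovery and traceroute replies
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 remark Anti-spoofing: never accept our own inside range from outside (assumed 10.0.0.0/8)
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip any any log
!
interface Serial0/0
 description Outside (assumed)
 ip address 192.0.2.1 255.255.255.252
 ! Static inbound filter; CBAC inserts temporary permits ahead of it
 ip access-group OUTSIDE-IN in
 ! Inspect sessions leaving via this interface so their return is admitted
 ip inspect FW-OUT out
!
interface FastEthernet0/0
 description Inside (assumed)
 ip address 10.0.0.1 255.255.255.0
!
! ---- Verification (exec mode):
!   show ip inspect sessions detail   -> the state table (src/dst, ports, age, bytes)
!   show ip inspect config            -> rule sets and the thresholds in effect
!   show ip inspect interfaces        -> which interface has which rule and ACL
!   show ip access-lists OUTSIDE-IN   -> hit counts per static entry
!   debug ip inspect tcp              -> per-packet inspection decisions (lab only)
```

Watch the `%FW-4-ALERT_ON` / `%FW-4-ALERT_OFF` syslog messages after deployment: they fire when the half-open count crosses the high and low watermarks, and a router that logs them during ordinary peak hours has thresholds set too low for its traffic, not an attack. Raise `max-incomplete` and `one-minute` rather than inspecting less only if the traffic really is legitimate; otherwise trim the `ip inspect name` list to the protocols whose return traffic actually needs to be let back in.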


