[nsp] RE: IOS Firewall Issues

Pete Templin pete.templin at texlink.com
Tue Apr 8 15:44:01 EDT 2003


It does stateful packet inspection.

You'll view the state tables with "sh ip inspect session"

Assuming that you configure CBAC on the "inside" (i.e. your Ethernet, if you have a T1 to the outside world and an Ethernet to your LAN), you'll put an access list on outbound traffic leaving the Ethernet.  In it, you'll permit everything you want to allow inbound, and after you configure "ip inspect <somename> in" on your Ethernet, your access list will get new temporary entries (if you do "sh access-list ###") at the beginning that allow the replies to outbound traffic.

Sample relevant config:

ip inspect name servers ftp
ip inspect name servers realaudio
ip inspect name servers tcp
ip inspect name servers udp
!
interface FastEthernet0/0
 ip address BLAH BLAH
 ip access-group 121 out
 ip inspect servers in
!
access-list 121 permit icmp any any
access-list 121 permit <your.allowed.inbound.services>
access-list 121 deny ip any any

rtr# sh access-list 121
    permit tcp host 12.5.136.100 eq www host 172.16.0.75 eq 3998 (44 matches)
    permit tcp host 12.5.136.100 eq www host 172.16.0.75 eq 3995 (70 matches)
    permit tcp host 63.209.48.137 eq www host 172.16.0.50 eq 2499 (7 matches)
    permit tcp host 64.236.43.71 eq www host 172.16.0.77 eq 1178 (30 matches)
    permit tcp host 64.236.43.71 eq www host 172.16.0.77 eq 1177 (24 matches)
    permit icmp any any (198 matches)

Those first few entries (abbreviated for your reading pleasure from the mile-long list on my local router) correspond to "sh ip inspect sess" entries such as these:

Session 823B6A04 (172.16.0.18:4052)=>(207.235.16.2:53) udp SIS_OPEN
Session 8238C95C (172.16.0.18:4050)=>(207.235.16.2:53) udp SIS_OPEN
Session 8229D228 (172.16.0.18:4051)=>(207.235.16.2:53) udp SIS_OPEN
Session 823897FC (172.16.0.18:4048)=>(207.235.16.2:53) udp SIS_OPEN
Session 823B25A4 (172.16.0.18:4049)=>(207.235.16.2:53) udp SIS_OPEN

ICMP cannot be inspected, so you'll need to allow it in some form.

The IOS Security Configuration Guide under the IOS docs will help you out, more specifically http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm

Hope this helps,

Pete Templin
IP Network Engineer
TexLink Communications
(210) 892-4183
pete.templin at texlink.com
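The relationship Pete describes (each "sh ip inspect session" entry produces a temporary ACL entry that is the session reversed, permitting the reply from the outside host back to the inside host) can be checked mechanically. The script below is an added example, not code from Pete's post or from Cisco: it parses the two command outputs in the formats shown above, computes the reply entry CBAC should have installed for each session, and reports which dynamic ACL entries and sessions line up. The TCP sessions in the sample data are constructed to match the first two ACL lines from the post; the UDP DNS sessions are the ones quoted above, which the abbreviated ACL listing does not cover, so they show up as unmatched. The service-name table is an assumption covering only the names used here.

```python
import re
from dataclasses import dataclass

# IOS prints well-known ports by name in "sh access-list"; minimal table (assumption).
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "smtp": 25}

# " Session 823B6A04 (172.16.0.18:4052)=>(207.235.16.2:53) udp SIS_OPEN"
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+\((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+(?P<proto>\w+)\s+(?P<state>\S+)"
)
# "    permit tcp host 12.5.136.100 eq www host 172.16.0.75 eq 3998 (44 matches)"
ACL_RE = re.compile(
    r"permit\s+(?P<proto>tcp|udp)\s+host\s+(?P<src>[\d.]+)\s+eq\s+(?P<sport>\S+)"
    r"\s+host\s+(?P<dst>[\d.]+)\s+eq\s+(?P<dport>\S+)"
)


def port_number(token):
    """Map a port token from IOS output ('www' or '3998') to an integer."""
    return PORT_NAMES.get(token) or int(token)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_sessions(text):
    """Sessions from 'sh ip inspect session', inside host => outside host."""
    flows = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            flows.append(Flow(m["proto"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"])))
    return flows


def parse_dynamic_acl(text):
    """Host-to-host tcp/udp permits from 'sh access-list'; the static
    'permit icmp any any' line is deliberately ignored (ICMP is not inspected)."""
    flows = []
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            flows.append(Flow(m["proto"], m["src"], port_number(m["sport"]),
                              m["dst"], port_number(m["dport"])))
    return flows


def reply_flow(session):
    """The temporary entry CBAC installs is the session reversed: outside
    host/port as source, inside host/port as destination."""
    return Flow(session.proto, session.dst, session.dport, session.src, session.sport)


def audit(acl_text, session_text):
    """Cross-check dynamic ACL entries against the inspect session table."""
    acl = set(parse_dynamic_acl(acl_text))
    expected = {reply_flow(s) for s in parse_sessions(session_text)}
    return {
        "matched": sorted(acl & expected, key=str),
        "acl_without_session": sorted(acl - expected, key=str),   # stale or unexplained
        "session_without_acl": sorted(expected - acl, key=str),   # not in the listing
    }


# Sample data: ACL lines quoted from the post; sessions are the post's UDP DNS
# entries plus two constructed TCP sessions (ids 824xxxxx are made up).
ACL_OUTPUT = """\
    permit tcp host 12.5.136.100 eq www host 172.16.0.75 eq 3998 (44 matches)
    permit tcp host 12.5.136.100 eq www host 172.16.0.75 eq 3995 (70 matches)
    permit tcp host 63.209.48.137 eq www host 172.16.0.50 eq 2499 (7 matches)
    permit tcp host 64.236.43.71 eq www host 172.16.0.77 eq 1178 (30 matches)
    permit tcp host 64.236.43.71 eq www host 172.16.0.77 eq 1177 (24 matches)
    permit icmp any any (198 matches)
"""
SESSION_OUTPUT = """\
Session 82400000 (172.16.0.75:3998)=>(12.5.136.100:80) tcp SIS_OPEN
Session 82400001 (172.16.0.75:3995)=>(12.5.136.100:80) tcp SIS_OPEN
Session 823B6A04 (172.16.0.18:4052)=>(207.235.16.2:53) udp SIS_OPEN
Session 8238C95C (172.16.0.18:4050)=>(207.235.16.2:53) udp SIS_OPEN
Session 8229D228 (172.16.0.18:4051)=>(207.235.16.2:53) udp SIS_OPEN
Session 823897FC (172.16.0.18:4048)=>(207.235.16.2:53) udp SIS_OPEN
Session 823B25A4 (172.16.0.18:4049)=>(207.235.16.2:53) udp SIS_OPEN
"""

if __name__ == "__main__":
    for bucket, flows in audit(ACL_OUTPUT, SESSION_OUTPUT).items():
        print(f"{bucket}: {len(flows)}")
        for f in flows:
            print(f"  {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

Run against full, unabbreviated output from a router the two leftover buckets should be empty apart from timing noise; a dynamic entry with no corresponding session, or one whose destination is not an inside host, is worth a closer look.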

-----Original Message-----
From: Wilson, Dan [mailto:Dan.Wilson at transamerica.com]
Sent: Tuesday, April 08, 2003 12:33 PM
To: Wilson, Dan; 'cisco-nsp at puck.nether.net'
Subject: [nsp] RE: IOS Firewall Issues


Ok, I'm assuming I will need to employ CBAC.  How would one employ this,
i.e. does anyone have a link to a sample config?  Rob Thomas maybe??

I have a couple of questions regarding IOS Firewall.

Am I correct in assuming it *does* stateful?

How would I view the state tables?

How would I determine what traffic is allowed inbound??

And

How, exactly, would I set rules on what would be allowed inbound?

I'm running 7140, 7206, 3640 and 2621's all running 12.2(8)T, which I
switched to in order to run encrypted traffic over GRE tunnels, so
that I could change routes if tunnel connections weren't working.

Any ideas would be appreciated.

Thanks.


Dan

  dan.wilson at transamerica.com
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
