The least complex Cisco IOS SPI (stateful packet inspection, i.e. CBAC) configuration comes down to these tasks:
- Configure ACLs to block traffic from the unsecure network.
- Be sure ACLs permit legitimate traffic connections from the secure network to the unsecure network.
- Create inspection rules. Apply the rules inbound to the secure-side interface or outbound to the unsecure-side interface.
- Verify firewall function.
Let's dive in
Gateway(config)#access-list 100 deny tcp any any
Gateway(config)#access-list 100 deny udp any any
Gateway(config)#access-list 100 permit icmp any any echo-reply
Gateway(config)#access-list 100 permit icmp any any time-exceeded
Gateway(config)#access-list 100 permit icmp any any traceroute
Gateway(config)#access-list 100 permit icmp any any unreachable
Gateway(config)#access-list 100 deny ip any any
Gateway(config)#access-list 100 remark Block All Traffic Coming From Internet
// Don't use only "deny ip any any". CBAC only tracks TCP, UDP and a few common ICMP message types. If the outside ACL is just "deny ip any any", the ICMP replies that CBAC does not inspect (echo-reply, time-exceeded, traceroute, unreachable) are blocked as well, so permit them explicitly before the final deny.
Gateway(config)#int dialer 1
Gateway(config-if)#ip access-group 100 in
Gateway(config-if)#exit
Gateway(config)#ip inspect name ServerFarmVlan110 dns
Gateway(config)#int fa0/1.110
Gateway(config-subif)#ip inspect ServerFarmVlan110 in
Gateway(config-subif)#exit
Inspect rule for HTTP and HTTPS on the user VLAN (define it the same way, then apply it inbound on the user-side interface as in step 3 above, otherwise it does nothing):
Gateway(config)#ip inspect name UserInspect https
Gateway(config)#ip inspect name UserInspect http
Monitoring: check the sessions CBAC is currently tracking with
show ip inspect sessions
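As an added check that is not part of the original post, the following Python audit walks a running-config built from the commands above and reports the two mistakes this page warns about: ICMP return types missing from the outside ACL, and an inspect rule (here UserInspect) that is defined but never applied to an interface. The sample config, ACL number and rule names are taken from the page; the audit function itself is an assumption of this example.

```python
import re

# Constructed sample running-config assembled from the commands on this page
# (UserInspect is defined but, as on the page, never applied to an interface).
SAMPLE_CONFIG = """
access-list 100 remark Block All Traffic Coming From Internet
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 deny ip any any
ip inspect name ServerFarmVlan110 dns
ip inspect name UserInspect https
ip inspect name UserInspect http
interface Dialer1
 ip access-group 100 in
interface FastEthernet0/1.110
 ip inspect ServerFarmVlan110 in
"""

# ICMP replies CBAC does not open dynamically; the outside ACL must permit them.
REQUIRED_ICMP = {"echo-reply", "time-exceeded", "traceroute", "unreachable"}

def audit_cbac(config: str, outside_acl: str = "100") -> list[str]:
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    acl_re = re.compile(rf"^access-list {outside_acl} (permit|deny) (\S+) any any(?: (\S+))?$")
    permitted_icmp, denied_protos = set(), set()
    for line in config.splitlines():
        m = acl_re.match(line.strip())
        if not m:
            continue  # remarks and unrelated lines
        action, proto, extra = m.groups()
        if action == "permit" and proto == "icmp" and extra:
            permitted_icmp.add(extra)
        elif action == "deny":
            denied_protos.add(proto)
    for missing in sorted(REQUIRED_ICMP - permitted_icmp):
        findings.append(f"ACL {outside_acl}: ICMP {missing} not permitted; CBAC will not open it")
    if "ip" not in denied_protos:
        findings.append(f"ACL {outside_acl}: no final 'deny ip any any'")
    if not re.search(rf"^\s+ip access-group {outside_acl} in$", config, re.M):
        findings.append(f"ACL {outside_acl} not applied inbound on any interface")
    # Every defined inspect rule must be applied somewhere or it tracks nothing.
    defined = set(re.findall(r"^ip inspect name (\S+) ", config, re.M))
    applied = set(re.findall(r"^\s+ip inspect (\S+) (?:in|out)$", config, re.M))
    for name in sorted(defined - applied):
        findings.append(f"inspect rule {name} defined but not applied to any interface")
    return findings
```

Running `audit_cbac(SAMPLE_CONFIG)` reports only the unapplied UserInspect rule; feeding it an ACL that is nothing but `deny ip any any` lists the four ICMP types that would be blocked.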