ip inspect name Firewall-Out ftp alert on
ip inspect name Firewall-Out smtp alert on
ip inspect name Firewall-Out tcp alert on
ip inspect name Firewall-Out udp alert on
!
ip inspect name Firewall-In ftp alert on
ip inspect name Firewall-In http alert on
!
interface Ethernet0
ip address x.x.x.x x.x.x.x
ip access-group Open-CBAC in
ip nat inside
!
interface Dialer1
ip address negotiated
ip access-group Inbound-Internet in
ip nat outside
ip inspect Firewall-In in
ip inspect Firewall-Out out
!
ip access-list extended Inbound-Internet
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit udp any any eq ntp
permit gre any any
permit tcp any any eq 1723
deny tcp any any
deny udp any any
permit icmp any any administratively-prohibited
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
!
ip access-list extended Open-CBAC
permit tcp any any
permit udp any any
permit ip any any
!
Not sure how much you can use but I have inbound FTP (I was toying around with an HTTP server). All outbound is statefully inspected by the ip inspect list. I allow ICMP, NTP as the router gets its clock from an SNTP server, GRE (and TCP 1723) is allowed as I was playing around with PPTP.
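To check how the static ACLs above actually behave before CBAC adds its dynamic entries, here is an added example (my own code, not part of the post or of Cisco IOS) that models an IOS extended ACL with first-match semantics and the implicit deny at the end, then audits it for entries that can never match because an earlier entry already covers them. The model is deliberately narrow and assumed: only `any any` source/destination, `eq` destination ports, ICMP type keywords, and a small hand-picked port-name table (`ftp`=21, `ftp-data`=20, `ntp`=123, `www`=80). The two ACL texts are constructed copies of `Inbound-Internet` and `Open-CBAC` from the post; the appended `permit tcp any any eq www` entry in the demo is hypothetical.

```python
"""Offline model of Cisco IOS extended ACL evaluation (first match wins, implicit deny)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copies of the two ACLs from the post, one entry per line.
INBOUND_INTERNET = """
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit udp any any eq ntp
permit gre any any
permit tcp any any eq 1723
deny tcp any any
deny udp any any
permit icmp any any administratively-prohibited
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
"""

OPEN_CBAC = """
permit tcp any any
permit udp any any
permit ip any any
"""

# Assumed subset of IOS port keywords; only the ones this model needs.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "ntp": 123, "www": 80}

# Only 'any any' entries are modelled; anything else is rejected loudly.
RULE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+any\s+any(?:\s+(.*))?$")


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # tcp / udp / icmp / gre / ip
    dst_port: Optional[int] = None   # tcp/udp 'eq' port; None means any port
    icmp_type: Optional[str] = None  # icmp type keyword; None means any type
    text: str = ""                   # original entry, for reporting

    def matches(self, pkt: dict) -> bool:
        """Does this entry match the packet (proto, dst_port, icmp_type)?"""
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` would already match self."""
        if self.proto != "ip" and self.proto != other.proto:
            return False
        if self.dst_port is not None and self.dst_port != other.dst_port:
            return False
        if self.icmp_type is not None and self.icmp_type != other.icmp_type:
            return False
        return True


def parse_acl(text: str) -> list:
    """Parse ACL entries in order; order is what makes first-match evaluation meaningful."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported entry for this model: {line}")
        action, proto, qual = m.group(1), m.group(2), m.group(3)
        rule = Rule(action, proto, text=line)
        if qual:
            parts = qual.split()
            if proto in ("tcp", "udp") and parts[0] == "eq":
                rule.dst_port = int(parts[1]) if parts[1].isdigit() else PORT_NAMES[parts[1]]
            elif proto == "icmp":
                rule.icmp_type = parts[0]
            else:
                raise ValueError(f"unsupported qualifier for this model: {line}")
        rules.append(rule)
    return rules


def evaluate(rules: list, pkt: dict) -> tuple:
    """Return (action, entry text) of the first matching entry, or the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.text
    return "deny", "implicit deny"


def shadowed(rules: list) -> list:
    """Entries that can never match because an earlier entry covers them: (entry, shadowing entry)."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.covers(later):
                found.append((later.text, earlier.text))
                break
    return found


if __name__ == "__main__":
    inbound = parse_acl(INBOUND_INTERNET)
    for pkt in ({"proto": "tcp", "dst_port": 21}, {"proto": "tcp", "dst_port": 80},
                {"proto": "udp", "dst_port": 123}, {"proto": "gre"},
                {"proto": "icmp", "icmp_type": "echo"}, {"proto": "icmp", "icmp_type": "redirect"}):
        print(pkt, "->", evaluate(inbound, pkt))
    print("shadowed in Inbound-Internet:", shadowed(inbound))
    # Hypothetical mistake: appending a permit after 'deny tcp any any' never takes effect.
    print("shadowed after appending www:", shadowed(parse_acl(INBOUND_INTERNET + "permit tcp any any eq www\n")))
```

The audit is the useful half: IOS appends new entries to the end of a named ACL, so a `permit` typed in after `deny tcp any any` is silently dead, and this check flags it before the change goes on a live router.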