Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
IP INSPECT ON 801 Cisco Router
- Thread starter DAVIDSAR
- Start date
Andyleates
Technical User
What exactly do you need to know?
Andy Leates MCSE CCNA MCP+I
Andy Leates MCSE CCNA MCP+I
- Thread starter
- #3
My current config on an 827 ADSL router:
ip inspect name Firewall-Out ftp alert on
ip inspect name Firewall-Out smtp alert on
ip inspect name Firewall-Out tcp alert on
ip inspect name Firewall-Out udp alert on
!
ip inspect name Firewall-In ftp alert on
ip inspect name Firewall-In http alert on
!
interface Ethernet0
ip address x.x.x.x x.x.x.x
ip access-group Open-CBAC in
ip nat inside
!
interface Dialer1
ip address negotiated
ip access-group Inbound-Internet in
ip nat outside
ip inspect Firewall-In in
ip inspect Firewall-Out out
!
ip access-list extended Inbound-Internet
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit udp any any eq ntp
permit gre any any
permit tcp any any eq 1723
deny tcp any any
deny udp any any
permit icmp any any administratively-prohibited
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
!
ip access-list extended Open-CBAC
permit tcp any any
permit udp any any
permit ip any any
!
Not sure how much you can use but I have inbound FTP (I was toying around with a HTTP server). All outbound is statefully inspected by the ip inspect list. I allow ICMP, NTP as the router gets its clock from an SNTP server, GRE (and TCP 1723) is allowed as I was playing around with PPTP.
Hope this helps you.
Andy
ip inspect name Firewall-Out ftp alert on
ip inspect name Firewall-Out smtp alert on
ip inspect name Firewall-Out tcp alert on
ip inspect name Firewall-Out udp alert on
!
ip inspect name Firewall-In ftp alert on
ip inspect name Firewall-In http alert on
!
interface Ethernet0
ip address x.x.x.x x.x.x.x
ip access-group Open-CBAC in
ip nat inside
!
interface Dialer1
ip address negotiated
ip access-group Inbound-Internet in
ip nat outside
ip inspect Firewall-In in
ip inspect Firewall-Out out
!
ip access-list extended Inbound-Internet
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit udp any any eq ntp
permit gre any any
permit tcp any any eq 1723
deny tcp any any
deny udp any any
permit icmp any any administratively-prohibited
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
!
ip access-list extended Open-CBAC
permit tcp any any
permit udp any any
permit ip any any
!
Not sure how much you can use but I have inbound FTP (I was toying around with a HTTP server). All outbound is statefully inspected by the ip inspect list. I allow ICMP, NTP as the router gets its clock from an SNTP server, GRE (and TCP 1723) is allowed as I was playing around with PPTP.
Hope this helps you.
Andy
- Thread starter
- #5
- Status
