Configuring Cisco IOS Firewall; Zone-Based Policy Firewall - Cisco 1941W Configuration Manual

Cisco 3900 Series, Cisco 2900 Series, Cisco 1900 Series

For information on configuring and managing access groups, see the "Creating an IP Access List to Filter
IP Options, TCP Flags, Noncontiguous Ports, or TTL Values" section of the "Access Control Lists" section of
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T at:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/12_4t/sec_data_plane_12_4t_book.html.
Configuring Cisco IOS Firewall
The Cisco IOS Firewall lets you configure a stateful firewall where packets are inspected internally and
the state of network connections is monitored. A stateful firewall is superior to static access lists because
access lists can only permit or deny traffic based on individual packets, not based on streams of packets.
Also, because the Cisco IOS Firewall inspects the packets, decisions to permit or deny traffic can be
made by examining application layer data, which static access lists cannot examine.
To configure a Cisco IOS Firewall, specify which protocols to examine by using the following command
in interface configuration mode:
ip inspect name inspection-name protocol timeout seconds
When inspection detects that the specified protocol is passing through the firewall, a dynamic access list
is created to allow the passage of return traffic. The timeout parameter specifies the length of time that
the dynamic access list remains active without return traffic passing through the router. When the
timeout value is reached, the dynamic access list is removed, and subsequent packets (possibly valid
ones) are not permitted.
Use the same inspection name in multiple statements to group them into one set of rules. This set of rules
can be activated elsewhere in the configuration by using the ip inspect inspection-name { in | out }
command when you configure an interface at the firewall.
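The following configuration is an added example (not taken from the guide) showing the procedure above end to end: several ip inspect name statements grouped under one inspection name, an inbound access list that blocks unsolicited traffic on the outside interface, and the rule set activated on that interface with ip inspect. The interface names (GigabitEthernet0/0 inside, GigabitEthernet0/1 outside), the inspection name FW-INSPECT, the access list name OUTSIDE-IN and the timeout values are assumptions for illustration. Note that IOS accepts ip inspect name in global configuration mode; only the ip inspect inspection-name { in | out } activation is entered under the interface.

```cisco
! Added example: classic Cisco IOS Firewall (CBAC) inspection rule set.
! Assumed topology: Gi0/0 = inside LAN, Gi0/1 = Internet (untrusted).
! Global configuration mode: one inspection name, several protocols.
! The timeout is the idle time (seconds) before the dynamic entry is removed.
ip inspect name FW-INSPECT tcp timeout 3600
ip inspect name FW-INSPECT udp timeout 15
ip inspect name FW-INSPECT http timeout 3600
ip inspect name FW-INSPECT ftp timeout 3600
!
! Inbound filter on the outside interface. Return traffic for inspected
! sessions is allowed by the dynamic entries CBAC creates, which are
! evaluated before this static ACL; everything unsolicited is denied and logged.
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Internet (outside)
 ip access-group OUTSIDE-IN in
 ip inspect FW-INSPECT out
!
! Verification commands to run after applying the configuration:
!   show ip inspect config          - confirms the rule set and timeouts
!   show ip inspect sessions        - lists the dynamic entries currently open
!   show ip inspect statistics      - counters for inspected and dropped packets
```

Two points to check in a deployment: an inside host that is idle for longer than the configured timeout will have its entry removed, so later return packets for that session are dropped by OUTSIDE-IN (as the guide's text describes), and any protocol the rule set does not list is not inspected at all, so its return traffic must either be permitted statically in the ACL or added to the inspection name.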
For additional information about configuring a Cisco IOS Firewall, see "Cisco IOS Firewall Overview"
at: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ios_firewall_ov.html.
The Cisco IOS Firewall may also be configured to provide voice security in Session Initiation Protocol
(SIP) applications. SIP inspection provides basic inspection functionality (SIP packet inspection and
detection of pinhole openings), as well as protocol conformance and application security. For more
information, see "Cisco IOS Firewall: SIP Enhancements: ALG and AIC" at:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_sip_alg_aic.html.

Zone-Based Policy Firewall

The Cisco IOS Zone-Based Policy Firewall can be used to deploy security policies by assigning
interfaces to different zones and configuring a policy to inspect the traffic moving between these zones.
The policy specifies a set of actions to be applied on the defined traffic class.
For additional information about configuring zone-based policy firewall, see the "Zone-Based Policy
Firewall" section of Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T at:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/12_4t/sec_data_plane_12_4t_book.html.
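As an added example (not from the guide), the following configuration shows the three building blocks the section describes: interfaces assigned to zones, a traffic class with a set of actions, and a policy applied to traffic moving between the zones through a zone pair. The zone names INSIDE and OUTSIDE, the class and policy map names, the protocols matched and the interface assignments are assumptions for illustration.

```cisco
! Added example: Zone-Based Policy Firewall.
! Assumed topology: Gi0/0 = inside LAN, Gi0/1 = Internet (untrusted).
!
! 1. Define the zones.
zone security INSIDE
zone security OUTSIDE
!
! 2. Define the traffic class (which traffic the policy acts on).
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 3. Define the policy: the set of actions applied to the class.
!    "inspect" tracks the session so return traffic is allowed back;
!    anything that does not match the class is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! 4. Bind the policy to a direction with a zone pair.
!    No OUTSIDE -> INSIDE zone pair is defined, so unsolicited traffic
!    from the Internet toward the LAN is dropped by the default
!    inter-zone behaviour.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! 5. Assign interfaces to zones. Once an interface is a zone member,
!    it only exchanges traffic with interfaces in the same zone or
!    across a configured zone pair.
interface GigabitEthernet0/0
 description LAN (inside)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet (outside)
 zone-member security OUTSIDE
!
! Verification:
!   show zone security                                   - zones and their members
!   show zone-pair security                              - pairs and attached policies
!   show policy-map type inspect zone-pair sessions      - open inspected sessions
```

One caveat worth checking when reviewing such a configuration: traffic to and from the router itself belongs to the built-in self zone, which is permitted by default, so management services exposed on the outside interface are not filtered by the IN-OUT policy above and need their own self-zone policy or an interface access list.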
Cisco 3900 Series, Cisco 2900 Series, and Cisco 1900 Series Integrated Services Routers Generation 2 Software Configuration Guide
Chapter: Configuring Security Features, page 130