1. Manuals
  2. Brands
  3. Cisco Manuals
  4. Network Router
  5. 851-K9 - 851 Integrated Services Router
  6. Configuration manual

Configuration Example - Cisco CISCO851-K9 - 851 Integrated Services Router Configuration Manual

Access routers
Hide thumbs
Table of Contents

Advertisement

Chapter 8
Configuring a Simple Firewall

Configuration Example

A telecommuter is granted secure access to a corporate network, using IPSec tunneling. Security to the
home network is accomplished through firewall inspection. The protocols that are allowed are all TCP,
UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore,
no traffic is allowed that is initiated from outside. IPSec tunneling secures the connection from the home
LAN to the corporate network.
Like the Internet Firewall Policy, HTTP need not be specified because Java blocking is not necessary.
Specifying TCP inspection allows for single-channel protocols such as Telnet and HTTP. UDP is
specified for DNS.
The following configuration example shows a portion of the configuration file for the simple firewall
scenario described in the preceding sections.
!
! Firewall inspection is set up for all TCP and UDP traffic as well as
! specific application protocols as defined by the security policy.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
!
interface vlan 1! This is the internal home network.
ip inspect firewall in ! Inspection examines outbound traffic.
!
interface fastethernet 4! FE4 is the outside or Internet-exposed interface.
! acl 103 permits IPSec traffic from the corp. router
! as well as denies Internet-initiated traffic inbound.
ip access-group 103 in
!
! acl 103 defines traffic allowed from the peer for the IPSec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! Allow ICMP for debugging but should be disabled because of security implications.
access-list 103 permit icmp any any
access-list 103 deny ip any any ! Prevents Internet-initiated traffic inbound.
! acl 105 matches addresses for the ipsec tunnel to or from the corporate network.
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
no cdp run
!
OL-5332-01
no cdp enable
ip nat outside
no cdp enable
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
Configuration Example
8-5
Show Quick Links

Hide quick links:

Advertisement

Table of Contents
loading

Related Manuals for Cisco CISCO851-K9 - 851 Integrated Services Router

Related Content for Cisco CISCO851-K9 - 851 Integrated Services Router

This manual is also suitable for:

Cisco876-sec-i-k9 - 876 security bundle routerCisco877-k9 - 877 integrated services routerCisco877-sec-k9 - 877 security bundle routerCisco857w-g-a-k9 - 857w integrated services routerCisco878-k9 - 878 g.shdsl sec routerCisco878-k9-rf - 878 integrated services router ... Show all

Table of Contents