Configure Cisco IOS Firewall Context-Based Access Control
Apply inspection rules and ACLs to interfaces

Now that inspection rules and how to configure them have been discussed, it is important to understand how they are applied to interfaces on the router. Remember, no inspection rule or ACL can become effective until it is applied to a router interface. Use the ip inspect interface configuration command to apply a set of inspection rules to an interface in a given direction (ip inspect inspection-name {in | out}). Use the no form of this command to remove the set of rules from the interface. The syntax for the ip inspect command is shown in Figure.

General Rules

For the Cisco IOS Firewall to be effective, both inspection rules and ACLs must be strategically applied to all of the interfaces on the router. The following is the general rule of thumb for applying inspection rules and ACLs on the router:

  • On the interface where traffic initiates:
    • Apply the ACL on the inward direction that only permits wanted traffic.
    • Apply the rule on the inward direction that inspects wanted traffic.
  • On all other interfaces, apply the ACL on the inward direction that denies all traffic, except traffic that is not inspected by CBAC, such as ICMP. CBAC opens no dynamic return path for uninspected traffic, so its reply packets must be permitted explicitly by that ACL.

Two Interface Firewall
Having configured one interface with inspection rules, it is time to learn how to configure multiple interfaces in the same way. As an example, configure the router to be an IOS Firewall between two networks, inside and outside.

Implementing the following security policy will allow all general TCP and UDP outbound traffic initiated on the inside, from network 10.0.0.0, to access the Internet. ICMP traffic will also be allowed from the same network. Other networks on the inside, which are not defined, must be denied. For inbound traffic initiated on the outside, allow everyone to access only ICMP and HTTP to host 10.0.0.3. Any other traffic must be denied.
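The two-interface policy above, written out as an added IOS configuration example (constructed for this section, not the course's own demonstration). It assumes FastEthernet0/0 is the inside interface, FastEthernet0/1 is the outside interface, and that "network 10.0.0.0" means 10.0.0.0/8 (wildcard 0.255.255.255); the ACL and inspection-rule names are arbitrary.

```cisco
! Inspection rule for sessions initiated on the inside.
! ICMP is not inspected by CBAC in this configuration, so it is handled by ACLs only.
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
!
! ACL applied inward on the inside interface: only 10.0.0.0/8 (assumed mask)
! may initiate TCP, UDP and ICMP; every other inside network is denied.
ip access-list extended INSIDE_IN
 permit tcp 10.0.0.0 0.255.255.255 any
 permit udp 10.0.0.0 0.255.255.255 any
 permit icmp 10.0.0.0 0.255.255.255 any
 deny ip any any
!
! ACL applied inward on the outside interface: only ICMP and HTTP to 10.0.0.3.
! Because ICMP is not inspected, replies to pings from the inside must be
! permitted here explicitly; TCP/UDP return traffic is opened by CBAC.
ip access-list extended OUTSIDE_IN
 permit icmp any host 10.0.0.3
 permit tcp any host 10.0.0.3 eq www
 permit icmp any 10.0.0.0 0.255.255.255 echo-reply
 permit icmp any 10.0.0.0 0.255.255.255 time-exceeded
 permit icmp any 10.0.0.0 0.255.255.255 unreachable
 deny ip any any
!
! Inside interface (assumed name): filter and inspect traffic as it enters the router.
interface FastEthernet0/0
 ip access-group INSIDE_IN in
 ip inspect FW_OUT in
!
! Outside interface (assumed name): deny everything not explicitly allowed above.
interface FastEthernet0/1
 ip access-group OUTSIDE_IN in
```

After applying, confirm that outbound sessions create dynamic openings with show ip inspect sessions and that the deny entries are matching unwanted traffic with show ip access-lists.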

Utilize the demonstration activity to implement a security policy on outbound and inbound traffic.

Three Interface Firewall
Multiple interfaces can be configured. As an example, configure the router to act as an IOS Firewall between three networks: inside, outside, and DMZ. Implement a security policy that allows all general TCP and UDP outbound traffic initiated on the inside from network 10.0.0.0 to access the Internet and the DMZ host 172.16.0.2. ICMP traffic will also be allowed from the same network to the Internet and the DMZ host. Other networks on the inside, which are not defined, must be denied. For inbound traffic initiated on the outside, allow everyone to access only ICMP and HTTP to DMZ host 172.16.0.2. Any other traffic must be denied.

Utilize the demonstration activity to implement the security policy of the inbound, outbound, and DMZ bound traffic.
Lab Activity

e-Lab Activity: Inspection Rules and ACLs Applied to Router Interfaces

In this activity, students will configure the router to allow all general TCP, UDP, and ICMP traffic initiated on the inside from the 10.0.0.0 network.

Interactive Media Activity

Demonstration Activity: Configure Traffic Filtering for a Two Interface Firewall

In this activity, students will learn how to implement a security policy that filters outbound traffic.

Interactive Media Activity

Demonstration Activity: Configure Traffic Filtering for a Three Interface Firewall

In this activity, students will learn how to configure inspection rules for outbound, inbound, and DMZ traffic.