Now that inspection rules and how to configure them have been discussed, it is important to understand how they are applied to interfaces on the router. Remember, no inspection rule or ACL can become effective until it is applied to a router interface. Use the ip inspect interface configuration command to apply a set of inspection rules to an interface. Use the no form of this command to remove the set of rules from the interface. The syntax for the ip inspect command is shown in the figure.
General Rules
For the Cisco IOS Firewall to be effective, both inspection rules and ACLs must be strategically applied to all of the interfaces on the router. The following is the general rule of thumb for applying inspection rules and ACLs on the router:
- On the interface where traffic initiates:
  - Apply the ACL on the inward direction that permits only wanted traffic.
  - Apply the inspection rule on the inward direction that inspects wanted traffic.
- On all other interfaces, apply the ACL on the inward direction that denies all traffic, except traffic that is not inspected by CBAC, such as ICMP.
Two Interface Firewall
Having configured one interface with inspection rules, it is time to learn how to configure multiple interfaces in the same way. As an example, configure the router to be an IOS Firewall between two networks, inside and outside.
Implement the following security policy: allow all general TCP and UDP outbound traffic initiated on the inside, from network 10.0.0.0, to access the Internet. ICMP traffic will also be allowed from the same network. Other networks on the inside, which are not defined, must be denied. For inbound traffic initiated on the outside, allow everyone to access only ICMP and HTTP to host 10.0.0.3. Any other traffic must be denied.
Utilize the demonstration activity to implement a security policy on outbound and inbound traffic.
Three Interface Firewall
Multiple interfaces can be configured. As an example, configure the router to act as an IOS Firewall between three networks: inside, outside, and DMZ. Implement a security policy allowing all general TCP and UDP outbound traffic initiated on the inside from network 10.0.0.0 to access the Internet and the DMZ host 172.16.0.2. ICMP traffic will also be allowed from the same network to the Internet and the DMZ host. Other networks on the inside, which are not defined, must be denied. For inbound traffic initiated on the outside, allow everyone to access only ICMP and HTTP to DMZ host 172.16.0.2. Any other traffic must be denied.
Utilize the demonstration activity to implement the security policy for the inbound, outbound, and DMZ-bound traffic.
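As an added example that is not part of the course or its demonstration activity, the following IOS configuration applies the general rule above to the three-interface policy (the two-interface case is the same configuration with the DMZ interface and its ACL removed and host 10.0.0.3 in place of 172.16.0.2). The inspection rule name FWRULE, the ACL names, the interface names and addresses, and the /24 mask on network 10.0.0.0 are assumptions, not values from the course.

```cisco
! Inspection rule set for general TCP and UDP sessions (name FWRULE is assumed)
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
!
! Inside-initiated traffic: permit only network 10.0.0.0 (/24 mask assumed),
! so undefined inside networks hit the final deny; the same traffic is inspected
ip access-list extended INSIDE-IN
 permit tcp 10.0.0.0 0.0.0.255 any
 permit udp 10.0.0.0 0.0.0.255 any
 permit icmp 10.0.0.0 0.0.0.255 any
 deny ip any any
!
! Outside-initiated traffic: only ICMP and HTTP to the DMZ host. ICMP is not
! inspected by CBAC, so replies to the inside network need static entries;
! TCP/UDP return traffic is opened dynamically for inspected sessions
ip access-list extended OUTSIDE-IN
 permit icmp any host 172.16.0.2
 permit tcp any host 172.16.0.2 eq www
 permit icmp any 10.0.0.0 0.0.0.255 echo-reply
 permit icmp any 10.0.0.0 0.0.0.255 time-exceeded
 permit icmp any 10.0.0.0 0.0.0.255 unreachable
 deny ip any any
!
! DMZ host initiates nothing: only its ICMP replies pass statically
ip access-list extended DMZ-IN
 permit icmp host 172.16.0.2 any echo-reply
 permit icmp host 172.16.0.2 any unreachable
 deny ip any any
!
interface FastEthernet0/0
 description inside (interface name and address assumed)
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip inspect FWRULE in
!
interface Serial0/0
 description outside (interface name assumed; 192.0.2.0/30 is a documentation range)
 ip address 192.0.2.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FWRULE in
!
interface FastEthernet0/1
 description DMZ (interface name and address assumed)
 ip address 172.16.0.1 255.255.255.0
 ip access-group DMZ-IN in
```

Inspection is applied inward on both interfaces where sessions originate (inside and outside), so CBAC opens the return path through the inward ACL of whichever interface the reply arrives on; the DMZ interface carries only a deny-all ACL with static ICMP exceptions.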