130
Cisco 3900 Series, Cisco 2900 Series, and Cisco 1900 Series Integrated Services Routers Generation 2 Software Configuration Guide
Chapter       Configuring Security Features
Configuring Cisco IOS Firewall
For information on configuring and managing access groups, see the “Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values” section of the “Access Control Lists” section of Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T at:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/12_4t/sec_data_plane_12_4t_book.html.
Configuring Cisco IOS Firewall
The Cisco IOS Firewall lets you configure a stateful firewall in which packets are inspected internally and the state of network connections is monitored. A stateful firewall is superior to static access lists because access lists can only permit or deny traffic based on individual packets, not based on streams of packets. Also, because the Cisco IOS Firewall inspects the packets, decisions to permit or deny traffic can be made by examining application layer data, which static access lists cannot examine.
To configure a Cisco IOS Firewall, specify which protocols to examine by using the following command 
in interface configuration mode:
ip inspect name inspection-name protocol timeout seconds
When inspection detects that the specified protocol is passing through the firewall, a dynamic access list 
is created to allow the passage of return traffic. The timeout parameter specifies the length of time that 
the dynamic access list remains active without return traffic passing through the router. When the 
timeout value is reached, the dynamic access list is removed, and subsequent packets (possibly valid 
ones) are not permitted.
Use the same inspection name in multiple statements to group them into one set of rules. This set of rules 
can be activated elsewhere in the configuration by using the ip inspect inspection-name { in | out } 
command when you configure an interface at the firewall.
For additional information about configuring a Cisco IOS Firewall, see “Cisco IOS Firewall Overview” 
at: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ios_firewall_ov.html.
The Cisco IOS Firewall may also be configured to provide voice security in Session Initiation Protocol (SIP) applications. SIP inspection provides basic inspection functionality (SIP packet inspection and detection of pinhole openings), as well as protocol conformance and application security. For more information, see “Cisco IOS Firewall: SIP Enhancements: ALG and AIC” at:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_sip_alg_aic.html.
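The following is an added example configuration, not taken from the Cisco guide, that ties the pieces above together: a set of ip inspect rules sharing one inspection name (including SIP), a static access list that blocks unsolicited inbound traffic, and the inspection set activated outbound on the outside interface so that only return traffic of inspected sessions is dynamically permitted. The interface names, addresses and the inspection name FW-OUT are assumptions.

```cisco
! Added example (not from the Cisco guide). Interface names, addresses and
! the inspection-name FW-OUT are assumptions chosen for illustration.
!
! One set of rules: every statement uses the same inspection-name.
! timeout = seconds the dynamic entry survives with no return traffic;
! after that the entry is removed and later packets are dropped.
ip inspect name FW-OUT tcp timeout 3600
ip inspect name FW-OUT udp timeout 30
ip inspect name FW-OUT http
ip inspect name FW-OUT sip
!
! Static ACL applied inbound on the outside interface. It denies all
! unsolicited traffic except ICMP error messages needed for path
! diagnostics; the inspection engine adds temporary permit entries ahead
! of this list for the return traffic of sessions it has seen leaving.
ip access-list extended OUTSIDE-IN
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside (untrusted)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
!
interface GigabitEthernet0/1
 description Inside (trusted)
 ip address 192.168.10.1 255.255.255.0
!
! Verification (exec mode):
!   show ip inspect config     - lists the FW-OUT rules and timeouts
!   show ip inspect sessions   - shows the dynamic entries currently open
```

The deny ... log entry makes blocked unsolicited inbound packets visible in the router log, which is where a defender would expect to see probes that the firewall turned away.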
Zone-Based Policy Firewall
The Cisco IOS Zone-Based Policy Firewall can be used to deploy security policies by assigning 
interfaces to different zones and configuring a policy to inspect the traffic moving between these zones. 
The policy specifies a set of actions to be applied on the defined traffic class.
For additional information about configuring zone-based policy firewall, see the “Zone-Based Policy Firewall” section of Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T at:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/12_4t/sec_data_plane_12_4t_book.html.