Cisco Network Academy. All rights reserved. CCNP+ ISCW v1.0

Cisco IOS Threat Defense Features
Implementing Cisco IOS Firewalls

Configuring Cisco IOS Firewall from the CLI

Cisco IOS Firewall Configuration Tasks Using the CLI
1. Pick an interface: internal or external.
2. Configure IP ACLs at the interface.
3. Define inspection rules.
4. Apply inspection rules and ACLs to interfaces.
5. Test and verify.

Set Audit Trails and Alerts
    Router(config)#logging on
    Router(config)#logging host 10.0.0.3
    Router(config)#ip inspect audit-trail
    Router(config)#no ip inspect alert-off

Router(config)# ip inspect audit-trail
    Enables the delivery of audit trail messages using syslog.
Router(config)# no ip inspect alert-off
    Enables real-time alerts.

Define Inspection Rules for Application Protocols
Router(config)# ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
    Defines the application protocols to inspect. The rule is later applied to an interface.
    Available protocols are tcp, udp, icmp, smtp, esmtp, cuseeme, ftp, ftps, http, h323, netshow, rcmd, realaudio, rpc, rtsp, sip, skinny, sqlnet, tftp, vdolive, etc.
    Alert, audit-trail, and timeout are configurable per protocol and override the global settings.

    Router(config)#ip inspect name FWRULE smtp alert on audit-trail on timeout 300
    Router(config)#ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Apply an Inspection Rule to an Interface
Router(config-if)# ip inspect inspection-name {in | out}
    Applies the named inspection rule to an interface.

    Router(config)#interface e0/0
    Router(config-if)#ip inspect FWRULE in
    Applies the inspection rule to interface e0/0 in the inward direction.

Guidelines for Applying Inspection Rules and ACLs to Interfaces
On the interface where traffic initiates:
  - Apply an ACL in the inward direction that permits only wanted traffic.
  - Apply a rule in the inward direction that inspects the wanted traffic.
On all other interfaces, apply an ACL in the inward direction that denies all unwanted traffic.

Example: Two-Interface Firewall
    ip inspect name OUTBOUND tcp
    ip inspect name OUTBOUND udp
    ip inspect name OUTBOUND icmp
    !
    interface FastEthernet0/0
     ip access-group OUTSIDEACL in
    !
    interface FastEthernet0/1
     ip inspect OUTBOUND in
     ip access-group INSIDEACL in
    !
    ip access-list extended OUTSIDEACL
     permit icmp any any packet-too-big
     deny ip any any log
    !
    ip access-list extended INSIDEACL
     permit tcp any any
     permit udp any any
     permit icmp any any

Example: Three-Interface Firewall
    interface FastEthernet0/0
     ip inspect OUTSIDE in
     ip access-group OUTSIDEACL in
    !
    interface FastEthernet0/1
     ip inspect INSIDE in
     ip access-group INSIDEACL in
    !
    interface FastEthernet0/2
     ip access-group DMZACL in
    !
    ip inspect name INSIDE tcp
    ip inspect name OUTSIDE tcp
    !
    ip access-list extended OUTSIDEACL
     permit tcp any host 200.1.2.1 eq 25
     permit tcp any host 200.1.2.2 eq 80
     permit icmp any any packet-too-big
     deny ip any any log
    !
    ip access-list extended INSIDEACL
     permit tcp any any eq 80
     permit icmp any any packet-too-big
     deny ip any any log
    !
    ip access-list extended DMZACL
     perm
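As an added illustration (not from the slides or from Cisco), a small Python model of how the two-interface example behaves: INSIDEACL and the OUTBOUND inspection rule on Fa0/1 admit sessions that start inside and record them, so their replies get through OUTSIDEACL's "deny ip any any log" on Fa0/0 via the temporary opening CBAC creates, while unsolicited outside connections are denied and logged. The addresses and ports are constructed sample values.

```python
"""Toy model of the two-interface CBAC firewall (constructed example, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""        # e.g. "packet-too-big" for the OUTSIDEACL exception


@dataclass
class CbacFirewall:
    """Fa0/1 = inside (where traffic initiates), Fa0/0 = outside (untrusted)."""
    inspected: frozenset = frozenset({"tcp", "udp", "icmp"})  # ip inspect name OUTBOUND ...
    sessions: set = field(default_factory=set)               # openings CBAC has created
    log: list = field(default_factory=list)                  # hits on 'deny ip any any log'

    @staticmethod
    def inside_acl(p):
        # INSIDEACL: permit tcp any any / permit udp any any / permit icmp any any
        return p.proto in ("tcp", "udp", "icmp")

    def outside_acl(self, p):
        # OUTSIDEACL: permit icmp any any packet-too-big, then deny ip any any log
        if p.proto == "icmp" and p.icmp_type == "packet-too-big":
            return True
        self.log.append(f"denied {p.proto} {p.src}->{p.dst}")
        return False

    def from_inside(self, p):
        # Packet entering Fa0/1: the inbound ACL is checked first, then the OUTBOUND
        # inspection rule records the session so its reply can re-enter through Fa0/0.
        if not self.inside_acl(p):
            return False
        if p.proto in self.inspected:
            self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return True

    def from_outside(self, p):
        # Packet entering Fa0/0: return traffic of an inspected session matches the
        # temporary entry CBAC added; anything else is judged by the static OUTSIDEACL.
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.sessions:
            return True
        return self.outside_acl(p)
```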