alt.certification.cisco > September 2003 > IOS Firewall
Hi,
I am currently studying for CCNA, and have bought a couple of routers and a
switch for a Home Lab. I would like to use one of the routers as my main
connection to the internet, and enable 3 PCs to share my cable broadband
connection.
The router in question is a 2611 (ver 12.2.17) with Cisco IOS Firewall
installed (a bargain on eBay!).
I have been sharing my broadband connection for 2 years using a Netgear
FR314, which was virtually plug-in and go. It has kept us safe from all the
worms and intrusions (and crucially I trust it).
My studies have not yet reached ACLs, and CCNA does not cover the IOS
Firewall.
Therefore, does anybody have a typical setup script I could use to set up the
particular 'internet facing' interface?
I would like absolutely no traffic allowed 'in', and if possible, I would
like to block certain URLs or keywords in URLs from browsing (so the kids
cannot get at certain sites).
I can then de-commission the Netgear FR314.
Regards
Chris
Fibre Optic 2003-09-19, 4:24 pm
Chris wrote:
Hello Chris,
Try this link: http://nsa2.www.conxion.com/
There is a lot of documentation about security there, for example about
Cisco's routers.
Thanks,
Fibre Optic
Richard Deal 2003-09-19, 4:24 pm
Chris,
If you're running 12.3, you can use the new AutoSecure feature, which is
similar to the System Configuration Dialog--it sets up a secure configuration
on your router automagically.
It's pretty cool and a long time in coming to the consumer.
And as another person posted, there are a lot of web pages out there that
give you the basics of securing your router.
I'm actually working on a book right now with Cisco Press which discusses
IOS Security, specifically using a router as a firewall, and covers this kind
of stuff, along with how to use some cool tools like NBAR, CAR, and others
to help prevent a lot of different kinds of attacks.
Unfortunately, it won't be out until early spring... I'm only finishing
chapter 4, and I have 20 more to go, probably making the book around 900+
pages.
Cheers!
Richard A. Deal
Visit my home page at http://home.cfl.rr.com/dealgroup/
Author of CCNA Cisco Certified Network Associate Study Guide (640-801),
Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access Exam Prep,
CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration Exam Cram
Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco
exams on the market.
"Fibre Optic" <fibre_optic@go2.pl> wrote in message
news:bkflk9$7u4$1@atlantis.news.tpi.pl...
Hi Chris,
To enable the firewall, you must "inspect" your application and transport
layer protocols. You must then create an extended access-list.
You can deny all in your access-list, but it must be applied to your
interface, and you may want to log while troubleshooting. A good document
can be found if you do a search for "configuring CBAC" on www.cisco.com.

access-list 101 deny ip any any log

ip inspect name fwout cuseeme
ip inspect name fwout fragment
ip inspect name fwout ftp
ip inspect name fwout h323
ip inspect name fwout http
ip inspect name fwout netshow
ip inspect name fwout rcmd
ip inspect name fwout realaudio
ip inspect name fwout rtsp
ip inspect name fwout smtp
ip inspect name fwout sqlnet
ip inspect name fwout streamworks
ip inspect name fwout tcp
ip inspect name fwout tftp
ip inspect name fwout udp
ip inspect name fwout vdolive

interface ??
description internet access
ip inspect fwout out
ip access-group 101 in

Claude
"Chris" <clord@blueyonder.co.uk> wrote in message
news:GTHab.102$f_4.1020077@news-text.cableinet.net...
Claude (and the other people),
Thanks for the info.
It seems every document I look at is about 500 pages! :-)
I have had to configure NAT (inside and out), and have installed the IP
inspect rules below, and it seems to be working OK.
Just one more question, and then I will leave it alone:
The rules below do not seem to allow ping replies (echoes) to get back in.
How do I enable these echoes, but keep all the other stuff out?
Regards
Chris
<lefortcl@nbnet.nb.ca> wrote in message
news:NTWab.12699$Ej.1862143@ursa-nb00s0.nbnet.nb.ca...
Change your access-list 101. ICMP is not inspected by CBAC until version
12.3.
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any log-input
12.3 - Scroll down to the section on ICMP inspection.
http://www.cisco.com/en/US/products...84.html#1083731
12.2 - The section under Restrictions specifically says ICMP is not
inspected.
http://www.cisco.com/en/US/products...c5.html#1001140
"Chris" <clord@blueyonder.co.uk> wrote in message
news:%uobb.1492$l65.14843110@news-text.cableinet.net...
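As an added illustration (not from the thread, and only a toy model), the Python below simulates how CBAC session openings and the inbound ACL 101 combine on the internet-facing interface: the return half of an inspected TCP flow gets through, the echo reply is dropped on 12.2 under Claude's deny-all list because ICMP is not inspected, and the echo-reply permit from the last reply lets it back in while unsolicited inbound connections stay denied. Addresses and packets are constructed; NAT and CBAC session timeouts are ignored.

```python
from collections import namedtuple

# proto is "tcp", "udp" or "icmp"; for icmp, sport carries the ICMP type.
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))
ICMP_TYPES = {"echo": 8, "echo-reply": 0}
# ACL entries as (action, protocol, icmp_type_name); first match wins and
# anything unmatched hits the implicit deny at the end of every IOS ACL.
CLAUDE_ACL = [("deny", "ip", None)]                                   # original
FIXED_ACL = [("permit", "icmp", "echo-reply"), ("deny", "ip", None)]  # last reply
# Protocols the 12.2 "ip inspect name fwout ..." list in the thread covers.
INSPECTED = {"tcp", "udp"}

def acl_decision(acl, pkt):
    for action, proto, icmp_type in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if icmp_type is not None and pkt.sport != ICMP_TYPES[icmp_type]:
            continue
        return action
    return "deny"

class Firewall:
    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()  # real CBAC also times these out; omitted here

    def outbound(self, pkt):
        if pkt.proto in INSPECTED:  # ICMP is not inspected on 12.2, so no hole
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "permit"

    def inbound(self, pkt):
        # CBAC session openings are consulted before the inbound ACL 101.
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return "permit"
        return acl_decision(self.acl, pkt)

def ping_reply_decisions():
    me, peer = "203.0.113.2", "198.51.100.7"  # constructed addresses, NAT ignored
    results = {}
    for name, acl in (("claude", CLAUDE_ACL), ("fixed", FIXED_ACL)):
        fw = Firewall(acl)
        fw.outbound(Packet("tcp", me, peer, 40000, 80))           # HTTP request out
        fw.outbound(Packet("icmp", me, peer, ICMP_TYPES["echo"]))  # ping out
        results[name] = {
            "http_reply": fw.inbound(Packet("tcp", peer, me, 80, 40000)),
            "ping_reply": fw.inbound(Packet("icmp", peer, me, ICMP_TYPES["echo-reply"])),
            "unsolicited_ssh": fw.inbound(Packet("tcp", peer, me, 5555, 22)),
        }
    return results
```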