From: khalid.ameen@xxxxxxxxxxx
Date: Mon Jul 08 2002 - 09:35:10 GMT-3
Hello,
To do the firewall you should use the inspect instead of the access-list.
The main difference between both is that the access-list is one-way access,
which means if you allow the traffic from inside to outside and deny the
reverse traffic, the reply won't come inside your network, but with the
inspect rule it allows opening a dynamic access-list for the reply traffic,
so you can open the traffic from inside to the outside and the dynamic
access-list will be temporarily opened for the reply traffic.
Regards,
khalid ameen
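A toy model of the difference Khalid describes above, using the inside network, the WAN-side access-list 101 and the "ip inspect GO out" statement from Steven's config quoted further down. This is an added example, not from the thread or from Cisco; NAT is ignored and the sample packets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK bit; the IOS "established" keyword matches ACK or RST

def acl_static(p: Pkt, established: bool) -> bool:
    """Stateless inbound ACL on the WAN side, modelled on access-list 101 (NAT ignored)."""
    if established and p.proto == "tcp" and p.ack:
        return True                 # any ACK-bearing TCP packet, solicited or not
    if p.proto == "tcp" and p.dst == "255.21.220.202" and p.dport in (23, 25, 110):
        return True                 # telnet/smtp/pop3 to the router's WAN address
    return False                    # implicit deny: UDP replies, fresh SYNs, ...

class Inspect:
    """CBAC-style 'ip inspect GO out': LAN-initiated traffic opens a temporary
    reverse entry that is consulted before the static ACL."""
    def __init__(self, established: bool):
        self.established = established
        self.sessions = set()
    def outbound(self, p: Pkt) -> None:
        if p.src.startswith("192.168.1."):          # the inside network in the config
            self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))
    def inbound(self, p: Pkt) -> bool:
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.sessions:
            return True                             # reply to a session the LAN opened
        return acl_static(p, self.established)

def run_scenarios() -> dict:
    """Constructed sample traffic; returns the permit decision per case."""
    dns_q = Pkt("udp", "192.168.1.50", 40000, "198.51.100.53", 53)
    dns_r = Pkt("udp", "198.51.100.53", 53, "192.168.1.50", 40000)
    web_syn = Pkt("tcp", "192.168.1.50", 40001, "198.51.100.80", 80)
    web_synack = Pkt("tcp", "198.51.100.80", 80, "192.168.1.50", 40001, ack=True)
    stray_ack = Pkt("tcp", "198.51.100.9", 1234, "192.168.1.50", 8080, ack=True)
    fw = Inspect(established=False)     # with inspect the 'established' line can go
    fw.outbound(dns_q)
    fw.outbound(web_syn)
    return {
        "acl_dns_reply": acl_static(dns_r, True),       # False: UDP has no ACK bit
        "acl_web_reply": acl_static(web_synack, True),  # True
        "acl_stray_ack": acl_static(stray_ack, True),   # True: 'established' is stateless
        "inspect_dns_reply": fw.inbound(dns_r),         # True: dynamic entry
        "inspect_web_reply": fw.inbound(web_synack),    # True: dynamic entry
        "inspect_stray_ack": fw.inbound(stray_ack),     # False: no session, no ACL match
    }
```

The model shows why the access-list alone cannot pass UDP replies and why an inspect session table lets the static ACL be tightened.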
Original Message:
-----------------
From: Tom Young gitsyoung@yahoo.co.jp
Date: Mon, 8 Jul 2002 20:47:02 +0900 (JST)
To: saridder@attbi.com, ccielab@groupstudy.com
Subject: RE: Firewall feature
Hi, Steven:
Thank you for your sample, it is very helpful. And something
I still couldn't understand, would you please answer it
for me?
In your F0 interface, you wrote STOP too much and GO
too little. Don't you want some common protocols out?
For example, ftp, h323...
Second, in the WAN side, you just put an access-list.
Why? Why don't you make an INSPECT IN? If you want to tell
me you had already written the IN in the LAN side, then why
do you write the access-list? Is it meaningless?
Third, how about the difference between the access-list
and inspect? I don't know. May I use the access-list to do
a firewall?
Thanks again
Tom
--- Message from "Steven A. Ridder" <saridder@attbi.com>:
> Here's one I did a few months ago on a 1750:
>
> Current configuration : 5110 bytes
> !
> version 12.2
> no parser cache
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname (DELETED)
> !
> logging buffered 4096 debugging
> logging rate-limit console 10 except errors
> no logging console
> enable secret 5 $1$EZSH$UJkNhmVVFU34XgZwDISek.
> !
> memory-size iomem 15
> mmi polling-interval 60
> no mmi auto-configure
> no mmi pvc
> mmi snmp-timeout 180
> ip subnet-zero
> no ip source-route
> !
> !
> no ip domain-lookup
> !
> no ip bootp server
> ip inspect name STOP smtp
> ip inspect name STOP tcp
> ip inspect name STOP udp
> ip inspect name STOP cuseeme
> ip inspect name STOP ftp
> ip inspect name STOP h323
> ip inspect name STOP rcmd
> ip inspect name STOP realaudio
> ip inspect name STOP streamworks
> ip inspect name STOP vdolive
> ip inspect name STOP sqlnet
> ip inspect name STOP tftp
> ip inspect name GO smtp
> ip inspect name GO tcp
> ip inspect name GO udp
> ip audit notify log
> ip audit po max-events 100
> ip ssh time-out 120
> ip ssh authentication-retries 3
> no ip dhcp-client network-discovery
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> crypto isakmp key (DELETED) address 0.0.0.0 0.0.0.0
> crypto isakmp client configuration address-pool local VPNpool
> !
> !
> crypto ipsec transform-set Strong esp-des esp-md5-hmac
> crypto mib ipsec flowmib history tunnel size 200
> crypto mib ipsec flowmib history failure size 200
> !
> crypto dynamic-map dynVPNmap 10
> set transform-set Strong
> !
> !
> crypto map modecfg client configuration address initiate
> crypto map modecfg client configuration address respond
> crypto map modecfg 10 ipsec-isakmp dynamic dynVPNmap
> !
> !
> !
> !
> interface Ethernet0
> ip address 255.21.220.202 255.255.255.252
> ip access-group 101 in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat outside
> no ip route-cache
> ip policy route-map nonat
> no ip mroute-cache
> half-duplex
> no cdp enable
> crypto map modecfg
> !
> interface FastEthernet0
> ip address 192.168.1.1 255.255.255.0
> ip nat inside
> ip inspect STOP in
> ip inspect GO out
> speed auto
> no cdp enable
> !
> ip local pool VPNpool 192.168.100.50 192.168.100.55
> ip default-gateway 255.21.220.201
> ip nat pool IntNATpool 255.21.220.202 255.21.220.202 netmask 255.255.255.252
> ip nat inside source route-map rmap pool IntNATpool overload
> ip nat inside source static tcp 192.168.1.100 25 255.21.220.202 25 extendable
> ip nat inside source static tcp 192.168.1.100 110 255.21.220.202 110 extendable
> ip classless
> ip route 0.0.0.0 0.0.0.0 255.21.220.201
> no ip http server
> !
> access-list 101 permit tcp any any established
> access-list 101 permit tcp any host 255.21.220.202 eq telnet
> access-list 101 permit icmp any any echo
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit icmp any any packet-too-big
> access-list 101 permit icmp any any time-exceeded
> access-list 101 permit icmp any any traceroute
> access-list 101 permit ahp any any
> access-list 101 permit esp any any
> access-list 101 permit udp any any eq isakmp
> access-list 101 permit tcp any host 255.21.220.202 eq pop3
> access-list 101 permit tcp any host 255.21.220.202 eq smtp
> access-list 101 permit ip host 192.168.100.50 any
> access-list 101 permit ip host 192.168.100.51 any
> access-list 101 permit ip host 192.168.100.52 any
> access-list 101 permit ip host 192.168.100.53 any
> access-list 101 permit ip host 192.168.100.54 any
> access-list 101 permit ip host 192.168.100.55 any
> access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
> access-list 110 permit ip 192.168.1.0 0.0.0.255 any
> access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
> no cdp run
> !
> !
> route-map rmap permit 10
> match ip address 110
> !
> route-map nonat permit 10
> match ip address 120
> !
> route-map nonat permit 20
> !
> banner motd ^C
> ***************************************************************************
> NOTICE TO USERS
>
> This is a private computer system and is the property of (DELETED)
> Associates. It is for authorized use only. Users (authorized or
> unauthorized) have no explicit or implicit expectation of privacy.
>
> Any or all uses of this system and all files on this system may be
> intercepted, monitored, recorded, copied, audited, inspected, and disclosed
> to authorized site, and law enforcement personnel, as well as authorized
> officials of other agencies, both domestic and foreign.
> By using this system, the user consents to such interception, monitoring,
> recording, copying, auditing, inspection, and disclosure at the discretion
> of authorized site or Department of Energy personnel.
>
> Unauthorized or improper use of this system may result in administrative
> disciplinary action and civil and criminal penalties. By continuing to use
> this system you indicate your awareness of and consent to these terms and
> conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions
> stated in this warning.
>
> *****************************************************************************^C
> !
> line con 0
> exec-timeout 5 0
>
=== message truncated ===
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:21 GMT-3