trail logging and real-time alerts globally to provide a record of network access through the firewall, including illegitimate access attempts and inbound and outbound services:

Step 1 Turn on logging to your syslog host using standard logging commands. Set the syslog server IP address with the logging host command.

Step 2 Turn on Cisco IOS Firewall audit trail messages using the ip inspect audit-trail command in global configuration mode.

Step 3 Make sure Cisco IOS Firewall real-time alerts are enabled. Alerts are controlled by the ip inspect alert-off command, which disables them; to enable them, the no form of the command is needed: use the no ip inspect alert-off command in global configuration mode. Verify the result with show ip inspect config, which reports whether session alerts and the audit trail are enabled.

You can configure audit trails on a per-application basis, as will be discussed in the next topic.
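The three steps above as one configuration fragment. This is an added example, not the course page's own figure; the syslog host address, the logging source interface and the syslog message name in the comment are assumptions.

```cisco
! Added example, not from the course page: global logging, audit trail
! and real-time alerts for Cisco IOS Firewall. The syslog host address
! and the source interface are assumed.
!
! Step 1: syslog destination. Millisecond timestamps and a fixed source
! interface make the records usable during an investigation.
service timestamps log datetime msec localtime show-timezone
logging on
logging trap informational
logging source-interface FastEthernet0/1
logging host 10.0.0.100
!
! Step 2: one audit-trail message per inspected session, recording
! initiator, responder, ports and byte counts (assumed message name
! %FW-6-SESS_AUDIT_TRAIL; check the format on your image).
ip inspect audit-trail
!
! Step 3: real-time alerts. ip inspect alert-off disables them, so the
! no form makes sure they are on whatever the image default is.
no ip inspect alert-off
```

Confirm the state with show ip inspect config, which reports whether the session audit trail and session alerts are enabled. The alert and audit-trail options inside an inspection rule override these global settings for the protocol they are set on, which is how a noisy protocol such as DNS over UDP can be kept out of the audit trail without losing it for everything else.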
6.2 Configuring Cisco IOS Firewall from the CLI
6.2.5 Inspection Rules for Application Protocols
You must define
inspection rules to specify which IP traffic (that is, which
application layer protocols) Cisco IOS Firewall will inspect at
an interface. Figure shows the Cisco IOS commands that you use
to configure what application protocols to inspect. Normally,
you define only one inspection rule. The only exception occurs
if you want to enable the firewall engine in two directions at
a single firewall interface. In this case you must configure
two rules, one for each direction. An inspection rule should
specify each desired application layer protocol that the Cisco
IOS Firewall will inspect, as well as generic TCP, UDP, or
Internet Control Message Protocol (ICMP), if desired.
Note
Generic TCP and UDP inspection dynamically permits the return traffic of active sessions. ICMP inspection permits ICMP echo reply packets that answer previously seen ICMP echo requests.

The inspection rule consists of a series of statements, each listing a protocol and specifying the same inspection rule name. Inspection rules include options for controlling alert and audit trail messages and for checking IP packet fragmentation. In the example, the IP inspection rule has the name FWRULE. FWRULE inspects the extended Simple Mail Transfer Protocol (ESMTP) and FTP protocols with alert and audit trail messages enabled. FWRULE has an idle timeout of 300 seconds.

Use the ip inspect name command in global configuration mode to define a set of inspection rules. Use the no form of this command to remove the inspection rule for a protocol or to remove the entire set of inspection rules.

ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

See the ip inspect name parameters as shown in Figure . Figure shows some examples:
- In the first example, the ip inspect name command sets up the rule PERMIT_JAVA with the http java-list option: Java applets are allowed only from the sites (source addresses) permitted by standard access list 10, and applets from any other site are blocked.
- The second example shows a list of protocols that Cisco IOS Firewall will inspect.
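The following is an added example, not the page's figure, of a complete FWRULE rule set. It goes beyond the FWRULE described above: besides ESMTP and FTP with alerts, audit trail and a 300-second idle timeout, it adds HTTP inspection with Java applet filtering, generic TCP/UDP/ICMP inspection with a per-protocol audit-trail override, and fragment checking. The access list number, the addresses in it and the timeout values are assumptions.

```cisco
! Added example, not the course page's figure. ACL number, addresses,
! protocol mix and timeouts are assumed.
!
! Standard ACL 10 lists the "friendly" sites whose Java applets may be
! downloaded; applets from any source it does not permit are blocked.
access-list 10 permit 172.30.0.0 0.0.255.255
access-list 10 permit host 198.51.100.10
!
! Application-layer inspection with alerts and audit trail on,
! idle timeout 300 seconds.
ip inspect name FWRULE esmtp alert on audit-trail on timeout 300
ip inspect name FWRULE ftp alert on audit-trail on timeout 300
!
! HTTP inspection with Java applet filtering against ACL 10.
ip inspect name FWRULE http java-list 10 alert on audit-trail on
!
! Generic inspection so the return traffic of other sessions is
! admitted. Audit trail is switched off for UDP only (DNS alone would
! flood syslog); the global ip inspect audit-trail setting still
! applies to every other protocol in the rule.
ip inspect name FWRULE tcp timeout 3600
ip inspect name FWRULE udp audit-trail off timeout 30
ip inspect name FWRULE icmp timeout 10
!
! Fragment checking: track at most 256 unassembled datagrams, each for
! one second, to bound the state a fragment flood can consume.
ip inspect name FWRULE fragment max 256 timeout 1
```

show ip inspect name FWRULE lists every statement of the rule with the alert, audit-trail and timeout values in effect, which is the quickest way to see whether a per-protocol override is really overriding the global setting.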
6.2.6 Apply an Inspection Rule to an Interface
Next, apply an inspection rule to an interface.
Figure shows the Cisco IOS commands that you use to apply an
inspection rule to an interface. Use the ip inspect interface configuration command, described in the ip inspect parameters table, to apply a set of inspection rules to an interface in either the inbound or outbound direction.

ip inspect inspection-name {in | out}
Guidelines for Applying Inspection Rules and ACLs to Interfaces
For the Cisco IOS Firewall to be effective, both inspection rules and ACLs must be strategically applied to all the router interfaces. Figure lists guidelines for applying inspection rules and ACLs to interfaces. There are two guiding principles for applying inspection rules and ACLs on the router:
- On the interface where traffic initiates:
  - Apply the ACL in the inward direction that permits only wanted traffic.
  - Apply the inspection rule in the inward direction that inspects the wanted traffic.
- On all other interfaces, apply the ACL in the inward direction that denies all traffic, except traffic that the firewall does not inspect and therefore cannot open return entries for, such as generic routing encapsulation (GRE) and ICMP messages other than echo and echo reply.

The deny-all ACLs are safe for the return traffic of inspected sessions because the temporary entries that Cisco IOS Firewall creates for a session are evaluated before the static inbound ACL on the returning interface; anything that was not inspected on its way out is dropped on its way back.
Example: Two-Interface Firewall
Figure shows a simple, two-interface Cisco IOS Firewall configuration example. The simplest, clearest, and easiest-to-verify configuration results when both an ACL and an inspection rule are applied inbound on an interface. Because such configurations are easy to verify, the chance of leaving back doors is minimized. In this example, the inspection rule OUTBOUND performs generic TCP, UDP, and ICMP traffic inspection. The access list OUTSIDEACL is applied inbound on the outside interface and blocks all incoming traffic except ICMP unreachable "packet-too-big" messages, which path MTU discovery depends on. The access list INSIDEACL, applied to the inside interface in the inbound direction, permits all TCP, UDP, and ICMP traffic initiated from the inside network. The inspection rule OUTBOUND, applied to the inside interface in the inbound direction, inspects the outbound packets and automatically allows the corresponding return traffic through OUTSIDEACL.
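The two-interface firewall just described, written out as a configuration. This is an added example rather than the page's figure; the ACL and rule names and the packet-too-big exception follow the text, while the interface names, the inside network 10.0.0.0/24 and the addresses are assumptions.

```cisco
! Added example, not the course page's figure: the two-interface
! firewall described above. Interface names and addresses are assumed.
!
! Inspection rule: generic TCP, UDP and ICMP inspection. The firewall
! records each session it sees and opens temporary entries for the
! return traffic, which are checked before the static interface ACLs.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
! Outside ACL: deny everything arriving from the Internet except the
! ICMP packet-too-big messages that path MTU discovery depends on.
! Logging the denies gives the record of illegitimate access attempts.
ip access-list extended OUTSIDEACL
 permit icmp any any packet-too-big
 deny ip any any log
!
! Inside ACL: permit only sessions initiated from the inside network
! (assumed 10.0.0.0/24). Packets with spoofed sources are dropped here.
ip access-list extended INSIDEACL
 permit tcp 10.0.0.0 0.0.0.255 any
 permit udp 10.0.0.0 0.0.0.255 any
 permit icmp 10.0.0.0 0.0.0.255 any
 deny ip any any log
!
interface FastEthernet0/0
 description outside
 ip address 200.1.1.1 255.255.255.0
 ip access-group OUTSIDEACL in
!
! ACL and inspection rule are both applied inbound on the same
! interface, which is the layout that is easiest to verify.
interface FastEthernet0/1
 description inside
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDEACL in
 ip inspect OUTBOUND in
```

When return traffic is unexpectedly dropped by OUTSIDEACL, check show ip inspect sessions first: a session that is not listed there was never inspected on the way out, usually because INSIDEACL denied it or because the protocol is not in the rule.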
Example: Three-Interface Firewall
Figure shows a Cisco IOS Firewall configuration example with three interfaces. In this example, inside users are permitted to browse the Internet. Outbound HTTP sessions are allowed by the ACL INSIDEACL, applied to the inside interface in the inbound direction. Further, outside clients are allowed to communicate with the SMTP server (200.1.2.1) and HTTP server (200.1.2.2) located in the enterprise DMZ. Inbound SMTP and HTTP are permitted by the ACL OUTSIDEACL, applied to the outside interface in the inbound direction. Additionally, ICMP unreachable "packet-too-big" messages are accepted on all interfaces to support path MTU discovery. The inspection rules include generic TCP inspection and apply to inbound connections on the outside interface and to outbound sessions on the inside interface. TCP inspection automatically allows the return traffic of the outbound HTTP sessions and of the inbound SMTP and HTTP sessions. Following the guidelines above, the DMZ interface carries only a deny-all inbound ACL (plus the packet-too-big exception), so the DMZ servers cannot initiate sessions toward either network.
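The three-interface firewall as a configuration, added here as an example and not taken from the page's figure. The DMZ server addresses, the ACL names and the permitted services follow the text; the interface names, the inside network, the outside and DMZ interface addresses and the DMZ ACL name are assumptions. One generic TCP rule is applied on two interfaces, which the text's "normally only one inspection rule" guidance allows, since the two directions are inspected on different interfaces.

```cisco
! Added example, not the course page's figure: the three-interface
! firewall described above. Interface names, the inside network, the
! outside and DMZ interface addresses and the name DMZACL are assumed;
! the DMZ servers use the addresses given in the text.
!
! One generic TCP inspection rule serves both directions because it is
! applied on two different interfaces. A second rule would be needed
! only to inspect both directions of a single interface.
ip inspect name FWRULE tcp
!
! Inside users may start HTTP sessions only; everything else from the
! inside, including packets with spoofed sources, is dropped and logged.
ip access-list extended INSIDEACL
 permit tcp 10.0.0.0 0.0.0.255 any eq www
 permit icmp any any packet-too-big
 deny ip any any log
!
! Outside clients may reach only the DMZ SMTP and HTTP servers.
ip access-list extended OUTSIDEACL
 permit tcp any host 200.1.2.1 eq smtp
 permit tcp any host 200.1.2.2 eq www
 permit icmp any any packet-too-big
 deny ip any any log
!
! The DMZ initiates nothing: its only inbound traffic is the return
! traffic of inspected sessions, admitted by the firewall's temporary
! entries, plus path MTU discovery messages.
ip access-list extended DMZACL
 permit icmp any any packet-too-big
 deny ip any any log
!
interface FastEthernet0/0
 description outside
 ip address 200.1.1.1 255.255.255.0
 ip access-group OUTSIDEACL in
 ip inspect FWRULE in
!
interface FastEthernet0/1
 description inside
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDEACL in
 ip inspect FWRULE in
!
interface FastEthernet1/0
 description dmz
 ip address 200.1.2.254 255.255.255.0
 ip access-group DMZACL in
```

The deny-all DMZACL is what limits a compromised DMZ server: it can answer the SMTP and HTTP sessions the firewall has already inspected, but it cannot open connections to the inside network or to the Internet. If the mail server must relay outbound mail, that single service has to be permitted explicitly in DMZACL and inspected on the DMZ interface, rather than by loosening the inside or outside ACLs.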
6.2.7 Verifying Cisco IOS Firewall
Figure shows the Cisco IOS CLI commands that
verify the configuration and inspected sessions of Cisco IOS
Firewall. Use the show ip inspect EXEC command to
display information about various components of Cisco IOS
Firewall. In this example, three TCP sessions have been
established from host 10.0.0.3 to the host 172.30.0.50 and
inspected by the Cisco IOS Firewall. The output of the command
includes the respective port numbers that are involved in the
TCP communications. The show ip inspect command syntax is:

show ip inspect {name inspection-name | config | interfaces | statistics | session [detail] | all}

Figure presents a table featuring the show ip inspect command parameters.
6.2.8 Troubleshooting Cisco IOS Firewall
Figure shows the Cisco IOS CLI commands
that assist in troubleshooting Cisco IOS Firewall. Use the debug ip inspect EXEC command to display messages about firewall events. The debug ip inspect command syntax is:

debug ip inspect {function-trace | object-creation | object-deletion | events | timers | protocol | detailed}

Figure presents a table featuring the debug ip inspect command parameters. Debugging produces output for every matching event or packet, so on a busy router limit it to one protocol or object type rather than using detailed, and turn it off with undebug all as soon as the problem is captured.
6.3 Basic and Advanced Firewall