trail logging and real-time alerts globally to provide a record of network access through the firewall, including illegitimate access attempts and inbound and outbound services:

Step 1 Turn on logging to your syslog host using standard logging commands. Set the syslog server IP address with the logging host command.

Step 2 Turn on Cisco IOS Firewall audit trail messages using the ip inspect audit-trail command in global configuration mode.

Step 3 Cisco IOS Firewall real-time alerts are off by default (the ip inspect alert-off command is active by default). To enable real-time alerts, use the no form of the command, no ip inspect alert-off, in global configuration mode.

You can also configure audit trails on a per-application basis, as discussed in the next topic.
6.2 Configuring Cisco IOS Firewall from the CLI

6.2.5 Inspection Rules for Application Protocols

You must define inspection rules to specify which IP traffic (that is, which application layer protocols) Cisco IOS Firewall will inspect at an interface. The figure shows the Cisco IOS commands that you use to configure which application protocols to inspect. Normally, you define only one inspection rule. The only exception occurs if you want to enable the firewall engine in two directions at a single firewall interface. In this case you must configure two rules, one for each direction. An inspection rule should specify each desired application layer protocol that the Cisco IOS Firewall will inspect, as well as generic TCP, UDP, or Internet Control Message Protocol (ICMP), if desired.

Note: Generic TCP and UDP inspection dynamically permits return traffic of active sessions. ICMP inspection allows ICMP echo reply packets to be forwarded as a response to previously seen ICMP echo messages.

The inspection rule consists of a series of statements, each listing a protocol and specifying the same inspection rule name. Inspection rules include options for controlling alert and audit trail messages and for checking IP packet fragmentation. In the example, the IP inspection rule has the name FWRULE. FWRULE inspects the extended Simple Mail Transfer Protocol (SMTP) and FTP protocols with alert and audit trails enabled. FWRULE has an idle timeout of 300 seconds.

Use the ip inspect name command in global configuration mode to define a set of inspection rules. Use the no form of this command to remove the inspection rule for a protocol or to remove the entire set of inspection rules.

ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

See the ip inspect name parameters as shown in the figure. The figure also shows some examples:
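The following global configuration is an added example (not taken from the course figures) that combines the three audit-trail steps above with the FWRULE inspection rule described in this topic. The syslog server address 10.0.0.100, the logging on and logging trap commands, and the esmtp keyword for extended SMTP (older IOS releases only offer smtp) are assumptions; the protocol list, alert and audit-trail options and the 300-second timeout are those given in the text.

```cisco
! Added example (not the course's own configuration).
! Step 1: send syslog messages to a syslog host (address is assumed).
logging on
logging host 10.0.0.100
logging trap informational
! Step 2: enable Cisco IOS Firewall audit-trail messages globally.
ip inspect audit-trail
! Step 3: real-time alerts are off by default; the "no" form turns them on.
no ip inspect alert-off
! Per-protocol inspection rule FWRULE: extended SMTP and FTP, with alerts and
! audit trail on for each entry and a 300-second idle timeout.
ip inspect name FWRULE esmtp alert on audit-trail on timeout 300
ip inspect name FWRULE ftp alert on audit-trail on timeout 300
```

The per-protocol alert and audit-trail keywords override the global settings for that protocol only, so a rule can keep audit trails for mail and FTP while leaving the global defaults in place for everything else. The rule does nothing until it is applied to an interface, which the next topic covers.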
6.2.6 Apply an Inspection Rule to an Interface

Next, apply an inspection rule to an interface. The figure shows the Cisco IOS commands that you use to apply an inspection rule to an interface. Use the ip inspect interface configuration command, described in the ip inspect parameters table, to apply a set of inspection rules to an interface in either the inbound or outbound direction.

ip inspect inspection-name {in | out}

Guidelines for Applying Inspection Rules and ACLs to Interfaces
For the Cisco IOS Firewall to be effective, both inspection rules and ACLs must be strategically applied to all the router interfaces. The figure lists guidelines for applying inspection rules and ACLs to interfaces. There are two guiding principles for applying inspection rules and ACLs on the router:

Example: Two-Interface Firewall
The figure shows a simple, two-interface Cisco IOS Firewall configuration example. The simplest, clearest, and easiest-to-verify configuration results when both an ACL and an inspection rule are applied inbound on an interface. Because such configurations are easy to verify, the chance of leaving backdoors is minimized. In this example, the inspection rule OUTBOUND performs generic TCP, UDP, and ICMP traffic inspection. The access list OUTSIDEACL is applied to the outside interface and blocks all incoming traffic except ICMP unreachable "packet-too-big" messages that support maximum transmission unit (MTU) path discovery. The access list INSIDEACL, applied to the inside interface in the inbound direction, permits all TCP, UDP, and ICMP traffic initiated from the inside network. The inspection rule OUTBOUND, applied to the inside interface in the inbound direction, inspects the outbound packets and automatically allows the corresponding return traffic.

Example: Three-Interface Firewall
The figure shows a Cisco IOS Firewall configuration example with three interfaces. In this example, inside users are permitted to browse the Internet. Outbound HTTP sessions are allowed by the ACL INSIDEACL, which applies to the inside interface in the inbound direction. Further, outside clients are allowed to communicate with the SMTP server (200.1.2.1) and HTTP server (200.1.2.2) that are located in the enterprise DMZ. Inbound SMTP and HTTP are permitted by the ACL OUTSIDEACL, which applies to the outside interface in the inbound direction. Additionally, ICMP unreachable "packet-too-big" messages are accepted on all interfaces to support MTU path discovery. The inspection rules include generic TCP inspection and apply to inbound connections on the outside interface and to outbound sessions on the inside interface. The TCP inspection automatically allows return traffic of the outbound HTTP sessions and return traffic of the inbound SMTP and HTTP sessions.
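The three-interface example written out as a complete configuration, added here as an illustration and not taken from the course figure. The interface names (FastEthernet0/0 outside, FastEthernet0/1 inside, FastEthernet0/2 DMZ), the interface addresses, the inside network 10.0.0.0/24, the inspection rule name TCPINSPECT and the DMZ access list DMZACL are assumptions; the server addresses, the ACL names OUTSIDEACL and INSIDEACL, the permitted services and the direction in which each rule is applied are those given in the text.

```cisco
! Added example (not the course's own configuration). Interface names and
! addresses, the inside network and DMZACL are assumptions.
!
! One generic TCP inspection rule, applied inbound on two interfaces.
ip inspect name TCPINSPECT tcp
!
! OUTSIDEACL, inbound on the outside interface: only SMTP to 200.1.2.1, HTTP to
! 200.1.2.2 and ICMP packet-too-big (MTU path discovery) are admitted.
ip access-list extended OUTSIDEACL
 permit tcp any host 200.1.2.1 eq smtp
 permit tcp any host 200.1.2.2 eq www
 permit icmp any any packet-too-big
 deny ip any any
!
! INSIDEACL, inbound on the inside interface: inside users may open HTTP sessions.
ip access-list extended INSIDEACL
 permit tcp 10.0.0.0 0.0.0.255 any eq www
 permit icmp any any packet-too-big
 deny ip any any
!
! DMZACL, inbound on the DMZ interface: the servers initiate nothing; their
! replies to inspected sessions are admitted dynamically by the firewall.
ip access-list extended DMZACL
 permit icmp any any packet-too-big
 deny ip any any
!
interface FastEthernet0/0
 description Outside
 ip address 200.1.1.1 255.255.255.0
 ip access-group OUTSIDEACL in
 ip inspect TCPINSPECT in
!
interface FastEthernet0/1
 description Inside
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDEACL in
 ip inspect TCPINSPECT in
!
interface FastEthernet0/2
 description DMZ
 ip address 200.1.2.254 255.255.255.0
 ip access-group DMZACL in
```

Every ACL here is applied inbound together with (where sessions originate) an inspection rule, which is the easy-to-verify pattern the guidelines recommend: each interface's ACL states only what may initiate a session, and the inspection rule opens the temporary entries for the return traffic of sessions it has seen. When checking such a configuration, confirm that the explicit deny ip any any is present on each ACL and that no static entry duplicates what inspection already opens dynamically.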
6.2.7 Verifying Cisco IOS Firewall

The figure shows the Cisco IOS CLI commands that verify the configuration and inspected sessions of Cisco IOS Firewall. Use the show ip inspect EXEC command to display information about various components of Cisco IOS Firewall. In this example, three TCP sessions have been established from host 10.0.0.3 to host 172.30.0.50 and inspected by the Cisco IOS Firewall. The output of the command includes the respective port numbers involved in the TCP communications. The show ip inspect command syntax is:

show ip inspect {name inspection-name | config | interfaces | statistics | session [detail] | all}

The figure presents a table of the show ip inspect command parameters.
6.2.8 Troubleshooting Cisco IOS Firewall

The figure shows the Cisco IOS CLI commands that assist in troubleshooting Cisco IOS Firewall. Use the debug ip inspect EXEC command to display messages about firewall events. The debug ip inspect command syntax is:

debug ip inspect {function-trace | object-creation | object-deletion | events | timers | protocol | detailed}

The figure presents a table of the debug ip inspect command parameters.
6.3 Basic and Advanced Firewall