
Lesson 1 - 871W Configured as SPI Firewall

Discussion in 'Other Cisco Equipment' started by DocLarge, Jun 17, 2007.

DocLarge (Super Moderator, Staff Member) wrote:

    A round of thanks goes out to Eric_Stewart for laying out this CISCO IOS tutorial...

    --------------------------------------------------------------------------------

    Note that this configuration will perform general inspection of TCP, UDP and ICMP traffic. It does NOT inspect FTP, SIP, IM, etc. That will be another "lesson", but suffice it to say this configuration will "break" these protocols from progressing properly across the firewall.
    ! ===================================================================================
    ! Lesson I -- How to turn your 871W into a Stateful Packet Inspection (SPI) Firewall!
    ! ===================================================================================
    !
    ! Step (1) configures CBAC to inspect TCP, UDP and ICMP traffic
    ip inspect name OUTBOUND tcp
    ip inspect name OUTBOUND udp
    ip inspect name OUTBOUND icmp
    !
    ! Step (2) permits inside-initiated traffic FROM the 172.16.32.0/24 network (i.e. inside hosts)
    ! to any host on the outside
    ! Note: These are extended access lists, meaning that they are filtering on both source & destination
    ! addresses and (optionally) port numbers.
    access-list 101 permit ip 172.16.32.0 0.0.0.255 any
    access-list 101 deny ip any any
    !
    ! applies the ACL and inspection rule to the inside interface in an inward direction
    ! (remember "inward" direction is with respect to the interface). In effect, this
    ! will inspect all outbound traffic (from a security level perspective)
    ! Your (now) stateful packet inspection firewall will only allow packets in to your network
    ! that match up as "replies" to the traffic that was allowed out.
    !
    ! This is your Bridge Virtual Interface which comprises your WLAN and LAN interfaces:
    interface BVI1
    ip inspect OUTBOUND in
    ip access-group 101 in
    !
    ! Now you have an SPI firewall. It will block all unsolicited inbound packets, while allowing
    ! you to browse the Internet from any inside host.
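
A toy Python model of the behaviour the tutorial describes (added here as an illustration; it is not Cisco code and not part of the original post): inside-initiated flows are recorded, only matching replies are allowed back in, and active-mode FTP's server-initiated data connection is refused, which is the "breakage" the note at the top warns about. The model assumes the outside interface carries an inbound deny-all that the dynamic session openings created by "ip inspect" are checked against; all addresses and ports are constructed sample values.

```python
# Toy model of the CBAC behaviour described above (illustration only, not Cisco code).
# Assumption: the outside interface has an inbound deny-all, and the dynamic session
# openings created by "ip inspect" are what let reply packets through it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("172.16.32.0/24")   # source network from access-list 101


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int          # use 0 for icmp
    dst: str
    dport: int


class CbacFirewall:
    def __init__(self, inspect=("tcp", "udp", "icmp")):
        self.inspect = set(inspect)     # ip inspect name OUTBOUND tcp/udp/icmp
        self.sessions = set()           # (proto, in_ip, in_port, out_ip, out_port)

    def from_inside(self, pkt):
        """Packet entering BVI1 (access-group 101 in + inspect OUTBOUND in)."""
        if ip_address(pkt.src) not in INSIDE_NET:
            return "deny"               # access-list 101 deny ip any any
        if pkt.proto in self.inspect:   # inspection records the outbound flow
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"                 # access-list 101 permit ip 172.16.32.0 ...

    def from_outside(self, pkt):
        """Packet arriving from the Internet: only replies to recorded flows pass."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.sessions else "deny"


def demo():
    """Walk through the cases the tutorial describes; returns a dict of verdicts."""
    fw = CbacFirewall()
    fw.from_inside(Packet("tcp", "172.16.32.10", 51000, "203.0.113.5", 80))  # web request out
    fw.from_inside(Packet("tcp", "172.16.32.10", 51002, "203.0.113.5", 21))  # FTP control out
    return {
        "web_reply": fw.from_outside(Packet("tcp", "203.0.113.5", 80, "172.16.32.10", 51000)),
        "unsolicited_ssh": fw.from_outside(Packet("tcp", "198.51.100.9", 4444, "172.16.32.10", 22)),
        "spoofed_inside_src": fw.from_inside(Packet("tcp", "10.0.0.1", 1, "203.0.113.5", 80)),
        # active-mode FTP: the server opens the data connection from port 20; generic
        # tcp inspection never saw that flow leave, so it is dropped (the breakage noted above)
        "ftp_active_data": fw.from_outside(Packet("tcp", "203.0.113.5", 20, "172.16.32.10", 51003)),
    }
```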