Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Simple firewall implementation

Hello,

 

I'm pretty new to the cisco product and want to setup a simple firewall.

I found some exampels but can't get it to work.

 

For now we are using Cisco routers 88x and 89x series.

When I activate te script I the remote connection to the router is lost, although I have put an permit rule for ssh.

 

The script is the following:

ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall rtsp
ip inspect name Firewall h323
ip inspect name Firewall netshow
ip inspect name Firewall ftp
ip inspect name Firewall ssh
!
ip access-list extended Allow-IN
 permit eigrp any any
 permit icmp any 192.168.2.0 0.0.0.255 echo-reply
 permit icmp any 192.168.2.0 0.0.0.255 unreachable
 permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited
 permit icmp any 192.168.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.168.2.0 0.0.0.255 echo
 permit icmp any 192.168.2.0 0.0.0.255 time-exceeded
 permit tcp any 192.168.2.0 0.0.0.255 eq 22
 deny ip any any
!
interface Vlan1
 ip inspect Firewall in
!
interface Dialer1
 ip access-group Allow-IN in
!

 

Can anyone tell me what I'm doing wrong here?

And a second question, can I use for the ip inspect also port numbers or must I always use a service name?

 

Thank you,

 

//Edwin

2 REPLIES
Cisco Employee

Hi,I think as the SSH is to

Hi,

I think as the SSH is to the router itself , you would need the "router-traffic" keyword.

For your 2nd Query , this will help:-

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i2.html#wp2665953023

Thanks and Regards,

Vibhor Amrodia

New Member

Hello, I have tested this.I

Hello,

 

I have tested this.

I couldn't add the router-traffic to the ip inspect rule for ssh but could add it to the ip inspect rule with tcp.

I tested this option but unfortunatly the connection was closed again as soon the rules were applied to the interfaces.

 

Maybe I did it wrong or it doesn't work.

 

//Edwin

40
Views
0
Helpful
2
Replies
CreatePlease login to create content