
firewall on 857 not working?

Hi folks,

I'm trying to secure a router by using "ip inspect". The router takes all the commands, but from a PC behind the router I cannot access the Internet. However, if I remove the inbound access list on the external interface it works fine. I was under the impression that ip inspect should add a line to this access list allowing inbound access to an already established internal outbound session?

Can you please help?

I've attached...

sh run

sh ver

sh ip inspect all

sh access-lists

thanks

Dave

4 REPLIES


Re: firewall on 857 not working?

I've tried inbound on the VLAN interface and on the external interface, but it still doesn't work. The details of ip inspect can be found here, where it states that ip inspect can be inbound on the internal interface or outbound on the external interface.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm

rgds

Dave


Re: firewall on 857 not working?

Looks like if I use the following statements it works OK...

ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall icmp router-traffic

So I imagine it's looking at the NAT'd address instead of the source IP? Can someone please confirm?

thanks

Dave

Re: firewall on 857 not working?

Ah..... NAT'ting.

While configuring CBAC and NAT on a router, the NAT order of operation plays an important role.

For inside-to-outside traffic, perform these steps:

1. Check input ACL.

2. Perform NAT inside to outside.

3. Check output ACL.

For outside-to-inside traffic, perform these steps:

1. Check input ACL.

2. Perform NAT outside to inside.

3. Check output ACL.

For filtering inside-to-outside traffic on the inside interface, the inside hosts should be specified by their actual IP addresses.

Similarly, for filtering outside-to-inside traffic on the outside interface, the inside hosts should be specified by their translated addresses (inside global).

http://www.cisco.com/en/US/customer/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml

Hope that helps.
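The order of operations quoted above, as an added illustration that is not part of this thread or of Cisco's documentation: a small Python model of the three steps (input ACL, NAT, output ACL) with constructed addresses, showing why an inbound ACL on the outside interface has to name the inside host by its translated (inside global) address rather than its real one.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the IOS order of operations from the reply above:
# input ACL -> NAT -> output ACL. All addresses below are made-up examples.

@dataclass
class Packet:
    src: str
    dst: str

# Static translation for one inside host (inside local -> inside global).
NAT_INSIDE_TO_OUTSIDE = {"192.168.1.10": "203.0.113.5"}
NAT_OUTSIDE_TO_INSIDE = {g: l for l, g in NAT_INSIDE_TO_OUTSIDE.items()}

def acl_permits(acl, pkt):
    """ACL = ordered list of (action, src_net, dst_net); implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if (ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)):
            return action == "permit"
    return False

def forward(pkt, direction, input_acl, output_acl):
    """Run one packet through the router; returns (permitted, packet as seen on egress)."""
    if not acl_permits(input_acl, pkt):      # step 1: input ACL sees PRE-NAT addresses
        return False, pkt
    if direction == "inside_to_outside":      # step 2: translate
        pkt = Packet(NAT_INSIDE_TO_OUTSIDE.get(pkt.src, pkt.src), pkt.dst)
    else:
        pkt = Packet(pkt.src, NAT_OUTSIDE_TO_INSIDE.get(pkt.dst, pkt.dst))
    return acl_permits(output_acl, pkt), pkt  # step 3: output ACL sees POST-NAT addresses

PERMIT_ANY = [("permit", "0.0.0.0/0", "0.0.0.0/0")]

def return_traffic_result(inside_host_as_written):
    """Does an outside-interface inbound ACL written with this inside address admit the reply?"""
    outside_in_acl = [("permit", "198.51.100.0/24", inside_host_as_written + "/32")]
    reply = Packet("198.51.100.7", "203.0.113.5")   # reply is addressed to the inside global
    permitted, _ = forward(reply, "outside_to_inside", outside_in_acl, PERMIT_ANY)
    return permitted

if __name__ == "__main__":
    print("ACL names inside global:", return_traffic_result("203.0.113.5"))   # True
    print("ACL names inside local: ", return_traffic_result("192.168.1.10"))  # False
```

The same model shows the mirror case: an outbound ACL on the outside interface only ever sees the translated source, so inside hosts must be written as inside local on the inside interface and as inside global on the outside one.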
