I've implemented and troubleshoot the IOS firewall (CBAC) on Cisco 800 series routers when I was working at an ISP company a few years ago. This technology is suitable for the Small Office Home Office (SOHO) who wanted network security but don't have the IT budget. It's always been a challenge to configure and troubleshoot an IOS firewall since routing and security configurations are on the same device.
I've read some rants from network and security admins (that includes me) that they don't like configuring a firewall on a Cisco IOS router. They would rather spend on a dedicated firewall or a Unified Threat Management (UTM) appliance. Below is the IOS firewall lab I did which includes the legacy CBAC and the new Zone-Based Firewall (ZBF) approach.
R1(config)#no ip domain-lookup
R1(config)#interface fastethernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
*May 31 00:05:12.119: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#interface serial 0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#
*May 31 00:05:35.291: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*May 31 00:05:36.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R1(config-if)#clock rate 64000
R2(config)#no ip domain-lookup
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*May 31 00:06:35.435: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*May 31 00:06:36.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config-if)#clock rate 64000
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*May 31 00:09:59.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R1(config)#router eigrp 101
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#network 10.1.1.0 0.0.0.3
R1(config-router)#no auto-summary
R2(config)#router eigrp 101
R2(config-router)#network 10.1.1.0 0.0.0.3
*May 31 00:12:33.539: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.1 (Serial0/0/0) is up: new adjacency
R2(config-router)#network 10.2.2.0 0.0.0.3
R2(config-router)#no auto-summary
R2(config-router)#
*May 31 00:12:46.223: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.1 (Serial0/0/0) is resync: summary configured
R3(config)#router eigrp 101
R3(config-router)#network 192.168.3.0 0.0.0.255
R3(config-router)#network 10.2.2.0 0.0.0.3
*May 31 00:14:39.403: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.2.2.2 (Serial0/0/1) is up: new adjacenc
R3(config-router)#no auto-summary
R3(config-router)#
*May 31 00:14:44.471: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.2.2.2 (Serial0/0/1) is resync: summary configured
R1#ping 192.168.3.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/55/56 ms
R1(config)#security passwords min-length 10
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#line aux 0
R1(config-line)#password ciscoauxpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R2(config)#line console 0
R2(config-line)#password ciscoconpass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R2(config-line)#logging synchronous
R2(config-line)#line aux 0
R2(config-line)#password ciscoauxpass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R2(config-line)#line vty 0 4
R2(config-line)#password ciscovtypass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R3(config)#line console 0
R3(config-line)#password ciscoconpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous
R3(config-line)#line aux 0
R3(config-line)#password ciscoauxpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#line vty 0 4
R3(config-line)#password ciscovtypass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R1(config)#ip http server
R1(config)#service password-encryption
R1(config)#do show run
Building configuration...
Current configuration : 1367 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
/line
filtering...
line con 0
exec-timeout 5 0
password 7 094F471A1A0A141D051C053938
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 0822455D0A1604020A1B0D1739
login
line vty 0 4
exec-timeout 5 0
password 7 121A0C0411041A10333B253B20
login
!
scheduler allocate 20000 1000
end
R2(config)#service password-encryption
R3(config)#service password-encryption
R2#ping 10.1.1.1 // PING R1 SERIAL INTERFACE
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R2#ping 192.168.1.3 // PING TO PC-A
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R1#show run
Building configuration...
Current configuration : 1367 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
no fair-queue
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
password 7 094F471A1A0A141D051C053938
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 0822455D0A1604020A1B0D1739
login
line vty 0 4
exec-timeout 5 0
password 7 121A0C0411041A10333B253B20
login
!
scheduler allocate 20000 1000
end
R1#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 192.168.1.1 YES manual up up
Serial0/0/0 10.1.1.1 YES manual up up
Serial0/0/1 unassigned YES unset administratively down down
Serial0/1/0 unassigned YES unset administratively down down
Serial0/1/1 unassigned YES unset administratively down down
Enter the interface name that is facing the internet: serial0/0/0
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
$ Unauthorized Access Prohibited $
Enable secret is either not configured or
is the same as enable password
Enter the new enable secret: <cisco12345>
Confirm the enable secret : <cisco12345>
Enter the new enable password: <cisco67890>
Confirm the enable password: <cisco67890>
Configuration of local user database
Enter the username: admin
Enter the password: <cisco12345>
Confirm the password: <cisco12345>
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 60
Maximum Login failures with the device: 2
Maximum time period for crossing the failed login attempts: 30
Configure SSH server? [yes]: no
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling unicast rpf on all interfaces connected
to internet
Configure CBAC Firewall feature? [yes/no]: yes // AUTO SECURE GENERATES CBAC; CCP GENERATES ZBF
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C Unauthorized Access Prohibited ^C
security authentication failure rate 10 log
enable secret 5 $1$NVLg$tnPQZvEIENzUemrBZK6xh1
enable password 7 14141B180F0B7C7C7C7163
username admin password 7 104D000A061843595F507F
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
line tty 1
login authentication local_auth
exec-timeout 15 0
login block-for 60 attempts 2 within 30
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial0/0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/1/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/1/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
access-list 100 permit udp any any eq bootpc
interface Serial0/0/0
ip verify unicast source reachable-via rx allow-default 100
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface Serial0/0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
!
end
Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config
R1#
000042: *May 31 00:56:02.159 UTC: %AUTOSEC-1-MODIFIED: AutoSecure configuration has been Modified on this device
R1#show run
Building configuration...
Current configuration : 3412 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 10
logging message-counter syslog
logging buffered 4096
logging console critical
enable secret 5 $1$NVLg$tnPQZvEIENzUemrBZK6xh1
enable password 7 14141B180F0B7C7C7C7163
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip inspect audit-trail // CBAC DOES STATEFUL PACKET INSPECTION; ALLOW RETURN TRAFFIC INITIATED FROM INSIDE HOST
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
login block-for 60 attempts 2 within 30
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
username admin password 7 104D000A061843595F507F
archive
log config
logging enable
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip access-group autosec_firewall_acl in
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect autosec_inspect out
snmp trap ip verify drop-rate
no fair-queue
clock rate 64000
!
interface Serial0/0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
clock rate 2000000
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
banner motd ^C Unauthorized Access Prohibited ^C
!
line con 0
exec-timeout 5 0
password 7 094F471A1A0A141D051C053938
logging synchronous
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
password 7 0822455D0A1604020A1B0D1739
login authentication local_auth
transport output telnet
line vty 0 4
exec-timeout 5 0
password 7 121A0C0411041A10333B253B20
login authentication local_auth
transport input telnet
!
scheduler allocate 20000 1000
end
R1#show access-list autosec_firewall_acl // AUTOSECURE CBAC FIREWALL BLOCKED EIGRP TRAFFIC BY DEFAULT
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
20 deny ip any any (61 matches)
R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#15 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
object-group Service object group
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
R1(config-ext-nacl)#15 permit eigrp any any
R1(config-ext-nacl)#do show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
15 permit eigrp any any (10 matches)
20 deny ip any any (102 matches)
R1#
000043: *May 31 00:56:14.275 UTC: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.2 (Serial0/0/0) is down: holding time expired
000044: *May 31 01:00:01.675 UTC: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.2 (Serial0/0/0) is up: new adjacency
000045: *May 31 01:05:17.379 UTC: %SYS-5-CONFIG_I: Configured from console by console
R1(config)#ip inspect ?
L2-transparent Transparent Mode commands
WAAS Firewall and Cisco WAE interoperability configuration
alert-off Disable alert
audit-trail Enable the logging of session information (addresses and
bytes)
dns-timeout Specify timeout for DNS
hashtable-size Specify size of hashtable
log Inspect packet logging
max-incomplete Specify maximum number of incomplete connections before
clamping
name Specify an inspection rule
one-minute Specify one-minute-sample watermarks for clamping
redundancy Redundancy settings for firewall sessions
tcp Config timeout values for tcp connections
udp Config timeout values for udp flows
<cr>
R1(config)#ip inspect name ?
WORD Name of inspection defined (16 characters max)
R1(config)#ip inspect name autosec_inspect ?
802-11-iapp IEEE 802.11 WLANs WG IAPP
ace-svr ACE Server/Propagation
appfw Application Firewall
appleqtc Apple QuickTime
bgp Border Gateway Protocol
biff Bliff mail notification
bittorrent bittorrent
bootpc Bootstrap Protocol Client
bootps Bootstrap Protocol Server
cddbp CD Database Protocol
cifs CIFS
cisco-fna Cisco FNATIVE
cisco-net-mgmt cisco-net-mgmt
cisco-svcs cisco license/perf/GDP/X.25/ident svcs
cisco-sys Cisco SYSMAINT
cisco-tdp Cisco TDP
cisco-tna Cisco TNATIVE
citrix Citrix IMA/ADMIN/RTMP
citriximaclient Citrix IMA Client
clp Cisco Line Protocol
creativepartnr Creative Partnr
creativeserver Creative Server
cuseeme CUSeeMe Protocol
daytime Daytime (RFC 867)
dbase dBASE Unix
dbcontrol_agent Oracle dbControl Agent po
ddns-v3 Dynamic DNS Version 3
dhcp-failover DHCP Failover
directconnect Direct Connect Version 2.0
discard Discard port
dns Domain Name Server
dnsix DNSIX Securit Attribute Token Map
echo Echo port
edonkey eDonkey
entrust-svc-hdlr Entrust KM/Admin Service Handler
entrust-svcs Entrust sps/aaas/aams
esmtp Extended SMTP
exec Remote Process Execution
fasttrack FastTrack Traffic - KaZaA, Morpheus, Gro
fcip-port FCIP
finger Finger
fragment IP fragment inspection
ftp File Transfer Protocol
ftps FTP over TLS/SSL
gdoi GDOI
giop Oracle GIOP/SSL
gnutella Gnutella Version2 Traffic - BearShare, S
gopher Gopher
gtpv0 GPRS Tunneling Protocol Version 0
gtpv1 GPRS Tunneling Protocol Version 1
h323 H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
h323-annexe H.323 Protocol AnnexE (e.g, MS NetMeetin
h323-nxg H.323 Protocol AnnexG
hp-alarm-mgr HP Performance data alarm manager
hp-collector HP Performance data collector
hp-managed-node HP Performance data managed node
hsrp Hot Standby Router Protocol
http HTTP Protocol
https Secure Hypertext Transfer Protocol
ica ica (Citrix)
icabrowser icabrowser (Citrix)
icmp ICMP Protocol
ident Authentication Service
igmpv3lite IGMP over UDP for SSM
imap IMAP Protocol
imap3 Interactive Mail Access Protocol 3
imaps IMAP over TLS/SSL
ipass IPASS
ipsec-msft Microsoft IPsec NAT-T
ipx IPX
irc Internet Relay Chat Protocol
irc-serv IRC-SERV
ircs IRC over TLS/SSL
ircu IRCU
isakmp ISAKMP
iscsi iSCSI
iscsi-target iSCSI port
kazaa2 Kazaa Version 2
kerberos Kerberos
kermit kermit
l2tp L2TP/L2F
ldap Lightweight Directory Access Protocol
ldap-admin LDAP admin server port
ldaps LDAP over TLS/SSL
login Remote login
lotusmtap Lotus Mail Tracking Agent Protocol
lotusnote Lotus Note
microsoft-ds Microsoft-DS
ms-cluster-net MS Cluster Net
ms-dotnetster Microsoft .NETster Port
ms-sna Microsoft SNA Server/Base
ms-sql Microsoft SQL
ms-sql-m Microsoft SQL Monitor
msexch-routing Microsoft Exchange Routing
mysql MySQL
n2h2server N2H2 Filter Service Port
ncp NCP (Novell)
net8-cman Oracle Net8 Cman/Admin
netbios-dgm NETBIOS Datagram Service
netbios-ns NETBIOS Name Service
netbios-ssn NETBIOS Session Service
netshow Microsoft NetShow Protocol
netstat Variant of systat
nfs Network File System
nntp Network News Transport Protocol
ntp Network Time Protocol
oem-agent OEM Agent (Oracle)
oracle Oracle
oracle-em-vp Oracle EM/VP
oraclenames Oracle Names
orasrv Oracle SQL*Net v1/v2
parameter Specify inspection parameters
pcanywheredata pcANYWHEREdata
pcanywherestat pcANYWHEREstat
pop3 POP3 Protocol
pop3s POP3 over TLS/SSL
pptp PPTP
pwdgen Password Generator Protocol
qmtp Quick Mail Transfer Protocol
r-winsock remote-winsock
radius RADIUS & Accounting
rcmd R commands (r-exec, r-login, r-sh)
rdb-dbs-disp Oracle RDB
realaudio Real Audio Protocol
realsecure ISS Real Secure Console Service Port
router Local Routing Process
rpc Remote Prodedure Call Protocol
rsvd RSVD
rsvp-encap RSVP ENCAPSULATION-1/2
rsvp_tunnel RSVP Tunnel
rtc-pm-port Oracle RTC-PM port
rtelnet Remote Telnet Service
rtsp Real Time Streaming Protocol
send SEND
shell Remote command
sip SIP Protocol
sip-tls SIP-TLS
skinny Skinny Client Control Protocol
sms SMS RCINFO/XFER/CHAT
smtp Simple Mail Transfer Protocol
snmp Simple Network Management Protocol
snmptrap SNMP Trap
socks Socks
sqlnet SQL Net Protocol
sqlserv SQL Services
sqlsrv SQL Service
ssh SSH Remote Login Protocol
sshell SSLshell
ssp State Sync Protocol
streamworks StreamWorks Protocol
stun cisco STUN
syslog SysLog Service
syslog-conn Reliable Syslog Service
tacacs Login Host Protocol (TACACS)
tacacs-ds TACACS-Database Service
tarantella Tarantella
tcp Transmission Control Protocol
telnet Telnet
telnets Telnet over TLS/SSL
tftp TFTP Protocol
time Time
timed Time server
tr-rsrb cisco RSRB
ttc Oracle TTC/SSL
udp User Datagram Protocol
uucp UUCPD/UUCP-RLOGIN
vdolive VDOLive Protocol
vqp VQP
webster Network Disctionary
who Who's service
winmx WinMx file-sharing application
wins Microsoft WINS
x11 X Window System
xdmcp XDM Control Protocol
C:\Users\PC-A>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\PC-A>ping 192.168.1.1 // PING R1 LAN GATEWAY
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=2ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
C:\Users\John Lloyd>ping 10.1.1.2 // PING R2 SERIAL0/0/0 INTERFACE; NO ICMP INSPECT CONFIGURED ON CBAC IOS FIREWALL
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 192.168.1.3: Destination host unreachable.
Reply from 192.168.1.3: Destination host unreachable.
Reply from 192.168.1.3: Destination host unreachable.
Reply from 192.168.1.3: Destination host unreachable.
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
R1(config)#ip inspect name autosec_inspect icmp timeout 5 // DIDN'T WORK INITIALLY; HAD TO REMOVE AND RE-APPLY CBAC ON INTERFFACE SERIAL0/0/0
C:\Users\John Lloyd>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time=19ms TTL=254
Reply from 10.1.1.2: bytes=32 time=18ms TTL=254
Reply from 10.1.1.2: bytes=32 time=18ms TTL=254
Reply from 10.1.1.2: bytes=32 time=18ms TTL=254
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 18ms, Maximum = 19ms, Average = 18ms
R1#show ip inspect sessions detail
Established Sessions
Session 65EC96E8 (192.168.1.3:8)=>(10.1.1.2:0) icmp SIS_OPEN
Created 00:00:30, Last heard 00:00:00
ECHO request
Bytes sent (initiator:responder) [928:928]
In SID 10.1.1.2[0:0]=>192.168.1.3[0:0] on ACL autosec_firewall_acl (29 matches)
In SID 0.0.0.0[0:0]=>192.168.1.3[3:3] on ACL autosec_firewall_acl
In SID 0.0.0.0[0:0]=>192.168.1.3[11:11] on ACL autosec_firewall_acl
R1#show ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 14400 sec -- udp idle-time is 1800 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 7 sec
Inspection Rule Configuration
Inspection name autosec_inspect
cuseeme alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
rcmd alert is on audit-trail is on timeout 3600
realaudio alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
tftp alert is on audit-trail is on timeout 30
udp alert is on audit-trail is on timeout 15
tcp alert is on audit-trail is on timeout 3600
icmp alert is on audit-trail is on timeout 5
Interface Configuration
Interface Serial0/0/0
Inbound inspection rule is not set
Outgoing inspection rule is autosec_inspect
cuseeme alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
rcmd alert is on audit-trail is on timeout 3600
realaudio alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
tftp alert is on audit-trail is on timeout 30
udp alert is on audit-trail is on timeout 15
tcp alert is on audit-trail is on timeout 3600
icmp alert is on audit-trail is on timeout 5
Inbound access list is autosec_firewall_acl
Outgoing access list is not set
Established Sessions
Session 65EC96E8 (192.168.1.3:8)=>(10.1.1.2:0) icmp SIS_OPEN
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
15 permit eigrp any any (588 matches)
20 deny ip any any (136 matches)
R2#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Connection timed out; remote host not responding
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
15 permit eigrp any any (603 matches)
20 deny ip any any (140 matches)
R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#18 permit tcp any any eq 23
R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
Unauthorized Access Prohibited
User Access Verification
Username: admin
Password: <cisco12345>
R1>enable
Password: <cisco12345>
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
15 permit eigrp any any (668 matches)
18 permit tcp any any eq telnet (135 matches)
20 deny ip any any (150 matches)
C:\Users\John Lloyd>telnet 10.1.1.2
User Access Verification
Password:
R2>
R1#show ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 14400 sec -- udp idle-time is 1800 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 7 sec
Inspection Rule Configuration
Inspection name autosec_inspect
cuseeme alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
rcmd alert is on audit-trail is on timeout 3600
realaudio alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
tftp alert is on audit-trail is on timeout 30
udp alert is on audit-trail is on timeout 15
tcp alert is on audit-trail is on timeout 3600
icmp alert is on audit-trail is on timeout 5
Interface Configuration
Interface Serial0/0/0
Inbound inspection rule is not set
Outgoing inspection rule is autosec_inspect
cuseeme alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
rcmd alert is on audit-trail is on timeout 3600
realaudio alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
tftp alert is on audit-trail is on timeout 30
udp alert is on audit-trail is on timeout 15
tcp alert is on audit-trail is on timeout 3600
icmp alert is on audit-trail is on timeout 5
Inbound access list is autosec_firewall_acl
Outgoing access list is not set
Established Sessions
Session 65EC96E8 (192.168.1.3:7985)=>(10.1.1.2:23) tcp SIS_OPEN
R1#show ip inspect sessions detail
Established Sessions
Session 65EC96E8 (192.168.1.3:8062)=>(10.1.1.2:23) tcp SIS_OPEN
Created 00:00:19, Last heard 00:00:15
Bytes sent (initiator:responder) [45:65]
In SID 10.1.1.2[23:23]=>192.168.1.3[8062:8062] on ACL autosec_firewall_acl (16 matches)
R2#ping 10.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2#ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R3#show run
Building configuration...
Current configuration : 1181 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
!
router eigrp 101
network 10.2.2.0 0.0.0.3
network 192.168.3.0
no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
password 7 0822455D0A1606181C1B0D1739
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 00071A1507540A1317314D5D1A
login
line vty 0 4
exec-timeout 5 0
password 7 094F471A1A0A0106121C053938
login
!
scheduler allocate 20000 1000
end
R3(config)#enable secret cisco12345
R3(config)#ip http server // ENABLE WEB SERVER
R3(config)#username admin privilege 15 secret cisco12345
R3(config)#ip http authentication local // CCP TO USE LOCAL ROUTER DATABASE
class-map type inspect match-all ccp-invalid-src
match access-group 100
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any
class-map type inspect match-any SDM_EIGRP
match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
match class-map SDM_EIGRP_TRAFFIC
policy-map type inspect ccp-permit
class type inspect SDM_EIGRP_PT
pass
class class-default
drop
ip access-list extended SDM_EIGRP
remark CCP_ACL Category=1
permit eigrp any any
R3#show run
Building configuration...
Current configuration : 4383 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$ypyC$Vgw4aKTh9ldDPDP4hm3gv.
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 secret 5 $1$iPbz$1Jkudbr.B0fC6vShWsrWU0
archive
log config
hidekeys
!
!
!
!
!
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_EIGRP
match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
match class-map SDM_EIGRP_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EIGRP_PT
pass
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.3.1 255.255.255.0
zone-member security in-zone
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
description $FW_OUTSIDE$
ip address 10.2.2.1 255.255.255.252
zone-member security out-zone
!
router eigrp 101
network 10.2.2.0 0.0.0.3
network 192.168.3.0
no auto-summary
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
!
ip access-list extended SDM_EIGRP
remark CCP_ACL Category=1
permit eigrp any any
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
password 7 0822455D0A1606181C1B0D1739
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 00071A1507540A1317314D5D1A
login
line vty 0 4
exec-timeout 5 0
password 7 094F471A1A0A0106121C053938
login
!
scheduler allocate 20000 1000
end
R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/30 is subnetted, 2 subnets
C 10.2.2.0 is directly connected, Serial0/0/1
D 10.1.1.0 [90/2681856] via 10.2.2.2, 00:40:27, Serial0/0/1
D 192.168.1.0/24 [90/2684416] via 10.2.2.2, 00:39:36, Serial0/0/1
C 192.168.3.0/24 is directly connected, FastEthernet0/1
C:\Users\PC-C>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.3.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1
C:\Users\John Lloyd>ping 10.2.2.2
Pinging 10.2.2.2 with 32 bytes of data:
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Ping statistics for 10.2.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 18ms, Maximum = 18ms, Average = 18ms
R2#ping 192.168.3.3 // ZBF POLICY ALLOW PING FROM R3 TO ANY IP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
R2#telnet 10.2.2.1 // TELNET TRAFFIC UNDER DEFAULT CLASS FROM OUTSIDE TO R3 IS DROPED
Trying 10.2.2.1 ...
% Connection timed out; remote host not responding
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EIGRP_PT
pass
class class-default
drop
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
C:\Users\PC-C>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.3.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1
C:\Users\John Lloyd>telnet 10.2.2.2
User Access Verification
Password: <ciscovtypass>
R2>
R3#show policy-map ?
WORD policy-map name
apn Show APN related policy information
control-plane Show Control Plane policy
interface Show Qos Policy Interface
session Show session Qos Policy
type type of the policy-map
| Output modifiers
<cr>
R3#show policy-map type ?
NAT NAT Policymap
access-control access-control specific policy-map
control Control policy-maps
inspect Firewall Policy-map
logging Control-plane packet logging
port-filter Control-plane tcp/udp port filtering
queue-threshold Control-plane protocol queue limiting
R3#show policy-map type inspect ?
WORD Policy-map name
condition-debugging Condition Debugging Settings
h323 H323
http HTTP
im IM
imap IMAP
p2p P2P
pop3 POP3
sip SIP
smtp SMTP
sunrpc RPC
urlfilter URLF
zone-pair Security zone-pair
| Output modifiers
<cr>
R3#show policy-map type inspect zone-pair ?
WORD Security zone-pair name
sessions Inspect sessions information
urlfilter URLFiltering information
| Output modifiers
<cr>
R3#show policy-map type inspect zone-pair sessions
policy exists on zp ccp-zp-self-out
Zone-pair: ccp-zp-self-out
Service-policy inspect : ccp-permit-icmpreply
Class-map: ccp-icmp-access (match-all)
Match: class-map match-any ccp-cls-icmp-access
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Pass
427 packets, 17080 bytes
policy exists on zp ccp-zp-in-out
Zone-pair: ccp-zp-in-out
Service-policy inspect : ccp-inspect
Class-map: ccp-invalid-src (match-all)
Match: access-group 100
Drop
0 packets, 0 bytes
Class-map: ccp-protocol-http (match-all)
Match: protocol http
Inspect
Class-map: ccp-insp-traffic (match-all)
Match: class-map match-any ccp-cls-insp-traffic
Match: protocol cuseeme
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imap
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pop3
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol netshow
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol shell
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol realmedia
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol rtsp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp extended
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol sql-net
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol streamworks
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol tftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol vdolive
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 1
Established Sessions
Session 65B74A00 (192.168.3.3:3724)=>(10.2.2.2:23) tacacs:tcp SIS_OPEN
Created 00:01:09, Last heard 00:01:05
Bytes sent (initiator:responder) [45:65]
Class-map: ccp-sip-inspect (match-any)
Match: protocol sip
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-h323-inspect (match-any)
Match: protocol h323
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-h323annexe-inspect (match-any)
Match: protocol h323-annexe
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-h225ras-inspect (match-any)
Match: protocol h225ras
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-h323nxg-inspect (match-any)
Match: protocol h323-nxg
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-skinny-inspect (match-any)
Match: protocol skinny
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
policy exists on zp ccp-zp-out-self
Zone-pair: ccp-zp-out-self
Service-policy inspect : ccp-permit
Class-map: SDM_EIGRP_PT (match-all)
Match: class-map match-any SDM_EIGRP_TRAFFIC
Match: class-map match-any SDM_EIGRP
0 packets, 0 bytes
30 second rate 0 bps
Match: access-group name SDM_EIGRP
0 packets, 0 bytes
30 second rate 0 bps
Pass
862 packets, 34480 bytes
Class-map: class-default (match-any)
Match: any
Drop
8 packets, 256 bytes
I've read some rants from network and security admins (that includes me) that they don't like configuring a firewall on a Cisco IOS router. They would rather spend on a dedicated firewall or a Unified Threat Management (UTM) appliance. Below is the IOS firewall lab I did which includes the legacy CBAC and the new Zone-Based Firewall (ZBF) approach.
R1(config)#interface fastethernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
*May 31 00:05:12.119: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#interface serial 0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#
*May 31 00:05:35.291: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*May 31 00:05:36.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R1(config-if)#clock rate 64000
R2(config)#no ip domain-lookup
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*May 31 00:06:35.435: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*May 31 00:06:36.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config-if)#clock rate 64000
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*May 31 00:09:59.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R1(config)#router eigrp 101
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#network 10.1.1.0 0.0.0.3
R1(config-router)#no auto-summary
R2(config)#router eigrp 101
R2(config-router)#network 10.1.1.0 0.0.0.3
*May 31 00:12:33.539: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.1 (Serial0/0/0) is up: new adjacency
R2(config-router)#network 10.2.2.0 0.0.0.3
R2(config-router)#no auto-summary
R2(config-router)#
*May 31 00:12:46.223: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.1 (Serial0/0/0) is resync: summary configured
R3(config)#router eigrp 101
R3(config-router)#network 192.168.3.0 0.0.0.255
R3(config-router)#network 10.2.2.0 0.0.0.3
*May 31 00:14:39.403: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.2.2.2 (Serial0/0/1) is up: new adjacenc
R3(config-router)#no auto-summary
R3(config-router)#
*May 31 00:14:44.471: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.2.2.2 (Serial0/0/1) is resync: summary configured
R1#ping 192.168.3.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/55/56 ms
R1(config)#security passwords min-length 10
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#line aux 0
R1(config-line)#password ciscoauxpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R2(config)#line console 0
R2(config-line)#password ciscoconpass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R2(config-line)#logging synchronous
R2(config-line)#line aux 0
R2(config-line)#password ciscoauxpass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R2(config-line)#line vty 0 4
R2(config-line)#password ciscovtypass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R3(config)#line console 0
R3(config-line)#password ciscoconpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous
R3(config-line)#line aux 0
R3(config-line)#password ciscoauxpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#line vty 0 4
R3(config-line)#password ciscovtypass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R1(config)#ip http server
R1(config)#service password-encryption
R1(config)#do show run
Building configuration...
Current configuration : 1367 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
/line
filtering...
line con 0
exec-timeout 5 0
password 7 094F471A1A0A141D051C053938
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 0822455D0A1604020A1B0D1739
login
line vty 0 4
exec-timeout 5 0
password 7 121A0C0411041A10333B253B20
login
!
scheduler allocate 20000 1000
end
R2(config)#service password-encryption
R3(config)#service password-encryption
R2#ping 10.1.1.1 // PING R1 SERIAL INTERFACE
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R2#ping 192.168.1.3 // PING TO PC-A
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R1#show run
Building configuration...
Current configuration : 1367 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
no fair-queue
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
password 7 094F471A1A0A141D051C053938
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 0822455D0A1604020A1B0D1739
login
line vty 0 4
exec-timeout 5 0
password 7 121A0C0411041A10333B253B20
login
!
scheduler allocate 20000 1000
end
R1#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 192.168.1.1 YES manual up up
Serial0/0/0 10.1.1.1 YES manual up up
Serial0/0/1 unassigned YES unset administratively down down
Serial0/1/0 unassigned YES unset administratively down down
Serial0/1/1 unassigned YES unset administratively down down
Enter the interface name that is facing the internet: serial0/0/0
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
$ Unauthorized Access Prohibited $
Enable secret is either not configured or
is the same as enable password
Enter the new enable secret: <cisco12345>
Confirm the enable secret : <cisco12345>
Enter the new enable password: <cisco67890>
Confirm the enable password: <cisco67890>
Configuration of local user database
Enter the username: admin
Enter the password: <cisco12345>
Confirm the password: <cisco12345>
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 60
Maximum Login failures with the device: 2
Maximum time period for crossing the failed login attempts: 30
Configure SSH server? [yes]: no
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling unicast rpf on all interfaces connected
to internet
Configure CBAC Firewall feature? [yes/no]: yes // AUTO SECURE GENERATES CBAC; CCP GENERATES ZBF
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C Unauthorized Access Prohibited ^C
security authentication failure rate 10 log
enable secret 5 $1$NVLg$tnPQZvEIENzUemrBZK6xh1
enable password 7 14141B180F0B7C7C7C7163
username admin password 7 104D000A061843595F507F
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
line tty 1
login authentication local_auth
exec-timeout 15 0
login block-for 60 attempts 2 within 30
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial0/0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/1/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/1/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
access-list 100 permit udp any any eq bootpc
interface Serial0/0/0
ip verify unicast source reachable-via rx allow-default 100
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface Serial0/0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
!
end
Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config
R1#
000042: *May 31 00:56:02.159 UTC: %AUTOSEC-1-MODIFIED: AutoSecure configuration has been Modified on this device
R1#show run
Building configuration...
Current configuration : 3412 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 10
logging message-counter syslog
logging buffered 4096
logging console critical
enable secret 5 $1$NVLg$tnPQZvEIENzUemrBZK6xh1
enable password 7 14141B180F0B7C7C7C7163
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip inspect audit-trail // CBAC DOES STATEFUL PACKET INSPECTION; ALLOW RETURN TRAFFIC INITIATED FROM INSIDE HOST
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
login block-for 60 attempts 2 within 30
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
username admin password 7 104D000A061843595F507F
archive
log config
logging enable
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip access-group autosec_firewall_acl in
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect autosec_inspect out
snmp trap ip verify drop-rate
no fair-queue
clock rate 64000
!
interface Serial0/0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
clock rate 2000000
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
banner motd ^C Unauthorized Access Prohibited ^C
!
line con 0
exec-timeout 5 0
password 7 094F471A1A0A141D051C053938
logging synchronous
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
password 7 0822455D0A1604020A1B0D1739
login authentication local_auth
transport output telnet
line vty 0 4
exec-timeout 5 0
password 7 121A0C0411041A10333B253B20
login authentication local_auth
transport input telnet
!
scheduler allocate 20000 1000
end
R1#show access-list autosec_firewall_acl // AUTOSECURE CBAC FIREWALL BLOCKED EIGRP TRAFFIC BY DEFAULT
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
20 deny ip any any (61 matches)
R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#15 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
object-group Service object group
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
R1(config-ext-nacl)#15 permit eigrp any any
R1(config-ext-nacl)#do show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
15 permit eigrp any any (10 matches)
20 deny ip any any (102 matches)
R1#
000043: *May 31 00:56:14.275 UTC: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.2 (Serial0/0/0) is down: holding time expired
000044: *May 31 01:00:01.675 UTC: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.2 (Serial0/0/0) is up: new adjacency
000045: *May 31 01:05:17.379 UTC: %SYS-5-CONFIG_I: Configured from console by console
R1(config)#ip inspect ?
L2-transparent Transparent Mode commands
WAAS Firewall and Cisco WAE interoperability configuration
alert-off Disable alert
audit-trail Enable the logging of session information (addresses and
bytes)
dns-timeout Specify timeout for DNS
hashtable-size Specify size of hashtable
log Inspect packet logging
max-incomplete Specify maximum number of incomplete connections before
clamping
name Specify an inspection rule
one-minute Specify one-minute-sample watermarks for clamping
redundancy Redundancy settings for firewall sessions
tcp Config timeout values for tcp connections
udp Config timeout values for udp flows
<cr>
R1(config)#ip inspect name ?
WORD Name of inspection defined (16 characters max)
R1(config)#ip inspect name autosec_inspect ?
802-11-iapp IEEE 802.11 WLANs WG IAPP
ace-svr ACE Server/Propagation
appfw Application Firewall
appleqtc Apple QuickTime
bgp Border Gateway Protocol
biff Bliff mail notification
bittorrent bittorrent
bootpc Bootstrap Protocol Client
bootps Bootstrap Protocol Server
cddbp CD Database Protocol
cifs CIFS
cisco-fna Cisco FNATIVE
cisco-net-mgmt cisco-net-mgmt
cisco-svcs cisco license/perf/GDP/X.25/ident svcs
cisco-sys Cisco SYSMAINT
cisco-tdp Cisco TDP
cisco-tna Cisco TNATIVE
citrix Citrix IMA/ADMIN/RTMP
citriximaclient Citrix IMA Client
clp Cisco Line Protocol
creativepartnr Creative Partnr
creativeserver Creative Server
cuseeme CUSeeMe Protocol
daytime Daytime (RFC 867)
dbase dBASE Unix
dbcontrol_agent Oracle dbControl Agent po
ddns-v3 Dynamic DNS Version 3
dhcp-failover DHCP Failover
directconnect Direct Connect Version 2.0
discard Discard port
dns Domain Name Server
dnsix DNSIX Securit Attribute Token Map
echo Echo port
edonkey eDonkey
entrust-svc-hdlr Entrust KM/Admin Service Handler
entrust-svcs Entrust sps/aaas/aams
esmtp Extended SMTP
exec Remote Process Execution
fasttrack FastTrack Traffic - KaZaA, Morpheus, Gro
fcip-port FCIP
finger Finger
fragment IP fragment inspection
ftp File Transfer Protocol
ftps FTP over TLS/SSL
gdoi GDOI
giop Oracle GIOP/SSL
gnutella Gnutella Version2 Traffic - BearShare, S
gopher Gopher
gtpv0 GPRS Tunneling Protocol Version 0
gtpv1 GPRS Tunneling Protocol Version 1
h323 H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
h323-annexe H.323 Protocol AnnexE (e.g, MS NetMeetin
h323-nxg H.323 Protocol AnnexG
hp-alarm-mgr HP Performance data alarm manager
hp-collector HP Performance data collector
hp-managed-node HP Performance data managed node
hsrp Hot Standby Router Protocol
http HTTP Protocol
https Secure Hypertext Transfer Protocol
ica ica (Citrix)
icabrowser icabrowser (Citrix)
icmp ICMP Protocol
ident Authentication Service
igmpv3lite IGMP over UDP for SSM
imap IMAP Protocol
imap3 Interactive Mail Access Protocol 3
imaps IMAP over TLS/SSL
ipass IPASS
ipsec-msft Microsoft IPsec NAT-T
ipx IPX
irc Internet Relay Chat Protocol
irc-serv IRC-SERV
ircs IRC over TLS/SSL
ircu IRCU
isakmp ISAKMP
iscsi iSCSI
iscsi-target iSCSI port
kazaa2 Kazaa Version 2
kerberos Kerberos
kermit kermit
l2tp L2TP/L2F
ldap Lightweight Directory Access Protocol
ldap-admin LDAP admin server port
ldaps LDAP over TLS/SSL
login Remote login
lotusmtap Lotus Mail Tracking Agent Protocol
lotusnote Lotus Note
microsoft-ds Microsoft-DS
ms-cluster-net MS Cluster Net
ms-dotnetster Microsoft .NETster Port
ms-sna Microsoft SNA Server/Base
ms-sql Microsoft SQL
ms-sql-m Microsoft SQL Monitor
msexch-routing Microsoft Exchange Routing
mysql MySQL
n2h2server N2H2 Filter Service Port
ncp NCP (Novell)
net8-cman Oracle Net8 Cman/Admin
netbios-dgm NETBIOS Datagram Service
netbios-ns NETBIOS Name Service
netbios-ssn NETBIOS Session Service
netshow Microsoft NetShow Protocol
netstat Variant of systat
nfs Network File System
nntp Network News Transport Protocol
ntp Network Time Protocol
oem-agent OEM Agent (Oracle)
oracle Oracle
oracle-em-vp Oracle EM/VP
oraclenames Oracle Names
orasrv Oracle SQL*Net v1/v2
parameter Specify inspection parameters
pcanywheredata pcANYWHEREdata
pcanywherestat pcANYWHEREstat
pop3 POP3 Protocol
pop3s POP3 over TLS/SSL
pptp PPTP
pwdgen Password Generator Protocol
qmtp Quick Mail Transfer Protocol
r-winsock remote-winsock
radius RADIUS & Accounting
rcmd R commands (r-exec, r-login, r-sh)
rdb-dbs-disp Oracle RDB
realaudio Real Audio Protocol
realsecure ISS Real Secure Console Service Port
router Local Routing Process
rpc Remote Prodedure Call Protocol
rsvd RSVD
rsvp-encap RSVP ENCAPSULATION-1/2
rsvp_tunnel RSVP Tunnel
rtc-pm-port Oracle RTC-PM port
rtelnet Remote Telnet Service
rtsp Real Time Streaming Protocol
send SEND
shell Remote command
sip SIP Protocol
sip-tls SIP-TLS
skinny Skinny Client Control Protocol
sms SMS RCINFO/XFER/CHAT
smtp Simple Mail Transfer Protocol
snmp Simple Network Management Protocol
snmptrap SNMP Trap
socks Socks
sqlnet SQL Net Protocol
sqlserv SQL Services
sqlsrv SQL Service
ssh SSH Remote Login Protocol
sshell SSLshell
ssp State Sync Protocol
streamworks StreamWorks Protocol
stun cisco STUN
syslog SysLog Service
syslog-conn Reliable Syslog Service
tacacs Login Host Protocol (TACACS)
tacacs-ds TACACS-Database Service
tarantella Tarantella
tcp Transmission Control Protocol
telnet Telnet
telnets Telnet over TLS/SSL
tftp TFTP Protocol
time Time
timed Time server
tr-rsrb cisco RSRB
ttc Oracle TTC/SSL
udp User Datagram Protocol
uucp UUCPD/UUCP-RLOGIN
vdolive VDOLive Protocol
vqp VQP
webster Network Disctionary
who Who's service
winmx WinMx file-sharing application
wins Microsoft WINS
x11 X Window System
xdmcp XDM Control Protocol
C:\Users\PC-A>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\PC-A>ping 192.168.1.1 // PING R1 LAN GATEWAY
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=2ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
C:\Users\John Lloyd>ping 10.1.1.2 // PING R2 SERIAL0/0/0 INTERFACE; NO ICMP INSPECT CONFIGURED ON CBAC IOS FIREWALL
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 192.168.1.3: Destination host unreachable.
Reply from 192.168.1.3: Destination host unreachable.
Reply from 192.168.1.3: Destination host unreachable.
Reply from 192.168.1.3: Destination host unreachable.
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
R1(config)#ip inspect name autosec_inspect icmp timeout 5 // DIDN'T WORK INITIALLY; HAD TO REMOVE AND RE-APPLY CBAC ON INTERFFACE SERIAL0/0/0
C:\Users\John Lloyd>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time=19ms TTL=254
Reply from 10.1.1.2: bytes=32 time=18ms TTL=254
Reply from 10.1.1.2: bytes=32 time=18ms TTL=254
Reply from 10.1.1.2: bytes=32 time=18ms TTL=254
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 18ms, Maximum = 19ms, Average = 18ms
R1#show ip inspect sessions detail
Established Sessions
Session 65EC96E8 (192.168.1.3:8)=>(10.1.1.2:0) icmp SIS_OPEN
Created 00:00:30, Last heard 00:00:00
ECHO request
Bytes sent (initiator:responder) [928:928]
In SID 10.1.1.2[0:0]=>192.168.1.3[0:0] on ACL autosec_firewall_acl (29 matches)
In SID 0.0.0.0[0:0]=>192.168.1.3[3:3] on ACL autosec_firewall_acl
In SID 0.0.0.0[0:0]=>192.168.1.3[11:11] on ACL autosec_firewall_acl
R1#show ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 14400 sec -- udp idle-time is 1800 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 7 sec
Inspection Rule Configuration
Inspection name autosec_inspect
cuseeme alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
rcmd alert is on audit-trail is on timeout 3600
realaudio alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
tftp alert is on audit-trail is on timeout 30
udp alert is on audit-trail is on timeout 15
tcp alert is on audit-trail is on timeout 3600
icmp alert is on audit-trail is on timeout 5
Interface Configuration
Interface Serial0/0/0
Inbound inspection rule is not set
Outgoing inspection rule is autosec_inspect
cuseeme alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
rcmd alert is on audit-trail is on timeout 3600
realaudio alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
tftp alert is on audit-trail is on timeout 30
udp alert is on audit-trail is on timeout 15
tcp alert is on audit-trail is on timeout 3600
icmp alert is on audit-trail is on timeout 5
Inbound access list is autosec_firewall_acl
Outgoing access list is not set
Established Sessions
Session 65EC96E8 (192.168.1.3:8)=>(10.1.1.2:0) icmp SIS_OPEN
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
15 permit eigrp any any (588 matches)
20 deny ip any any (136 matches)
R2#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Connection timed out; remote host not responding
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
15 permit eigrp any any (603 matches)
20 deny ip any any (140 matches)
R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#18 permit tcp any any eq 23
R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
Unauthorized Access Prohibited
User Access Verification
Username: admin
Password: <cisco12345>
R1>enable
Password: <cisco12345>
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
15 permit eigrp any any (668 matches)
18 permit tcp any any eq telnet (135 matches)
20 deny ip any any (150 matches)
C:\Users\John Lloyd>telnet 10.1.1.2
User Access Verification
Password:
R2>
R1#show ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 14400 sec -- udp idle-time is 1800 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 7 sec
Inspection Rule Configuration
Inspection name autosec_inspect
cuseeme alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
rcmd alert is on audit-trail is on timeout 3600
realaudio alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
tftp alert is on audit-trail is on timeout 30
udp alert is on audit-trail is on timeout 15
tcp alert is on audit-trail is on timeout 3600
icmp alert is on audit-trail is on timeout 5
Interface Configuration
Interface Serial0/0/0
Inbound inspection rule is not set
Outgoing inspection rule is autosec_inspect
cuseeme alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
rcmd alert is on audit-trail is on timeout 3600
realaudio alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
tftp alert is on audit-trail is on timeout 30
udp alert is on audit-trail is on timeout 15
tcp alert is on audit-trail is on timeout 3600
icmp alert is on audit-trail is on timeout 5
Inbound access list is autosec_firewall_acl
Outgoing access list is not set
Established Sessions
Session 65EC96E8 (192.168.1.3:7985)=>(10.1.1.2:23) tcp SIS_OPEN
R1#show ip inspect sessions detail
Established Sessions
Session 65EC96E8 (192.168.1.3:8062)=>(10.1.1.2:23) tcp SIS_OPEN
Created 00:00:19, Last heard 00:00:15
Bytes sent (initiator:responder) [45:65]
In SID 10.1.1.2[23:23]=>192.168.1.3[8062:8062] on ACL autosec_firewall_acl (16 matches)
R2#ping 10.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2#ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R3#show run
Building configuration...
Current configuration : 1181 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
!
router eigrp 101
network 10.2.2.0 0.0.0.3
network 192.168.3.0
no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
password 7 0822455D0A1606181C1B0D1739
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 00071A1507540A1317314D5D1A
login
line vty 0 4
exec-timeout 5 0
password 7 094F471A1A0A0106121C053938
login
!
scheduler allocate 20000 1000
end
R3(config)#enable secret cisco12345
R3(config)#ip http server // ENABLE WEB SERVER
R3(config)#username admin privilege 15 secret cisco12345
R3(config)#ip http authentication local // CCP TO USE LOCAL ROUTER DATABASE
class-map type inspect match-all ccp-invalid-src
match access-group 100
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any
class-map type inspect match-any SDM_EIGRP
match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
match class-map SDM_EIGRP_TRAFFIC
policy-map type inspect ccp-permit
class type inspect SDM_EIGRP_PT
pass
class class-default
drop
ip access-list extended SDM_EIGRP
remark CCP_ACL Category=1
permit eigrp any any
R3#show run
Building configuration...
Current configuration : 4383 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$ypyC$Vgw4aKTh9ldDPDP4hm3gv.
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 secret 5 $1$iPbz$1Jkudbr.B0fC6vShWsrWU0
archive
log config
hidekeys
!
!
!
!
!
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_EIGRP
match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
match class-map SDM_EIGRP_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EIGRP_PT
pass
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.3.1 255.255.255.0
zone-member security in-zone
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
description $FW_OUTSIDE$
ip address 10.2.2.1 255.255.255.252
zone-member security out-zone
!
router eigrp 101
network 10.2.2.0 0.0.0.3
network 192.168.3.0
no auto-summary
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
!
ip access-list extended SDM_EIGRP
remark CCP_ACL Category=1
permit eigrp any any
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
password 7 0822455D0A1606181C1B0D1739
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 00071A1507540A1317314D5D1A
login
line vty 0 4
exec-timeout 5 0
password 7 094F471A1A0A0106121C053938
login
!
scheduler allocate 20000 1000
end
R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/30 is subnetted, 2 subnets
C 10.2.2.0 is directly connected, Serial0/0/1
D 10.1.1.0 [90/2681856] via 10.2.2.2, 00:40:27, Serial0/0/1
D 192.168.1.0/24 [90/2684416] via 10.2.2.2, 00:39:36, Serial0/0/1
C 192.168.3.0/24 is directly connected, FastEthernet0/1
C:\Users\PC-C>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.3.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1
C:\Users\John Lloyd>ping 10.2.2.2
Pinging 10.2.2.2 with 32 bytes of data:
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Ping statistics for 10.2.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 18ms, Maximum = 18ms, Average = 18ms
R2#ping 192.168.3.3 // ZBF POLICY ALLOW PING FROM R3 TO ANY IP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
R2#telnet 10.2.2.1 // TELNET TRAFFIC UNDER DEFAULT CLASS FROM OUTSIDE TO R3 IS DROPED
Trying 10.2.2.1 ...
% Connection timed out; remote host not responding
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EIGRP_PT
pass
class class-default
drop
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
C:\Users\PC-C>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.3.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1
C:\Users\John Lloyd>telnet 10.2.2.2
User Access Verification
Password: <ciscovtypass>
R2>
R3#show policy-map ?
WORD policy-map name
apn Show APN related policy information
control-plane Show Control Plane policy
interface Show Qos Policy Interface
session Show session Qos Policy
type type of the policy-map
| Output modifiers
<cr>
R3#show policy-map type ?
NAT NAT Policymap
access-control access-control specific policy-map
control Control policy-maps
inspect Firewall Policy-map
logging Control-plane packet logging
port-filter Control-plane tcp/udp port filtering
queue-threshold Control-plane protocol queue limiting
R3#show policy-map type inspect ?
WORD Policy-map name
condition-debugging Condition Debugging Settings
h323 H323
http HTTP
im IM
imap IMAP
p2p P2P
pop3 POP3
sip SIP
smtp SMTP
sunrpc RPC
urlfilter URLF
zone-pair Security zone-pair
| Output modifiers
<cr>
R3#show policy-map type inspect zone-pair ?
WORD Security zone-pair name
sessions Inspect sessions information
urlfilter URLFiltering information
| Output modifiers
<cr>
R3#show policy-map type inspect zone-pair sessions
policy exists on zp ccp-zp-self-out
Zone-pair: ccp-zp-self-out
Service-policy inspect : ccp-permit-icmpreply
Class-map: ccp-icmp-access (match-all)
Match: class-map match-any ccp-cls-icmp-access
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Pass
427 packets, 17080 bytes
policy exists on zp ccp-zp-in-out
Zone-pair: ccp-zp-in-out
Service-policy inspect : ccp-inspect
Class-map: ccp-invalid-src (match-all)
Match: access-group 100
Drop
0 packets, 0 bytes
Class-map: ccp-protocol-http (match-all)
Match: protocol http
Inspect
Class-map: ccp-insp-traffic (match-all)
Match: class-map match-any ccp-cls-insp-traffic
Match: protocol cuseeme
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imap
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pop3
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol netshow
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol shell
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol realmedia
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol rtsp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp extended
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol sql-net
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol streamworks
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol tftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol vdolive
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 1
Established Sessions
Session 65B74A00 (192.168.3.3:3724)=>(10.2.2.2:23) tacacs:tcp SIS_OPEN
Created 00:01:09, Last heard 00:01:05
Bytes sent (initiator:responder) [45:65]
Class-map: ccp-sip-inspect (match-any)
Match: protocol sip
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-h323-inspect (match-any)
Match: protocol h323
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-h323annexe-inspect (match-any)
Match: protocol h323-annexe
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-h225ras-inspect (match-any)
Match: protocol h225ras
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-h323nxg-inspect (match-any)
Match: protocol h323-nxg
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-skinny-inspect (match-any)
Match: protocol skinny
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
policy exists on zp ccp-zp-out-self
Zone-pair: ccp-zp-out-self
Service-policy inspect : ccp-permit
Class-map: SDM_EIGRP_PT (match-all)
Match: class-map match-any SDM_EIGRP_TRAFFIC
Match: class-map match-any SDM_EIGRP
0 packets, 0 bytes
30 second rate 0 bps
Match: access-group name SDM_EIGRP
0 packets, 0 bytes
30 second rate 0 bps
Pass
862 packets, 34480 bytes
Class-map: class-default (match-any)
Match: any
Drop
8 packets, 256 bytes