When your router is running an IOS image with the Firewall feature set, you can implement CBAC (Context-Based Access Control) as an IOS-based stateful firewall. With such inspection, the router can inspect inbound traffic from the outside (such as the Internet) to the inside network, and it can also inspect outbound traffic from the inside network to the outside. Note that the sample configurations below implement outbound inspection on the WAN (Internet) interface, which regulates outbound traffic from the inside to the Internet.
Typically no inspection is necessary to regulate traffic between inside (non-Internet) interfaces. When no public servers hang off the router and there is only outbound traffic such as Internet browsing (and no inspection is wanted between inside interfaces), there is no reason to implement inspection on an inside interface. Therefore it is common practice to implement inspection on the WAN (Internet) interface to regulate outbound traffic when the router has multiple non-Internet interfaces and/or there is no inbound traffic.
Inspecting Generic Traffic
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uOpf$emfDhaV0/UALCYwjF.iHf/
!
no aaa new-model
ip subnet-zero
no ip source-route
!
ip inspect name OUTBOUND cuseeme
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND h323
ip inspect name OUTBOUND netshow
ip inspect name OUTBOUND rcmd
ip inspect name OUTBOUND realaudio
ip inspect name OUTBOUND rtsp
ip inspect name OUTBOUND sqlnet
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND vdolive
ip inspect name OUTBOUND icmp
ip ssh break-string
isdn switch-type basic-net3
!
!
!
!
!
!
interface Ethernet0
 description LAN
 ip address 192.168.0.16 255.255.255.0
 no ip proxy-arp
 ip nat inside
!
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp authentication chap pap callin
!
interface Dialer1
 description ISP
 ip address negotiated
 ip access-group 121 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect OUTBOUND out
 encapsulation ppp
 no ip split-horizon
 dialer pool 1
 dialer remote-name Cisco1
 dialer idle-timeout 360
 dialer string 08089916001 class DialClass
 dialer hold-queue 10
 dialer load-threshold 20 either
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname host-username
 ppp chap password 7 ****
 ppp pap sent-username username-here password 7 ****
!
ip nat inside source list 23 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
map-class dialer DialClass
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 121 remark **** Permitted inbound packets ****
access-list 121 deny udp any range 137 139 any
access-list 121 deny tcp any range 137 139 any
access-list 121 deny icmp any any echo
access-list 121 permit icmp any any echo-reply
access-list 121 permit icmp any any time-exceeded
access-list 121 permit icmp any any unreachable
access-list 121 deny icmp any any
access-list 121 permit ip any any time-range TIME
access-list 121 deny ip any any log-input
dialer-list 1 protocol ip permit
!
!
line con 0
 exec-timeout 0 0
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 login local
 transport preferred all
 transport input all
 transport output all
!
no rcapi server
!
!
time-range TIME
 periodic daily 0:00 to 23:59
!
!
end
Inspecting Instant Messaging Traffic
1. Medium Security Policy on Application Traffic
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ???????????????????????
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_MEDIUM sip
ip inspect name SDM_MEDIUM sip-tls
ip tcp synwait-time 10
no ip bootp server
ip domain name wtbhome.net
ip name-server 71.242.0.12
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
!
username tborland privilege 15 secret 5 ??????????????
!
!
!
bridge irb
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_MEDIUM out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid wtbhome
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 ******
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no dot11 extension aironet
 no cdp enable
 bridge-group 1
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to Internal Network
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip classless
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 103 in
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
2. High Security Policy on Application Traffic
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 ???????????????????????
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PST -8
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 208.67.222.222 208.67.220.220
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action reset alarm
    port-misuse im action
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny na
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-2642721116
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2642721116
 revocation-check none
 rsakeypair TP-self-signed-2642721116
!
!
crypto pki certificate chain TP-self-signed-2642721116
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32363432 37323131 3136301E 170D3038 30313136 30353033
  34325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36343237
  32313131 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CB9E 16476447 E416F6C1 A994AB08 1525CF8E FA38C653 49ED2B44 34A66AC9
  4D9C2677 71756644 0D54DBB1 11C224E5 4D17EC67 2148384A FE15B177 3C8D3710
  4338044F 6672B697 9FEBC408 EA552F2A 6B2C7035 2E38B6F8 55E09757 0AC5A2
  163FFA91 C26D8443 3EFBDFD1 CE078C9C 350AE5E5 EE866021 491C4362 8476AD3D
  0E930203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
  551D1104 19301782 15526F75 7465722E 796F7572 646F6D61 696E2E63 6F6D301F
  0603551D 23041830 16801444 9A67C06B 63BCAF40 5D467966 AA658D22 F6353430
  1D060355 1D0E0416 0414449A 67C06B63 BCAF405D 467966AA 658D22F6 3534300D
  06092A86 4886F70D 01010405 00038181 005D6986 D31370A4 A327EB4B FF7ED748
  25C11602 76C2A0B7 A0A1D670 7DF73001 BFAEEFF9 E6C4BE6F EB9BF6DC 1FD7D8
  9B571B6E C4A4307C B1A03F91 92EF08BF B249D567 1A46D51D 3405862C A88BFCC7
  AD9B755A B2BB1298 271B6952 7A08CD61 F89A31B6 A2DB9C6F 62B00F6D 7089A7FB
  44D7D866 D527960F 7A138B26 92252C4B D4
  quit
username tborland privilege 15 secret 5 ??????????????
!
!
!
bridge irb
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip inspect SDM_HIGH out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname [my dsl account]
 ppp chap password 0 [password]
 ppp pap sent-username [my_dsl_account] password 0 [password]
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
!
interface BVI1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip tcp adjust-mss 1452
!
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 1 in
 transport input ssh
!
scheduler max-task-time 5000
end
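All three sample configurations share the same shape: a set of "ip inspect name X ..." rules, that rule applied with "ip inspect X out" on the WAN interface, and an inbound access-list on the same interface that CBAC opens return paths through. The following Python linter is an added example (it is not from this page, from Cisco, or from any shipped tool) that reads an IOS running-config and checks exactly those points: every defined rule is applied, every applied rule is defined, an inspect rule that references an appfw policy has that policy configured, the interface with outbound inspection carries an inbound access-group, and that access-list neither contains a broad "permit ip any any" entry nor ends without an explicit deny. The two sample configs inside it are constructed, trimmed down from the page's own listings. Run against the first configuration above, the broad-permit check would report "access-list 121 permit ip any any time-range TIME", since TIME covers 0:00 to 23:59 every day and so admits all inbound traffic regardless of inspection state.

```python
import re
from collections import defaultdict

# Hypothetical CBAC config linter (added example, not Cisco's or the page's code).

def parse_ios_config(text):
    """Split an IOS config into global commands and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():                 # sub-command of the block above
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        m = re.match(r"interface (\S+)$", line)
        current = m.group(1) if m else None
        if m:
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces

def check_inbound_acl(ifname, acl_id, acls):
    """CBAC opens return paths through the inbound ACL, so that ACL must exist,
    must not admit everything, and should fall through to an explicit deny."""
    entries = acls.get(acl_id, [])
    if not entries:
        return [("error", f"{ifname}: access-group {acl_id} is applied inbound but has no entries")]
    findings = []
    for e in entries:
        if re.match(r"permit ip any any", e):
            findings.append(("error", f"{ifname}: ACL {acl_id} entry '{e}' admits all inbound traffic, bypassing CBAC"))
    if not entries[-1].startswith("deny ip any any"):
        findings.append(("warning", f"{ifname}: ACL {acl_id} does not end with an explicit 'deny ip any any'"))
    return findings

def lint_cbac(text):
    """Return (severity, message) findings; an empty list means no issue found."""
    global_lines, interfaces = parse_ios_config(text)
    rules, acls, policies = defaultdict(list), defaultdict(list), set()
    for line in global_lines:
        if m := re.match(r"ip inspect name (\S+) (.+)", line):
            rules[m.group(1)].append(m.group(2))
        elif m := re.match(r"appfw policy-name (\S+)", line):
            policies.add(m.group(1))
        elif (m := re.match(r"access-list (\S+) (.+)", line)) and not m.group(2).startswith("remark"):
            acls[m.group(1)].append(m.group(2))
    findings = []
    for name, protos in rules.items():       # 'ip inspect name X appfw P' needs policy P
        for p in protos:
            if p.startswith("appfw ") and p.split()[1] not in policies:
                findings.append(("error", f"inspect rule {name} references undefined appfw policy {p.split()[1]}"))
    applied = set()
    for ifname, cmds in interfaces.items():
        inbound_acl = next((c.split()[2] for c in cmds if re.match(r"ip access-group \S+ in$", c)), None)
        for cmd in cmds:
            m = re.match(r"ip inspect (\S+) (in|out)$", cmd)
            if not m:
                continue
            name, direction = m.groups()
            applied.add(name)
            if name not in rules:
                findings.append(("error", f"{ifname}: ip inspect {name} {direction} references an undefined rule"))
            if "ip nat inside" in cmds:
                findings.append(("info", f"{ifname}: inspection on an inside interface is usually unnecessary"))
            if direction == "out" and inbound_acl is None:
                findings.append(("error", f"{ifname}: outbound inspection but no inbound access-group; unsolicited inbound traffic is not filtered"))
            elif direction == "out":
                findings.extend(check_inbound_acl(ifname, inbound_acl, acls))
    findings += [("warning", f"inspect rule {n} is defined but not applied to any interface") for n in rules if n not in applied]
    return findings

# Constructed samples, modelled on (but trimmed from) the page's configurations.
SAMPLE_GOOD = """\
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
interface Dialer1
 ip access-group 121 in
 ip nat outside
 ip inspect OUTBOUND out
!
access-list 121 remark **** Permitted inbound packets ****
access-list 121 permit icmp any any echo-reply
access-list 121 deny ip any any log-input
"""

SAMPLE_BAD = """\
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH tcp
ip inspect name UNUSED tcp
!
interface Dialer0
 ip access-group 101 in
 ip inspect SDM_HIGH out
!
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip any any time-range TIME
"""

if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, lint_cbac(cfg) or "clean")
```

Feed it the text of "show running-config" saved to a file; the parser only looks at interface blocks and global lines, so the appfw, dhcp-pool and certificate sub-blocks in the listings above are skipped harmlessly. The second sample deliberately reproduces two mistakes worth catching before a config goes live: an inspect rule that names an appfw policy which was never entered, and an inbound ACL whose last entry is a permit rather than a deny.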
Some discussions
» 801 ISDN access list woes
» Cisco 831 hardened config example?
by aryoba, last modified: 2009-01-21 08:40:39