Beruflich Dokumente
Kultur Dokumente
• CBAC
• Turbo ACLs
• Lock and Key ACLs
• Authentication Proxy
• PAM
Router(config)#
0.255.255.255
Austin2(config)# interface e0/1
Austin2(config-if)# ip access-group 2 in
Router(config)#
128.88.3.0 128.88.1.2
Router(config)#
access-list access-list-number {deny | permit}
{protocol-number | protocol-keyword}{source
source-wildcard | any | host} {source-port}
{destination destination-wildcard | any | host}
{destination-port} [established][log | log-input]
Miami(config)# access-list 103 permit tcp any
128.88.0.0 0.0.255.255 established
Miami(config)# access-list 103 permit tcp any host
128.88.1.2 eq smtp
Miami(config)# interface e0/0
Miami(config-if)# ip access-group 103 in
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-11
Extended Named Access List Format
Router(config)#
ip access-list extended access-list-name
Router(config-ext-nacl)#
{deny | permit} {protocol-number | protocol-
keyword} {source source-wildcard | any | host}
{source-port} {destination destination-wildcard
| any | host} {destination-port}
[established][log | log-input]
Miami(config)# ip access-list extended mailblock
Miami(config-ext-nacl)# permit tcp any
128.88.0.0 0.0.255.255 established
Miami(config-ext-nacl)# permit tcp any host
128.88.1.2 eq smtp
Miami(config-ext-nacl)# exit
Router(config)#
remark message
Austin1
s0/0 e0/0
Internet
e0/1
Inbound Outbound
list-name}
Miami# show access-lists
Extended IP access list 102
permit ip any host 128.88.1.6
Extended IP access list mailblock
permit tcp any 128.88.0.0 0.0.255.255
established
Miami#
R2
Router(config)#
access-list compiled
Router#
show access-list compiled
R2(config)# access-list compiled
R2(config)# exit
R2# show access-list compiled
Internet
UDP
Router(config)#
ip inspect audit-trail
• Enables the Syslog server and turns on logging
Router(config)# logging on
Router(config)# logging 10.0.0.3
Router(config)# ip inspect audit-trail
Router(config)#
[no] ip inspect alert-off
• Alert can be turned off
Router(config)#
ip inspect tcp synwait-time seconds
• Specifies the time the Cisco IOS Firewall waits
for a TCP session to reach the established state.
Router(config)#
ip inspect tcp finwait-time seconds
• Specifies the time the Cisco IOS Firewall waits for
a FIN exchange to complete before quitting the
session.
Router(config)#
Router(config)#
ip inspect dns-timeout seconds
• Specifies the time allowed for a DNS session
with no activity.
Router(config)#
Router(config)#
ip inspect max-incomplete low number
• Defines the number of existing halfopened sessions
that cause the software to stop deleting halfopened
sessions.
Router(config)#
Router(config)#
ip inspect one-minute low number
• Defines the number of new halfopened
sessions per minute at which they stop being
deleted.
block-time seconds
• Defines the number of half-opened TCP sessions with the same
host destination address that can exist at a time before the Cisco
IOS Firewall starts deleting half-open sessions to the host.
• After the number of half-opened connections is exceeded to a
given host, the software deletes half-open sessions on that host
in the following manner:
– If block-time is 0, the oldest half-opened session is deleted,
per new connection request, to allow new connections.
– If block-time is greater than 0, all half-opened sessions are
deleted, and new connections to the host are not allowed
during the specified block time.
Router(config)#
Router(config)#
access-list permit acl_num ip_addr
ip port-map appl_name port port_num list acl_num
• Maps a port number to an application for a given host.
Router(config)#
access-list permit acl_num ip_addr wildcard_mask
ip port-map appl_name port port_num list acl_num
• Maps a port number to an application for a given network.
Router(config)#
Router(config)#
Router(config)#
Router(config)#
Router(config)#
Router (config-if)#
ip inspect inspection-name {in | out}
• Applies the named inspection rule to an interface.
• Permit only ICMP traffic initiated in the DMZ.
Router(config)# access-list 104 permit icmp any host 172.16.0.2
Router(config)# access-list 104 permit tcp any host 172.16.0.2
eq www
Router(config)# access-list 104 deny ip any any
• Permit only outward ICMP and HTTP traffic to host 172.16.0.2.
• Apply proper access lists and an inspection rule to the interface.
Router(config)#
no ip inspect
• Removes entire CBAC configuration.
• Resets all global timeouts and thresholds
to the defaults.
• Deletes all existing sessions.
• Removes all associated dynamic ACLs.