Specifications
Chapter 2 Configuring Security Features
Configuring Firewalls
2-8
Cisco 1700 Series Router Software Configuration Guide
78-5407-03
Configuring Extended Numbered Access Lists
In the following example, access list 102, an extended numbered access list, is
defined. The first command permits any incoming TCP messages with destination
ports greater than 1023. The second command permits incoming TCP messages
to the Simple Mail Transfer Protocol (SMTP) port of host 128.88.1.2. The third
command permits incoming Internet Control Message Protocol (ICMP) messages
for error feedback.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 255.255.255.255
The following commands tie the access group to a specific interface on the router
and specify that incoming packets are to be permitted or denied passage:
interface ethernet 0
ip access-group 102 in
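Before applying an extended access list, it is worth checking exactly which packets each entry matches. The following added example (not from the Cisco guide) parses the three access-list 102 entries above and evaluates constructed sample packets using IOS wildcard-mask, first-match and implicit-deny semantics; note that the all-ones destination wildcard on the ICMP entry matches any destination address, not only the 128.88.0.0 network.

```python
import ipaddress

# The three entries from access list 102 on this page (copied as sample input).
ACL_102 = """
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 255.255.255.255
"""

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_acl(text):
    """Parse 'access-list N action proto src src-wc dst dst-wc [op port]' lines."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        entry = {"action": f[2], "proto": f[3], "src": f[4], "src_wc": f[5],
                 "dst": f[6], "dst_wc": f[7], "op": None, "port": None}
        if len(f) > 8:  # optional destination port operator, e.g. 'gt 1023'
            entry["op"], entry["port"] = f[8], int(f[9])
        entries.append(entry)
    return entries

def port_match(op, port, dport):
    if op is None:
        return True
    return {"eq": dport == port, "neq": dport != port,
            "gt": dport > port, "lt": dport < port}[op]

def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for e in entries:
        if e["proto"] != proto:
            continue
        if not wildcard_match(src, e["src"], e["src_wc"]):
            continue
        if not wildcard_match(dst, e["dst"], e["dst_wc"]):
            continue
        if not port_match(e["op"], e["port"], dport):
            continue
        return e["action"]
    return "deny"  # implicit deny at the end of every access list

if __name__ == "__main__":
    acl = parse_acl(ACL_102)
    # Constructed sample packets: (proto, src, dst, dport)
    for pkt in [("tcp", "10.0.0.5", "128.88.4.4", 8080), ("tcp", "10.0.0.5", "128.88.4.4", 80),
                ("tcp", "10.0.0.5", "128.88.1.2", 25), ("icmp", "10.0.0.5", "192.0.2.9", None)]:
        print(pkt, "->", evaluate(acl, *pkt))
```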
Inspection Rules
Specify which protocols to examine by using the ip inspect name command.
When inspection detects that the specified protocol is passing through the
firewall, a dynamic access list is created to allow the passage of return traffic. The
timeout parameter specifies the length of time the dynamic access list will remain
active without return traffic passing through the router. When a timeout is
reached, the dynamic access list is removed, and subsequent packets (possibly
even valid ones) are not permitted.
For each protocol you want to inspect, enter a line in global configuration mode,
using the following syntax:
ip inspect name inspection-name protocol timeout seconds
Use the same inspection-name in multiple statements to group them into one set
of rules. This set of rules can be activated elsewhere in the configuration by using
the ip inspect inspection-name in | out command when you configure an
interface at the firewall.