Configuring Access Lists on the Interfaces
Consider the following guidelines when configuring ACLs in association
with the Cisco IOS Firewall:
■ Extended ACLs (as opposed to standard ACLs) are required if you
want to dynamically allow return traffic for sessions originated from
the inside.
■ Consider implementing antispoofing ACLs, as discussed in Chapter 5.
■ If you want to enable application layer inspection for a protocol that is
permitted through the firewall, that protocol must also be permitted by
the relevant extended ACLs. For example, if you want to perform
H.323 inspection, your extended ACLs must permit H.323.
Defining Inspection Rules
Inspection rules determine which application layer protocols are inspected at
the firewall interface. Typically, only one inspection rule is defined, and all
the protocols you want to inspect are added to it. The exception to this
scenario is where you want to inspect different protocols in different directions.
You define inspection rules with the ip inspect command. Example 6-1 demonstrates how to configure basic protocol inspection.
Example 6-1 Basic Protocol Inspection
R2(config)#ip inspect name FW tcp alert on audit-trail on timeout 300
R2(config)#ip inspect name FW ftp alert on audit-trail on timeout 300
R2(config)#ip inspect name FW h323 alert on audit-trail on timeout 300
R2(config)#ip inspect name FW udp alert on audit-trail on timeout 300
Example 6-1 defines an inspection rule named FW with four protocols that
will be inspected: generic TCP, FTP, H.323, and generic UDP. When a
packet initiated from the inside interface exits the router, the inspection rule
allows replies to that session to pass through the external interface’s ACL,
provided that the reply packet does not violate any parameters of the protocol.
The alert and audit-trail keywords configure syslog alerting and auditing
for the protocol. The timeout keyword sets the period (in seconds) after
which the dynamic “hole” in the external ACL will be closed if there is no
activity.
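The following script is an added example (not from the book) that parses ip inspect name lines of the form shown in Example 6-1 into a structured rule, so that the per-protocol alert, audit-trail and timeout settings can be reviewed, and applies the guideline that every inspected protocol must also be permitted by the extended ACL. The router prompt, the optional-keyword handling and the set of ACL-permitted application names used for the check are assumptions made here for illustration; real ACL entries list ports rather than application names.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Matches "ip inspect name <rule> <protocol> [alert on|off] [audit-trail on|off] [timeout <s>]",
# optionally preceded by a "hostname(config)#" prompt as in the book's examples.
INSPECT_RE = re.compile(
    r"^(?:\S+\(config\)#)?ip inspect name (?P<name>\S+) (?P<proto>\S+)"
    r"(?: alert (?P<alert>on|off))?"
    r"(?: audit-trail (?P<audit>on|off))?"
    r"(?: timeout (?P<timeout>\d+))?$"
)


@dataclass
class InspectEntry:
    protocol: str
    alert: Optional[str]        # "on", "off", or None when the keyword is absent
    audit_trail: Optional[str]  # same
    timeout: Optional[int]      # idle timeout in seconds, None when not given


def parse_inspect_rules(lines: Iterable[str]) -> Dict[str, List[InspectEntry]]:
    """Group ip inspect name entries by rule name; non-matching lines are ignored."""
    rules: Dict[str, List[InspectEntry]] = {}
    for raw in lines:
        line = " ".join(raw.split())  # collapse wrapped/extra whitespace
        m = INSPECT_RE.match(line)
        if not m:
            continue
        entry = InspectEntry(
            protocol=m["proto"],
            alert=m["alert"],
            audit_trail=m["audit"],
            timeout=int(m["timeout"]) if m["timeout"] else None,
        )
        rules.setdefault(m["name"], []).append(entry)
    return rules


def not_permitted_by_acl(entries: List[InspectEntry], acl_permits: Iterable[str]) -> List[str]:
    """Inspected protocols missing from the set of protocols the extended ACL permits.

    Inspection can only open return-traffic holes for sessions the ACL lets through
    in the first place, so anything returned here is inspected but still blocked.
    """
    return sorted({e.protocol for e in entries} - set(acl_permits))


# Example 6-1, plus one constructed line with no optional keywords.
EXAMPLE_6_1 = """\
R2(config)#ip inspect name FW tcp alert on audit-trail on timeout 300
R2(config)#ip inspect name FW ftp alert on audit-trail on timeout 300
R2(config)#ip inspect name FW h323 alert on audit-trail on timeout 300
R2(config)#ip inspect name FW udp alert on audit-trail on timeout 300
ip inspect name FW smtp
"""

if __name__ == "__main__":
    fw = parse_inspect_rules(EXAMPLE_6_1.splitlines())["FW"]
    for e in fw:
        print(e)
    # Constructed ACL summary: assume the ACL permits tcp, udp and ftp but not h323/smtp.
    print("inspected but not permitted:", not_permitted_by_acl(fw, {"tcp", "udp", "ftp"}))
```

Running it lists each protocol with its settings and reports h323 and smtp as inspected but not permitted by the (constructed) ACL summary, which is exactly the mismatch the guideline above warns about.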
The alert and audit-trail keywords produce log messages only if the global
commands ip inspect audit-trail and no ip inspect alert-off are also configured.
The following output shows representative messages that the router sends when the alert and audit-trail features are active:
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (10.1.1.2:5590) sent 22 bytes -- responder (10.1.1.3:23) sent 88 bytes
%FW-4-ALERT_ON: getting aggressive, count (550/500) current 1-min rate: 250
%FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
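As an added example (not from the book), the following script parses the two message types shown above into records that a log pipeline can act on: the audit-trail message gives the protocol, both endpoints and the bytes each side sent, and the ALERT_ON/ALERT_OFF messages give the session count against the threshold it crossed and the current one-minute rate. The sample lines are constructed from the formats above, and the field names (count, limit, rate) are this script's own; a syslog timestamp or hostname prefix in front of the %FW- tag is tolerated.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, matching the message formats shown in the text.
SAMPLE_LOG = """\
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (10.1.1.2:5590) sent 22 bytes -- responder (10.1.1.3:23) sent 88 bytes
%FW-4-ALERT_ON: getting aggressive, count (550/500) current 1-min rate: 250
%FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
"""

AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: (?P<proto>\w+) session initiator "
    r"\((?P<iip>[\d.]+):(?P<iport>\d+)\) sent (?P<ibytes>\d+) bytes -- responder "
    r"\((?P<rip>[\d.]+):(?P<rport>\d+)\) sent (?P<rbytes>\d+) bytes"
)
ALERT_RE = re.compile(
    r"%FW-4-ALERT_(?P<state>ON|OFF): (?:getting aggressive|calming down), "
    r"count \((?P<count>\d+)/(?P<limit>\d+)\) current 1-min rate: (?P<rate>\d+)"
)


def parse_line(line: str) -> Optional[Dict]:
    """Return a dict for a recognised %FW- message, or None for anything else."""
    m = AUDIT_RE.search(line)  # search(), so a syslog prefix before the tag is fine
    if m:
        return {
            "type": "audit_trail",
            "protocol": m["proto"],
            "initiator": m["iip"], "initiator_port": int(m["iport"]),
            "initiator_bytes": int(m["ibytes"]),
            "responder": m["rip"], "responder_port": int(m["rport"]),
            "responder_bytes": int(m["rbytes"]),
        }
    m = ALERT_RE.search(line)
    if m:
        return {
            "type": "alert",
            "state": m["state"],          # ON = aggressive mode entered, OFF = left
            "count": int(m["count"]),     # session count reported by the router
            "limit": int(m["limit"]),     # threshold the count was compared against
            "rate": int(m["rate"]),       # current 1-minute rate
        }
    return None


def parse_log(text: str) -> List[Dict]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def bytes_by_responder_port(records: List[Dict]) -> Dict[int, int]:
    """Total bytes (both directions) per responder port, from audit-trail records.

    A cheap first cut for spotting sessions to services that should not be reachable.
    """
    totals: Dict[int, int] = {}
    for r in records:
        if r["type"] == "audit_trail":
            port = r["responder_port"]
            totals[port] = totals.get(port, 0) + r["initiator_bytes"] + r["responder_bytes"]
    return totals


def aggressive_events(records: List[Dict]) -> List[Dict]:
    """ALERT_ON records only: the moments the router started aggressive mode."""
    return [r for r in records if r["type"] == "alert" and r["state"] == "ON"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r)
    print("bytes per responder port:", bytes_by_responder_port(recs))
    print("aggressive-mode events:", aggressive_events(recs))
```

The audit-trail record is the one worth shipping to a SIEM per session; the ALERT_ON record is the one worth paging on, since it means the inspection engine has started dropping half-open sessions to protect itself.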