Home > Articles > Certification > Cisco Certification > CCIE

This chapter is from the book

Section 6.0: IOS Firewall Configuration

6.1: CBAC

6.1.1: Basic CBAC Configuration

  1. Configure basic IOS Firewall ip inspect commands and inspect tcp/udp/http only. Apply inspect outbound on serial links and ingress ACL for filtering.

6.1.2: Firewall Filtering

  1. Inbound ACL on serial links, permit ICMP, OSPF, BGP, and replies from tacacs+ server and host to be able to Telnet to R2.

  2. For anti-spoofing, do a show ip route connected. Whichever networks are listed should be denied in the ACL for source network:

  3. r2#show access-lists 120
    Extended IP access list 120
     deny ip any
     deny ip any
     deny ip any
     permit ospf any any (73740 matches)
     permit tcp any any eq bgp (29682 matches)
     permit tcp any eq bgp any (5155 matches)
     permit icmp any any (314 matches)
     permit tcp host eq tacacs any (100 matches)
     permit tcp host any eq telnet (636 matches) 

6.1.3: Advanced CBAC Configuration

  1. Configure TCP embryonic (half-open) connections as follows:

  2. ip inspect tcp max-incomplete host 200 block-time 0

6.2: Intrusion Detection System (IDS)

6.2.1: Basic IDS Configuration

  1. Configure basic IDS on R4 using the ip audit command set. Use the first example that follows to configure IDS, and use the second example for logs generated when you detect an attack/signature.

  2. NOTE

    Note that communication between IDS and Director is on UDP port 45000.

    ip audit name lab1 info action alarm
    ip audit name lab1 attack action alarm
    interface FastEthernet2/0
     ip address
     ip audit lab1 in
     ip audit lab1 out
     duplex half
    6d23h: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from to

6.2.2: Signature Tuning

  1. If you receive false positive alarms from the IDS on R4, you need to disable signature 3050 for host on R4. The following example demonstrates tuning IDS signatures on R4:

  2. ip audit signature 3050 list 5
    access-list 5 deny
    access-list 5 permit any

6.2.3: Spam Attack

  1. Configure R4 protection against SMTP mail spamming using the following command:

  2. ip audit smtp spam 500
  • + Share This
  • 🔖 Save To Your Account