https://community.cisco.com/t5/network-security/simple-firewall-implementation/m-p/2590629#M200652 <P>Hi,</P><P>I think as the SSH is to the router itself , you would need the "router-traffic" keyword.</P><P>For your 2nd Query , this will help:-</P><P>http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i2.html#wp2665953023</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Wed, 12 Nov 2014 10:22:19 GMT Vibhor Amrodia 2014-11-12T10:22:19Z https://community.cisco.com/t5/network-security/simple-firewall-implementation/m-p/2590628#M200651 <P>Hello,</P><P>&nbsp;</P><P>I'm pretty new to the cisco product and want to setup a simple firewall.</P><P>I found some exampels but can't get it to&nbsp;work.</P><P>&nbsp;</P><P>For now we are using Cisco routers 88x and 89x series.</P><P>When I activate te script I the remote connection to the router is lost, although I have put an permit rule for ssh.</P><P>&nbsp;</P><P>The script is the following:</P><P>ip inspect name Firewall tcp<BR />ip inspect name Firewall udp<BR />ip inspect name Firewall rtsp<BR />ip inspect name Firewall h323<BR />ip inspect name Firewall netshow<BR />ip inspect name Firewall ftp<BR />ip inspect name Firewall ssh<BR />!<BR />ip access-list extended Allow-IN<BR />&nbsp;permit eigrp any any<BR />&nbsp;permit icmp any 192.168.2.0 0.0.0.255 echo-reply<BR />&nbsp;permit icmp any 192.168.2.0 0.0.0.255 unreachable<BR />&nbsp;permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited<BR />&nbsp;permit icmp any 192.168.2.0 0.0.0.255 packet-too-big<BR />&nbsp;permit icmp any 192.168.2.0 0.0.0.255 echo<BR />&nbsp;permit icmp any 192.168.2.0 0.0.0.255 time-exceeded<BR />&nbsp;permit tcp any 192.168.2.0 0.0.0.255 eq 22<BR />&nbsp;deny ip any any<BR />!<BR />interface Vlan1<BR />&nbsp;ip inspect Firewall in<BR />!<BR />interface Dialer1<BR />&nbsp;ip access-group Allow-IN in<BR />!</P><P>&nbsp;</P><P>Can anyone tell me what I'm doing wrong here?</P><P>And a second question, can I use for the ip inspect also port numbers or must I always use a service name?</P><P>&nbsp;</P><P>Thank you,</P><P>&nbsp;</P><P>//Edwin</P> Tue, 12 Mar 2019 05:03:55 GMT https://community.cisco.com/t5/network-security/simple-firewall-implementation/m-p/2590628#M200651 deboeredwin 2019-03-12T05:03:55Z https://community.cisco.com/t5/network-security/simple-firewall-implementation/m-p/2590629#M200652 <P>Hi,</P><P>I think as the SSH is to the router itself , you would need the "router-traffic" keyword.</P><P>For your 2nd Query , this will help:-</P><P>http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i2.html#wp2665953023</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Wed, 12 Nov 2014 10:22:19 GMT https://community.cisco.com/t5/network-security/simple-firewall-implementation/m-p/2590629#M200652 Vibhor Amrodia 2014-11-12T10:22:19Z https://community.cisco.com/t5/network-security/simple-firewall-implementation/m-p/2590630#M200653 <P>Hello,</P><P>&nbsp;</P><P>I have tested this.</P><P>I couldn't add the router-traffic to the ip inspect rule for ssh but could add it to the ip inspect rule with tcp.</P><P>I tested this option but unfortunatly the connection was closed again as soon the rules were applied to the interfaces.</P><P>&nbsp;</P><P>Maybe I did it wrong or it doesn't work.</P><P>&nbsp;</P><P>//Edwin</P> Wed, 12 Nov 2014 13:59:12 GMT https://community.cisco.com/t5/network-security/simple-firewall-implementation/m-p/2590630#M200653 deboeredwin 2014-11-12T13:59:12Z