Cisco 887 Basic Firewall

Hi Guys,

I have setup my Cisco routers to have the following basic configuration:

! CBAC inspection rules for transit traffic leaving via Dialer1
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
!
! Inspect outbound sessions, filter everything inbound with the ACL
interface Dialer1
 ip inspect FIREWALL out
 ip access-group FIREWALL-ACL in
!
! Inbound ACL: SSH, IPsec (ESP + IKE) and GRE are the only static holes;
! inspection state admits the return traffic for everything else
ip access-list extended FIREWALL-ACL
 permit tcp any any eq 22
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 deny   tcp any any
 deny   udp any any
 deny   ip any any

However, whilst this allows for a site-to-site VPN, remote SSH access, and clients to punch their way through the firewall, it is unable to allow the router itself to do a DNS lookup or fetch a new IOS over FTP. How can I allow this through without opening excess holes that may only be used for such small tasks occasionally?
Also, is there anything else I should add to help secure the routers from DoS attacks etc.?
Many thanks!

mirober2
Cisco Employee

Hi Matthew,

The command you're looking for is 'ip inspect name FIREWALL udp router-traffic' for DNS and 'ip inspect name FIREWALL tcp router-traffic' for FTP. This enables the inspection for traffic generated from the router itself.

Hope that helps.

-Mike
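The question's configuration with the reply's router-traffic fix applied, shown as an added example that is not part of either post. It keeps the names from the question (FIREWALL, FIREWALL-ACL, Dialer1). The passive-FTP line, the half-open-session limits and the 203.0.113.0/24 management source for SSH are my own assumptions about a sensible baseline, not something Mike's reply states, and the ICMP router-traffic line assumes the keyword is accepted for ICMP as it is for TCP and UDP.

```cisco
! Added example, not taken from either post in the thread.
!
! The three inspection lines replace the plain "ip inspect name FIREWALL tcp/udp/icmp"
! entries from the question. With router-traffic, sessions the router itself
! originates (DNS lookups, "copy ftp:", ping from the CLI) are tracked as well as
! transit traffic, so their return packets are admitted through FIREWALL-ACL
! without a static permit for port 53 or FTP.
ip inspect name FIREWALL tcp router-traffic
ip inspect name FIREWALL udp router-traffic
! Assumption: router-traffic is accepted for icmp as for tcp/udp (lets CLI pings reply)
ip inspect name FIREWALL icmp router-traffic
!
! Assumption: make the router's FTP client use passive mode, so the data channel
! is also an outbound connection the inspection engine sees. In active mode the
! server connects back to the router from port 20 and generic TCP inspection
! would not open that port.
ip ftp passive
!
! Assumption: CBAC half-open session limits as a cheap brake on SYN floods.
! The numbers are illustrative; size them for the link and host count.
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
ip inspect one-minute high 400
ip inspect one-minute low 300
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 50 block-time 1
!
interface Dialer1
 ip inspect FIREWALL out
 ip access-group FIREWALL-ACL in
!
ip access-list extended FIREWALL-ACL
 remark Assumption: 203.0.113.0/24 stands in for the management network.
 remark The question's "any" source leaves the SSH prompt open to the world.
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 deny   tcp any any
 deny   udp any any
 deny   ip any any
```

To check that the fix is actually taking effect, start a lookup or transfer from the router (for example `ping www.cisco.com` or `copy ftp://user@host/c880data-universalk9-mz.bin flash:`) and run `show ip inspect sessions` at the same time; the router-originated session should appear there, and `show ip inspect config` should list the three protocols with router-traffic enabled. The separate `deny tcp` and `deny udp` lines ahead of `deny ip any any` are redundant for filtering but keep per-protocol hit counters in `show access-lists`, which is useful when tuning the thresholds above.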
