Hi,I think as the SSH is to

deboeredwin · ‎11-11-2014

Hello,

I'm pretty new to the cisco product and want to setup a simple firewall.

I found some exampels but can't get it to work.

For now we are using Cisco routers 88x and 89x series.

When I activate te script I the remote connection to the router is lost, although I have put an permit rule for ssh.

The script is the following:

ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall rtsp
ip inspect name Firewall h323
ip inspect name Firewall netshow
ip inspect name Firewall ftp
ip inspect name Firewall ssh
!
ip access-list extended Allow-IN
permit eigrp any any
permit icmp any 192.168.2.0 0.0.0.255 echo-reply
permit icmp any 192.168.2.0 0.0.0.255 unreachable
permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited
permit icmp any 192.168.2.0 0.0.0.255 packet-too-big
permit icmp any 192.168.2.0 0.0.0.255 echo
permit icmp any 192.168.2.0 0.0.0.255 time-exceeded
permit tcp any 192.168.2.0 0.0.0.255 eq 22
deny ip any any
!
interface Vlan1
ip inspect Firewall in
!
interface Dialer1
ip access-group Allow-IN in
!

Can anyone tell me what I'm doing wrong here?

And a second question, can I use for the ip inspect also port numbers or must I always use a service name?

Thank you,

//Edwin

Vibhor Amrodia · ‎11-12-2014

Hi,

I think as the SSH is to the router itself , you would need the "router-traffic" keyword.

For your 2nd Query , this will help:-

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i2.html#wp2665953023

Thanks and Regards,

Vibhor Amrodia

deboeredwin · ‎11-12-2014

Hello,

I have tested this.

I couldn't add the router-traffic to the ip inspect rule for ssh but could add it to the ip inspect rule with tcp.

I tested this option but unfortunatly the connection was closed again as soon the rules were applied to the interfaces.

Maybe I did it wrong or it doesn't work.

//Edwin

Simple firewall implementation