11-11-2014 11:26 PM - edited 03-11-2019 10:03 PM
Hello,
I'm pretty new to Cisco products and want to set up a simple firewall.
I found some examples but can't get it to work.
For now we are using Cisco routers 88x and 89x series.
When I activate the script, the remote connection to the router is lost, although I have put in a permit rule for ssh.
The script is the following:
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall rtsp
ip inspect name Firewall h323
ip inspect name Firewall netshow
ip inspect name Firewall ftp
ip inspect name Firewall ssh
!
ip access-list extended Allow-IN
permit eigrp any any
permit icmp any 192.168.2.0 0.0.0.255 echo-reply
permit icmp any 192.168.2.0 0.0.0.255 unreachable
permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited
permit icmp any 192.168.2.0 0.0.0.255 packet-too-big
permit icmp any 192.168.2.0 0.0.0.255 echo
permit icmp any 192.168.2.0 0.0.0.255 time-exceeded
permit tcp any 192.168.2.0 0.0.0.255 eq 22
deny ip any any
!
interface Vlan1
ip inspect Firewall in
!
interface Dialer1
ip access-group Allow-IN in
!
Can anyone tell me what I'm doing wrong here?
And a second question: can I also use port numbers for the ip inspect, or must I always use a service name?
Thank you,
//Edwin
11-12-2014 02:22 AM
Hi,
I think as the SSH is to the router itself, you would need the "router-traffic" keyword.
For your 2nd query, this will help:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i2.html#wp2665953023
Thanks and Regards,
Vibhor Amrodia
11-12-2014 05:59 AM
Hello,
I have tested this.
I couldn't add the router-traffic to the ip inspect rule for ssh, but could add it to the ip inspect rule with tcp.
I tested this option but unfortunately the connection was closed again as soon as the rules were applied to the interfaces.
Maybe I did it wrong or it doesn't work.
//Edwin
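Added example, not from either poster: a small Python audit over an IOS config fragment that checks the two things raised in this thread, namely whether the inbound ACL on the WAN interface permits tcp/22, and whether the tcp inspect rule on the inspected interface carries the router-traffic keyword that Vibhor suggested and Edwin found is accepted on the tcp rule. The sample config is constructed from the posted one; the audit assumes the IOS meaning of router-traffic (inspect sessions terminating on the router itself) and is a text check only, not a substitute for testing on the device.

```python
import re
# Constructed sample (modelled on the thread's posted config): the tcp inspect
# rule has no "router-traffic" keyword, and the WAN ACL does permit tcp/22.
SAMPLE_CONFIG = """\
ip inspect name Firewall tcp
ip inspect name Firewall ssh
ip access-list extended Allow-IN
 permit icmp any 192.168.2.0 0.0.0.255 echo-reply
 permit tcp any 192.168.2.0 0.0.0.255 eq 22
 deny ip any any
interface Vlan1
 ip inspect Firewall in
interface Dialer1
 ip access-group Allow-IN in
"""

INSPECT_RE = re.compile(r"^ip inspect name (\S+) (\S+)(.*)$")
BLOCK_RE = re.compile(r"^(ip access-list extended|interface) (\S+)$")

def parse_config(config):
    """Collect inspect lists, extended ACL entries and interface sub-commands."""
    inspect, blocks, section = {}, {"acl": {}, "iface": {}}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := INSPECT_RE.match(line):
            name, proto, rest = m.groups()
            inspect.setdefault(name, {})[proto] = "router-traffic" in rest.split()
        elif m := BLOCK_RE.match(line):
            kind = "iface" if m.group(1) == "interface" else "acl"
            section = blocks[kind].setdefault(m.group(2), [])
        elif section is not None and line:
            section.append(line)
    return inspect, blocks["acl"], blocks["iface"]

def audit_ssh_access(config):
    """Findings that can explain an SSH session dropping once the config applies."""
    inspect, acls, ifaces = parse_config(config)
    findings = []
    for iface, lines in ifaces.items():
        for line in lines:
            if m := re.match(r"ip access-group (\S+) in$", line):
                entries = acls.get(m.group(1), [])
                if not any(e.startswith("permit tcp") and e.endswith("eq 22") for e in entries):
                    findings.append(f"{iface}: inbound ACL {m.group(1)} does not permit tcp/22")
            if m := re.match(r"ip inspect (\S+) in$", line):
                # CBAC only tracks sessions to the router itself when the tcp rule has router-traffic
                if inspect.get(m.group(1), {}).get("tcp") is False:
                    findings.append(f"{iface}: inspect list {m.group(1)} tcp rule lacks router-traffic")
    return findings
```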