4. Set up access lists
Next, you need to configure two access lists, both of which will be applied in the inbound direction. Note that in the remainder of this article, I use the terms inbound and outbound frequently. As Figure 1 shows, inbound refers to traffic entering the interface; outbound refers to traffic leaving the interface. Listing 1 shows the two access lists: the first will be applied to the LAN interface (in my case, BVI1), and the second will be applied to the WAN interface (in my case, FastEthernet4).
Access list 100 will be applied to the LAN interface. The first line sets up the access list and places the router in access list configuration mode. The next line allows any IP traffic matching the network (192.168.100.0/24) to pass into the interface. If the subnet mask looks odd to you, that's not a typo. IOS uses inverse (wildcard) subnet masks in its access lists. You can compute these manually quite easily by subtracting each octet of your standard mask from 255. So mask 255.255.252.0 becomes 0.0.3.255, 255.252.0.0 becomes 0.3.255.255, and so on.
The third line denies any other traffic from entering the LAN interface. Although all access lists have an implicit deny all at the end, including an explicit deny line is a good practice so that you know where your access list ends and to aid the readability of your configuration. The final line takes the router out of access list configuration mode.
Access list 101 will be applied to the WAN interface. The first line sets up the access list and places the router in access list configuration mode. I use a cable modem, so the next line allows DHCP (bootps and bootpc) traffic to enter the WAN interface. Without this entry, my WAN interface would never receive a public IP address, and I'd never get on the Internet. You can use the same configuration in a test lab as long as you have a DHCP server set up and your networking team is OK with what you're doing. The third and fourth lines allow any TCP and UDP traffic from any source destined for anywhere to enter the WAN interface.
The fifth, sixth, and seventh lines allow any Internet Control Message Protocol (ICMP) traffic that comes from any source, is headed for any destination, and is an echo-reply, time-exceeded, or unreachable message to enter the WAN interface. You should be cautious about which types of ICMP traffic you allow on your network because ICMP can be used for various exploits, especially Denial of Service (DoS) attacks. However, you need these three lines to use ping and traceroute for troubleshooting. The last two lines are the same as in the LAN access list.
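Listing 1 itself is not reproduced on this page, so the following is a reconstruction of the two access lists from the line-by-line description above. It is added here and is not the article's own listing; it assumes the named-ACL configuration mode (ip access-list extended, which also accepts the numbers 100 and 101) and standard IOS port keywords for the DHCP entry, whose exact form the article does not show.

```cisco
! Access list 100: applied inbound on the LAN interface (BVI1 in the article)
ip access-list extended 100
 remark Permit only IP traffic sourced from the internal /24 (wildcard 0.0.0.255)
 permit ip 192.168.100.0 0.0.0.255 any
 remark Explicit deny marks the end of the list and gets its own match counter
 deny ip any any
 exit
!
! Access list 101: applied inbound on the WAN interface (FastEthernet4 in the article)
ip access-list extended 101
 remark DHCP replies from the ISP: server port bootps to client port bootpc
 remark (port syntax is an assumption, not copied from Listing 1)
 permit udp any eq bootps any eq bootpc
 remark Generic TCP/UDP permits for now; the article says to harden these later
 permit tcp any any
 permit udp any any
 remark Only the ICMP types needed to receive ping and traceroute replies
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip any any
 exit
```

Once the lists are applied in step 6, show access-lists displays per-entry match counters (including on the explicit deny line), and show ip inspect sessions lists the CBAC sessions that dynamically open return paths.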
5. Configure basic TCP/UDP/ICMP inspection
My IOS version includes the IOS firewall feature set. If yours does as well, you'll definitely want to use it. Although the IOS firewall doesn't offer the deep application-layer inspection that, say, an ISA Server firewall does, enabling it is a good idea for two reasons. The first is to ensure that traffic that claims to be TCP, UDP, or ICMP is in fact TCP, UDP, or ICMP. The second is that enabling this inspection also enables Context-Based Access Control (CBAC). CBAC allows IOS to create dynamic access list entries that allow return traffic to flow through the router. Although our access lists above are very generic (e.g., all TCP is allowed), once your setup is working, you'll certainly want to harden them, set up internal servers reachable from the Internet, and so on. After you've done that, CBAC will allow return traffic to pass through the router. For example, if you browse to Amazon.com, CBAC will dynamically place entries in the inbound access list applied to your external (WAN) interface to allow return traffic from Amazon.com to enter the router. When the connection is closed, these entries are dynamically removed.
First, set up a TCP SYN timeout threshold to help mitigate SYN flood DoS attacks:
ip tcp synwait-time 30
This command tells IOS to drop any TCP session that's not established within 30 seconds.
Next, set up an inspection rule each for ICMP, TCP, and UDP:
ip inspect name InspectRule icmp
ip inspect name InspectRule tcp
ip inspect name InspectRule udp
(You can substitute a name you prefer for InspectRule.)
6. Apply the access lists and inspection rules
Now, apply both the access lists and the inspection rules to the appropriate interfaces in the inbound direction. For the WAN interface—in my case, FastEthernet4—first enter the interface configuration mode:
interface FastEthernet4
Then apply the access list:
ip access-group 101 in
(Note that you use access-group, not access-list, here.) Then apply the inspection rule:
ip inspect InspectRule in
And finally, exit the interface configuration mode:
exit
Next, for the LAN interface (BVI1, in this example), type:
interface BVI1
ip access-group 100 in
ip inspect InspectRule in
exit
Some of you sharpies might be wondering if you could apply the IP inspection rule in the outbound direction as well as or in place of the inbound direction. The answer is yes, you can.