08-09-IOS Firewall Fundamentals and Zone Based Firewalls


8/9/2019 08-09-IOS Firewall Fundamentals and Zone Based Firewalls

08 - Zone based firewall

Reflexive ACLs

config t

! Create an ACL that we will apply
! outbound on Fa 4/0.
! The "reflect REMEMBER" will create
! a reflexive ACL entry called "REMEMBER"
! that we can apply on a second ACL inbound.

ip access-list extended GOING-OUT
 permit tcp any any reflect REMEMBER
 permit udp any any reflect REMEMBER
 permit icmp any any reflect REMEMBER
 deny ip any any log
exit

interface fa 4/0
 ip access-group GOING-OUT out
exit

do show access-list

! The inbound ACL only admits traffic that matches
! an entry the outbound ACL has already created.

ip access-list extended COMING-IN
 evaluate REMEMBER
 deny ip any any log
exit

int fa 4/0
 ip access-group COMING-IN in
exit

do show access-list

Context Based Access Control

conf t

! Deny any initial inbound traffic

ip access-list extended DENY
 deny ip any any log
exit

int fa 4/0
 ip access-group DENY in
exit

! Create a Context Based Access Control
! (CBAC) inspection rule to remember
! TCP, UDP and ICMP

ip inspect name REMEMBER tcp


ip inspect name REMEMBER udp
ip inspect name REMEMBER icmp

! Apply the inspection rule outbound
! on Fa 4/0

int fa 4/0
 ip inspect REMEMBER out
exit

do show ip inspect interfaces
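The title names Zone-Based Firewalls but the notes stop at CBAC, so the following is the same stateful policy (inspect outbound TCP, UDP and ICMP, drop everything unsolicited coming in) written as an IOS Zone-Based Policy Firewall. This is an added example, not part of the original notes; it assumes Fa 4/0 is the outside-facing interface as above and that the LAN sits on Fa 0/0 (an assumed interface name not in the notes).

```ios
conf t

! Assumed topology: Fa 0/0 = INSIDE (LAN), Fa 4/0 = OUTSIDE (as in the notes)
zone security INSIDE
zone security OUTSIDE

! Classify the protocols we want tracked, mirroring the CBAC rule
class-map type inspect match-any INSIDE-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
exit

! Inspect matching traffic; anything else leaving is dropped and logged
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect INSIDE-PROTOCOLS
  inspect
 class class-default
  drop log
exit

! Only an INSIDE -> OUTSIDE zone-pair exists, so return traffic is
! admitted by the inspection state and unsolicited inbound traffic
! from OUTSIDE is dropped by default (no OUTSIDE -> INSIDE zone-pair).
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
exit

interface fa 0/0
 zone-member security INSIDE
exit
interface fa 4/0
 zone-member security OUTSIDE
exit

! Verify the active inspection sessions
do show policy-map type inspect zone-pair sessions
```

Traffic between an interface in a zone and one not assigned to any zone is dropped, so every routed interface on the router should be placed in a zone before the policy is applied.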