07 September 2007

Cisco Router Firewall

To create a firewall on Cisco router one should define one or several access lists and associate them with interfaces. Access list is a set of traffic filtering rules. Rule specifies traffic source and destination and a policy to apply to this kind of traffic (permit or deny). Each access list has a numeric ID. We are interested in so called extended access lists, numbered from 100 to 199 inclusive.

To view the status of access lists on our router, run the following command:

Show access-list

The command output may look as follows:

Num  Src Addr   Src Port  Dst Addr   Dst Port  Prot  Policy
100  10.10.1.3  any       10.20.1.5  ftp       tcp   deny
100  any        any       any        any       ip    permit


As we can see, access list number 100 denies FTP traffic from host 10.10.1.3 to host 10.20.1.5 and permits all other traffic.

Let’s define our own access list to block web traffic from 192.116.1.50 to 10.10.10.146 and allow all other traffic. Before we do that, let’s check that HTTP to 10.10.10.10 indeed works. Start the browser and type the address 10.10.10.146:

If you get a web page, it works.

Now let’s define our access list.

Conf t
Access-list 110 deny tcp host 192.116.1.50 host 10.10.10.146 eq www
Access-list 110 permit ip any any
Exit

We gave our access list number 110. You can select any other number in the range 100-199, provided that an access list with that number does not already exist.


Now let’s associate interface FastEthernet0/0 with this access list:

Conf t
Interface FastEthernet0/0
Ip access-group 110 in
Exit


This command instructs interface FastEthernet0/0 to filter all incoming traffic (the "in" keyword) according to the rules defined in access list 110. Rules are checked in the order they were entered, and the first matching rule decides.
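To make the matching order concrete (why the deny line must come before "permit ip any any", and why ping keeps working while the web page does not), here is an added Python model of extended access-list evaluation. It is not code from this page or from Cisco; it also handles wildcard-mask addresses and the implicit deny at the end of every list, which the text does not spell out.

```python
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25}  # names IOS accepts after "eq"

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((net, care_mask), rest)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (net, ~wild & 0xFFFFFFFF), tokens[2:]   # wildcard 1-bits mean "don't care"

def parse_rule(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' -> (N, rule dict)."""
    t = line.lower().split()
    if t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
        raise ValueError("not an extended access-list line: " + line)
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return int(t[1]), {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def _match(spec, ip):
    net, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins; the list ends with an implicit 'deny ip any any'."""
    for r in rules:
        if r["proto"] not in ("ip", proto):          # 'ip' covers every protocol
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if _match(r["src"], src) and _match(r["dst"], dst):
            return r["action"]
    return "deny"

# Constructed input: access list 110 exactly as entered on the router above
ACL_110 = [parse_rule(l)[1] for l in (
    "Access-list 110 deny tcp host 192.116.1.50 host 10.10.10.146 eq www",
    "Access-list 110 permit ip any any",
)]

if __name__ == "__main__":
    print(evaluate(ACL_110, "tcp", "192.116.1.50", "10.10.10.146", 80))   # deny
    print(evaluate(ACL_110, "icmp", "192.116.1.50", "10.10.10.146"))      # permit: ping passes
    print(evaluate(ACL_110[:1], "icmp", "192.116.1.50", "10.10.10.146"))  # deny: without the permit line
```

The last call shows what happens if the "permit ip any any" line is forgotten: the implicit deny drops every packet on the interface.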

Click refresh in the browser. You should not get any page displayed; if you still get a response, try clearing the browser’s local cache files. Ping should still work, since the list only denies TCP traffic to the www port. Let’s disable our firewall by running

Conf t
Interface FastEthernet0/0
No Ip access-group 110 in
Exit


Click refresh in the browser. It should succeed this time.

You can define more complex firewalls using the above commands. For a complete set of options, please refer to the document titled “Cisco Router Monitoring and configuration utilities. User Manual”.
