Section 6.0: IOS Firewall Configuration

6.1. CBAC

6.1.1. Basic CBAC Configuration
  1. Configure the basic IOS Firewall ip inspect commands and inspect TCP, UDP, and HTTP only. Apply the inspect rule outbound on the serial links and an ingress ACL on the same links for filtering.

6.1.2. Firewall Filtering
  1. Apply an inbound ACL on the serial links that permits ICMP, OSPF, BGP, replies from the TACACS+ server, and Telnet from host 111.111.111.111 to R2.

  2. For anti-spoofing, run show ip route connected. Every connected network it lists should be denied as a source network in the ACL:

    r2#show access-lists 120
    Extended IP access list 120
        deny ip 12.12.12.0 0.0.0.255 any
        deny ip 122.122.122.0 0.0.0.255 any
        deny ip 10.50.22.0 0.0.0.15 any
        permit ospf any any (73740 matches)
        permit tcp any any eq bgp (29682 matches)
        ...
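The following is an added configuration example, not taken from the lab solutions, that ties tasks 6.1.1 and 6.1.2 together on R2: the CBAC inspect rule for TCP, UDP, and HTTP, the ingress ACL with the anti-spoofing denies matching the show access-lists output above, and the permits for ICMP, OSPF, BGP, TACACS+ replies, and Telnet from 111.111.111.111. The inspect rule name FW, the interface Serial0/0, and the placeholder TACACS_SERVER_IP are assumptions; the lab defines its own names and addresses.

```cisco
! Task 6.1.1: CBAC inspect rule for TCP, UDP and HTTP only (rule name FW is an assumption)
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http
!
! Task 6.1.2: ingress ACL on the serial links
! Anti-spoofing: deny every network from "show ip route connected" as a source
access-list 120 deny   ip 12.12.12.0 0.0.0.255 any
access-list 120 deny   ip 122.122.122.0 0.0.0.255 any
access-list 120 deny   ip 10.50.22.0 0.0.0.15 any
! Routing protocols and ICMP
access-list 120 permit ospf any any
access-list 120 permit tcp any any eq bgp
access-list 120 permit tcp any eq bgp any
access-list 120 permit icmp any any
! Replies from the TACACS+ server (TACACS_SERVER_IP is a placeholder; tacacs = TCP/49)
access-list 120 permit tcp host TACACS_SERVER_IP eq tacacs any
! Telnet to R2 from host 111.111.111.111 only
access-list 120 permit tcp host 111.111.111.111 any eq telnet
! Everything else is dropped by the implicit deny; CBAC opens return traffic dynamically
!
interface Serial0/0
 ip access-group 120 in
 ip inspect FW out
```

Because CBAC inspects sessions leaving Serial0/0 and inserts temporary entries ahead of ACL 120 for the return traffic, the ingress ACL only needs static permits for traffic that is not initiated from inside (routing protocols, ICMP, TACACS+ replies, and the one permitted Telnet source). Verify with show ip inspect sessions and show access-lists 120 after generating some outbound traffic; the hit counters on the deny lines are a quick check that spoofed sources are actually being dropped.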
