168.0.0 0.0.255.255 any
  Denies public IP 192.168.0.0/16
Router(config)#access-list 101 deny ip 127.0.0.0 0.255.255.255 any
  Denies traffic from the loopback address
Router(config)#access-list 101 deny ip host 255.255.255.255 any
  Denies any broadcast
Router(config)#access-list 101 deny ip 0.0.0.0 0.255.255.255 any
  Denies traffic from any device with a source address of 0.x.x.x
Router(config)#access-list 101 deny ip any any log
  Denies all other traffic and logs the results
NOTE: Context-Based Access Control (CBAC) setup is provided in the following steps.
Router(config)#logging on
  Enables the logging service
Router(config)#logging host 192.168.30.33
  Sets the syslog server IP address
Router(config)#ip inspect audit-trail
  Turns on CBAC audit trail messages, which are displayed on the console
Router(config)#ip inspect dns-timeout 7
  Specifies the DNS idle timeout (default is 5 seconds)
Router(config)#ip inspect tcp idle-time 14400
  Specifies the TCP idle timeout (default is 3600 seconds)
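
The wildcard-mask matching and top-down, first-match evaluation behind the access-list 101 entries above, as an added example that is not from the original text. It models only source and destination address matching for the four entries that appear complete on this page; the helper names and the sample packet addresses are constructed for illustration.

```python
import ipaddress

# ACL 101 entries that appear complete on this page, in their original order.
ACL_101 = """\
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip any any log
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume one address spec; return (base, wildcard) as integers."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF          # every bit is "don't care"
    if head == "host":
        return _ip(tokens.pop(0)), 0  # every bit must match
    return _ip(head), _ip(tokens.pop(0))

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()[2:]     # drop "access-list 101"
        action, _proto = tokens.pop(0), tokens.pop(0)
        src = _take_addr(tokens)
        dst = _take_addr(tokens)
        entries.append({"line": line, "action": action, "src": src,
                        "dst": dst, "log": "log" in tokens})
    return entries

def _hit(addr, spec):
    care = ~spec[1] & 0xFFFFFFFF      # wildcard 0-bits are the ones compared
    return (_ip(addr) & care) == (spec[0] & care)

def first_match(entries, src, dst):
    """Return the first entry matching the packet (top-down evaluation)."""
    for entry in entries:
        if _hit(src, entry["src"]) and _hit(dst, entry["dst"]):
            return entry
    return None  # not reached with this list: the last entry matches everything

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for src in ("127.0.0.1", "255.255.255.255", "0.1.2.3", "203.0.113.9"):  # constructed
        e = first_match(acl, src, "198.51.100.10")
        print(f"{src:>15} -> {e['action']}{' (logged)' if e['log'] else ''}: {e['line']}")
```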
142 Configuring an IOS Firewall from the CLI
Step 4: Define the Inspection Rules
NOTE: To override the global TCP, UDP, or Internet Control Message Protocol (ICMP) idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout in the ip inspect name command.