Mediant MSBRs 26 Document #: LTRT-31828
Security Setup
Note that when a firewall is enabled, all inbound traffic is denied access; however, the user
can still explicitly permit only ICMP inbound traffic.
Table 6-4: Firewall – Permit ICMP Inbound Traffic
Command: (config-data)# ip firewall allow-icmp
Description: Allow ICMP (ping) on interfaces without an access-list.
6.1 Configuration Example
This example configures a firewall on the G0/0 interface that allows traffic from the
192.168.0.0/24 network to any destination on TCP ports 20 to 23 and UDP ports 5000 to 5004.
The firewall also allows ping (ICMP) from and to any host. The ACL ends with a deny any any
rule, which blocks all other traffic.
# configure data
; Create the ACL
(config-data)# ip access-list extended FW_out
(config-ext-nacl)# permit tcp 192.168.0.0 0.0.0.255 any eq 20 log
(config-ext-nacl)# permit tcp 192.168.0.0 0.0.0.255 any eq 21 log
(config-ext-nacl)# permit tcp 192.168.0.0 0.0.0.255 any eq 22 log
(config-ext-nacl)# permit tcp 192.168.0.0 0.0.0.255 any eq 23 log
(config-ext-nacl)# permit udp 192.168.0.0 0.0.0.255 any eq 5000 log
(config-ext-nacl)# permit udp 192.168.0.0 0.0.0.255 any eq 5001 log
(config-ext-nacl)# permit udp 192.168.0.0 0.0.0.255 any eq 5002 log
(config-ext-nacl)# permit udp 192.168.0.0 0.0.0.255 any eq 5003 log
(config-ext-nacl)# permit udp 192.168.0.0 0.0.0.255 any eq 5004 log
(config-ext-nacl)# permit icmp any any log
(config-ext-nacl)# deny ip any any log
; Apply ACL on an interface
(config-ext-nacl)# exit
(config-data)# interface gigabitethernet 0/0
(conf-if-GE 0/0)# ip access-group FW_out out
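Before applying an ACL like the one above, it is worth checking that its rules really encode the intended policy (right wildcard mask, right ports, and a final deny that catches everything else). The following Python script is an added example, not part of the AudioCodes guide and not the device's own firewall implementation: it parses the ACL body from the configuration example (embedded here as a constructed sample string) and simulates first-match evaluation for a handful of probe packets. It assumes Cisco-style wildcard-mask semantics (0 bits must match, 1 bits are "don't care"), a port qualifier of the form `eq N`, and an implicit deny when no rule matches, which mirrors the explicit `deny ip any any` the example ends with.

```python
"""Simulate first-match evaluation of an extended ACL (added example, not device code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

# Constructed sample: the ACL body from the configuration example above.
ACL_TEXT = """
permit tcp 192.168.0.0 0.0.0.255 any eq 20 log
permit tcp 192.168.0.0 0.0.0.255 any eq 21 log
permit tcp 192.168.0.0 0.0.0.255 any eq 22 log
permit tcp 192.168.0.0 0.0.0.255 any eq 23 log
permit udp 192.168.0.0 0.0.0.255 any eq 5000 log
permit udp 192.168.0.0 0.0.0.255 any eq 5001 log
permit udp 192.168.0.0 0.0.0.255 any eq 5002 log
permit udp 192.168.0.0 0.0.0.255 any eq 5003 log
permit udp 192.168.0.0 0.0.0.255 any eq 5004 log
permit icmp any any log
deny ip any any log
"""

# An address spec is (address, wildcard); 'any' is 0.0.0.0 with an all-ones wildcard.
AddrSpec = Tuple[int, int]
ANY: AddrSpec = (0, 0xFFFFFFFF)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: AddrSpec
    dst: AddrSpec
    sport: Optional[int]   # None means any source port
    dport: Optional[int]   # None means any destination port
    log: bool


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (spec, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    # Assumed Cisco-style wildcard: 0 bits must match exactly, 1 bits are "don't care".
    return (int(IPv4Address(tok)), int(IPv4Address(tokens[i + 1]))), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq N' qualifier at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_rule(line: str) -> Rule:
    """Parse one 'permit|deny PROTO SRC [eq N] DST [eq N] [log]' line."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    log = i < len(t) and t[i] == "log"
    return Rule(action, proto, src, dst, sport, dport, log)


def parse_acl(text: str):
    return [parse_rule(line) for line in text.strip().splitlines() if line.strip()]


def _addr_match(ip: int, spec: AddrSpec) -> bool:
    addr, wild = spec
    # Bits that differ are only tolerated where the wildcard has a 1.
    return (ip ^ addr) & ~wild & 0xFFFFFFFF == 0


def evaluate(rules, proto, src_ip, dst_ip, sport=None, dport=None):
    """Return (action, matching rule index, logged) using first-match semantics."""
    src, dst = int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))
    for idx, r in enumerate(rules):
        if r.proto != "ip" and r.proto != proto:
            continue
        if not _addr_match(src, r.src) or not _addr_match(dst, r.dst):
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, idx, r.log
    # No rule matched: assume the usual implicit deny at the end of an ACL.
    return "deny", None, False


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    probes = [("tcp", "192.168.0.10", "10.0.0.5", None, 22),
              ("tcp", "192.168.0.10", "10.0.0.5", None, 25),
              ("udp", "192.168.1.5", "8.8.8.8", None, 5000),
              ("icmp", "1.2.3.4", "5.6.7.8", None, None)]
    for proto, s, d, sp, dp in probes:
        print(proto, s, "->", d, dp, evaluate(acl, proto, s, d, sp, dp))
```

The probe on UDP 5000 from 192.168.1.5 is the kind of check that catches a mis-sized wildcard: it falls outside 192.168.0.0/24 and should land on the final deny rule, not on a permit.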