Router firewall
o Permit ICMP echo requests and replies
o Permit telnet to servers in VLAN 8 and VLAN 88
o Permit HTTP and SSL access to a web server at 110.5.100.100
o Permit DNS lookups and zone transfers
o Permit any TCP and UDP sessions initiated from behind Router to return
interface Serial0/0
ip access-group TRAFFIC_FILTER in
ip access-group ORIGINATED_INSIDE out
!
ip access-list extended ORIGINATED_INSIDE
permit tcp any any reflect CONTROL
permit udp any any reflect CONTROL
permit icmp any any echo-reply
!
ip access-list extended TRAFFIC_FILTER
permit icmp any any echo
permit tcp any 110.1.8.0 0.0.0.255 eq telnet
permit tcp any 110.1.88.0 0.0.0.255 eq telnet
permit tcp any host 110.5.100.100 eq www
permit tcp any host 110.5.100.100 eq 443
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any any eq bgp
permit tcp any eq bgp any
permit udp any any eq rip
evaluate CONTROL
Explanation:
• Permit ICMP echo requests and replies
ip access-list extended ORIGINATED_INSIDE
permit icmp any any echo-reply
ip access-list extended TRAFFIC_FILTER
permit icmp any any echo
• Permit telnet to servers in VLAN 8 and VLAN 88
ip access-list extended TRAFFIC_FILTER
permit tcp any 110.1.8.0 0.0.0.255 eq telnet
permit tcp any 110.1.88.0 0.0.0.255 eq telnet
• Permit HTTP and SSL access to a web server at 110.5.100.100
ip access-list extended TRAFFIC_FILTER
permit tcp any host 110.5.100.100 eq www
permit tcp any host 110.5.100.100 eq 443
• Permit DNS lookups and zone transfers
ip access-list extended TRAFFIC_FILTER
permit tcp any any eq domain
permit udp any any eq domain
• Permit any TCP and UDP sessions initiated from behind ROUTER to return
ip access-list extended ORIGINATED_INSIDE
permit tcp any any reflect CONTROL
permit udp any any reflect CONTROL
ip access-list extended TRAFFIC_FILTER
evaluate CONTROL
• Permit all necessary routing protocol traffic
ip access-list extended TRAFFIC_FILTER
permit tcp any any eq bgp
permit tcp any eq bgp any
permit udp any any eq rip
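To make the reflexive part of this design concrete, the following is an added Python model (not Cisco code and not part of the original notes) of how the ORIGINATED_INSIDE / TRAFFIC_FILTER pair behaves: an outbound TCP/UDP packet hitting "reflect CONTROL" creates a mirrored temporary entry, and an inbound packet is first checked against the static permits and then against those entries by "evaluate CONTROL". The inside host 110.1.8.10 and outside host 203.0.113.5 are constructed sample addresses, and the static list covers only the telnet, web and DNS rules from the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def wildcard_to_net(addr: str, wild: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> /24."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


# Static permits of TRAFFIC_FILTER (inbound on Serial0/0): (proto, dst network, dst port)
TRAFFIC_FILTER = [
    ("tcp", wildcard_to_net("110.1.8.0", "0.0.0.255"), 23),    # telnet to VLAN 8
    ("tcp", wildcard_to_net("110.1.88.0", "0.0.0.255"), 23),   # telnet to VLAN 88
    ("tcp", ipaddress.IPv4Network("110.5.100.100/32"), 80),    # www
    ("tcp", ipaddress.IPv4Network("110.5.100.100/32"), 443),   # ssl
    ("tcp", ipaddress.IPv4Network("0.0.0.0/0"), 53),           # zone transfers
    ("udp", ipaddress.IPv4Network("0.0.0.0/0"), 53),           # lookups
]


class ReflexiveFirewall:
    def __init__(self):
        self.control = set()   # temporary entries created by "reflect CONTROL"

    def outbound(self, p: Pkt) -> bool:
        """ORIGINATED_INSIDE: TCP/UDP leaving creates a mirrored (src/dst swapped) entry."""
        if p.proto in ("tcp", "udp"):
            self.control.add(Pkt(p.proto, p.dst, p.dport, p.src, p.sport))
            return True
        return False   # only echo-reply is otherwise permitted outbound; modelled as deny here

    def inbound(self, p: Pkt) -> bool:
        """TRAFFIC_FILTER: static permits first, then "evaluate CONTROL", then implicit deny."""
        dst = ipaddress.IPv4Address(p.dst)
        for proto, net, port in TRAFFIC_FILTER:
            if p.proto == proto and dst in net and p.dport == port:
                return True
        return p in self.control


def demo() -> dict:
    fw = ReflexiveFirewall()
    inside, outside = "110.1.8.10", "203.0.113.5"   # constructed sample hosts
    fw.outbound(Pkt("tcp", inside, 40000, outside, 443))   # inside host opens an HTTPS session
    return {
        "reply_allowed": fw.inbound(Pkt("tcp", outside, 443, inside, 40000)),
        "unsolicited_denied": not fw.inbound(Pkt("tcp", outside, 443, inside, 40001)),
        "telnet_vlan8": fw.inbound(Pkt("tcp", outside, 5555, "110.1.8.20", 23)),
        "telnet_other_denied": not fw.inbound(Pkt("tcp", outside, 5555, "110.1.9.20", 23)),
    }
```

Running demo() shows why "evaluate CONTROL" is required: the return packet of the session opened from inside is admitted only because its mirrored entry exists, while a packet to a different source port, or telnet to a subnet outside VLAN 8/88, falls through to the implicit deny.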