CCIE Quick Reference http://www.cciequick.com Short, concise reference information and checklists for your CCIE study Sun, 07 Feb 2010 20:17:09 +0000 en hourly 1 http://wordpress.org/?v=3.1.2 Copyright © CCIE Quick Reference 2011 brian@packetslave.com (CCIE Quick Reference) brian@packetslave.com (CCIE Quick Reference) http://www.cciequick.com/wp-content/plugins/podpress/images/powered_by_podpress.jpg CCIE Quick Reference http://www.cciequick.com 144 144 Short, concise reference information and checklists for your CCIE study CCIE Quick Reference CCIE Quick Reference brian@packetslave.com no no Configure IOS Zone-based Firewall (ZBF) http://www.cciequick.com/2010/02/07/configure-ios-zone-based-firewall-zbf/ http://www.cciequick.com/2010/02/07/configure-ios-zone-based-firewall-zbf/#comments Sun, 07 Feb 2010 20:17:09 +0000 Brian http://www.cciequick.com/?p=4
  • Create zones
    • zone security INSIDE
zone security OUTSIDE
  • Map zones to interfaces
    • interface Serial1/0
  zone-member security OUTSIDE
!
interface GigabitEthernet0/0
  zone-member security INSIDE
!
  • Create class-maps to classify inter-zone traffic
    • class-map type inspect match-any SERVERS
  match protocol http
  match protocol smtp
!
  • Create policy-maps to filter inter-zone traffic
    • policy-map type inspect INBOUND_POLICY
  class type inspect SERVERS
    pass
!
policy-map type inspect OUTBOUND_POLICY
  class-default
    inspect
!
  • Configure zone-pairs to apply policies to traffic
    • zone-pair security IN2OUT source INSIDE destination OUTSIDE
  service-policy type inspect OUTBOUND_POLICY
!
zone-pair security OUT2IN source OUTSIDE destination INSIDE
  service-policy type inspect INBOUND_POLICY
!
  • Verify
    • show policy-map type inspect zone-pair
    ]]>     http://www.cciequick.com/2010/02/07/configure-ios-zone-based-firewall-zbf/feed/ 1     Configure IOS Intrusion Prevention (IPS) http://www.cciequick.com/2010/01/16/configure-ios-intrusion-prevention-ips/ http://www.cciequick.com/2010/01/16/configure-ios-intrusion-prevention-ips/#comments Sat, 16 Jan 2010 19:15:32 +0000 Brian http://www.cciequick.com/?p=1
  • Create and define a directory for IPS configuration files
    • mkdir flash:/ips
  • Import the Cisco RSA public key (available from the cisco.com download area)
    • crypto key pubkey-chain rsa
  named-key realm-cisco.pub signature
    key-string
    ....
    quit
  • (optional) create an ACL to define what traffic gets inspected
    • ip access-list extended IPS-INSPECT
  permit ip any host 1.2.3.4
  permit ip host 1.2.3.4 any
!
ios ips name IPS1 list IPS-INSPECT
  • Retire and un-retire signature sets
    • ip ips signature-category
  category-all
    retired true
  category ios_ips_basic
    retired false
    exit
  exit
  • Apply the IPS configuration to an interface
    • int gi0/0
  ip ips IPS1 in
  ip ips IPS1 out
  • Upload signature definitions
    • copy ftp://cisco:cisco@10.1.1.1/IOS-S310-CLI.pkg idconf
  • (optional) enable syslog notifications for IPS events
    • ip ips notify log
  • (optional) enable SDEE notifications for IPS events
    • access-list 80 permit 2.2.2.2
ip http access-class 80
ip http server enable
ip ips notify sdee
  • (optional) Tweak individual signatures
    • ip ips signature-definition
  signature 6130 10
    engine
      event-action produce-alert
      event-action deny-packet-inline
      exit
    exit
  exit
  • Verification
    • show ip ips signature count

    Based on Keith Barker’s blog post at InternetworkExpert and this Cisco.com technote.

    ]]>     http://www.cciequick.com/2010/01/16/configure-ios-intrusion-prevention-ips/feed/ 0