If required, you can adopt a defense-in-depth approach within the medium-sized network design. This alternative design incorporates the functionality of the Cisco IOS Firewall and the functionality of the edge router in a single device.
The implementation of this configuration requires that the edge router filtering, which was described in the previous section, be added to the Cisco IOS Firewall configuration, as explained next.
To implement the Cisco IOS Firewall, use the following steps:
Step 1. Configure the firewall inspection rules:

    ip inspect name FIREWALL tcp
    ip inspect name FIREWALL udp
    ip inspect name FIREWALL ftp
    ip inspect name FIREWALL smtp

NOTE: Not all of the available firewall inspection rules are shown in the preceding example. Inspection rules can be amended as required.

Step 2. Apply the defined inspection rules so that traffic transiting the interface is inspected.
The firewall inspection rule set is applied to the public VLAN interface of the edge router by using the command ip inspect FIREWALL in.
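The two steps above only create dynamic openings for return traffic; the edge router filtering from the previous section is what actually blocks unsolicited inbound packets, so the two must be combined on one device. The following configuration fragment is an added illustration of that combination, not taken from the book or from Cisco; the interface names, addresses (RFC 5737 documentation ranges), the access list number and the assumed public SMTP server are all placeholders.

```text
! --- Step 1: inspection rules (as on the page) ---
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL smtp
! Log session creation/teardown so inspection activity is visible to syslog
ip inspect audit-trail
!
! --- Edge router filtering on the ISP-facing interface (assumed name/addresses) ---
! Static ACL: only the assumed public mail server may be reached from outside.
! Inspection inserts temporary entries ahead of these lines for sessions
! that were initiated from the public VLAN, so return traffic is permitted.
interface FastEthernet0/0
 description ISP uplink (assumed)
 ip address 192.0.2.2 255.255.255.252
 ip access-group 101 in
!
! --- Step 2: apply the rule set inbound on the public VLAN interface ---
interface FastEthernet0/1
 description Public VLAN (assumed)
 ip address 198.51.100.1 255.255.255.0
 ip inspect FIREWALL in
!
! Assumed inbound filter: anti-spoofing of the public VLAN range, then SMTP only
access-list 101 deny   ip 198.51.100.0 0.0.0.255 any log
access-list 101 permit tcp any host 198.51.100.10 eq smtp
access-list 101 deny   ip any any log
```

After applying it, `show ip inspect config` confirms the rule set and interface binding, and `show ip inspect sessions` lists the dynamic openings that inspection has created; if nothing appears there, return traffic is being decided by the static access list alone.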
Referring to Figure 16-1, you can see that the next component within the medium-sized network is the PIX Firewall, which is discussed in the next section.