auto secure

noooooooooooooooo… auto sec will CBAC the hell out of you: it drops a CBAC inspect policy plus a deny-everything inbound ACL onto your outside interface… i.e. before you get CBAC'ed, understand what inspection does:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

CBAC access lists include ip inspect statements that allow the inspection of the protocol to make sure that it is not tampered with before the protocol goes to the systems behind the firewall.

no ip bootp server
no ip domain lookup
ip domain name ccie
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 60 attempts 2 within 30

make it go away…

r1#sh access-list
Extended IP access list 100
10 permit udp any any eq bootpc
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
20 deny ip any any (120 matches)
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit ip any any log

yikes…

r1#sh ip route | b Gate
Gateway of last resort is 10.1.1.2 to network 0.0.0.0

10.0.0.0/30 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.1.1.2

r1(config)#ip access-list ext autosec_firewall_acl
r1(config-ext-nacl)#15 permit eigrp any any
r1(config-ext-nacl)#end
r1#sh ip route | b Gate
Gateway of last resort is 10.1.1.2 to network 0.0.0.0

10.0.0.0/30 is subnetted, 2 subnets
D       10.2.2.0 [90/2681856] via 10.1.1.2, 00:00:05, Serial0/0
C       10.1.1.0 is directly connected, Serial0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.1.1.2

bad autosec, bad… i want to inspect your flows… here's the catch: the inspect rule is applied out on s0/0 and the ACL in, so CBAC only punches temporary holes in the inbound ACL for return traffic of sessions it watched leave. EIGRP hellos from 10.1.1.2 aren't replies to any inspected session, so they get judged by the static ACL alone and hit deny ip any any, which is why the 10.2.2.0 route was gone until seq 15 went in:

r1#sh run int s0/0
Building configuration…

Current configuration : 270 bytes
!
interface Serial0/0
ip address 10.1.1.1 255.255.255.252
ip access-group autosec_firewall_acl in
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect autosec_inspect out
clock rate 64000
end
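To make the first-match logic concrete, here's an added example (mine, not from the post and not Cisco code): a small evaluator for the extended-ACL syntax that appears in the sh access-list output above. It models only the static ACL, so the dynamic return-traffic entries CBAC creates for sessions inspected outbound are deliberately absent; that is exactly the situation the EIGRP hellos from 10.1.1.2 are in. The sample packets and the 10.1.1.2 / 224.0.0.10 / 192.168.1.10 addresses are constructed for the demo.

```python
"""First-match evaluator for the Cisco IOS extended ACL syntax seen above.

Added example for this post, not Cisco code. Static ACL only: the holes that
'ip inspect ... out' punches for return traffic are not modelled. Supported
syntax: '<seq> permit|deny <proto> <src> <dst> [eq <port>] [log]' with src/dst
as 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; '(N matches)' counters from
'sh access-list' are stripped.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88, "ospf": 89}
PORT_NAME = {"bootpc": 68, "bootps": 67, "ftp": 21, "telnet": 23, "smtp": 25,
             "domain": 53, "tftp": 69, "www": 80}


@dataclass
class Packet:
    proto: int                 # IP protocol number
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    seq: int
    permit: bool
    proto: Optional[int]       # None means 'ip': any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ipaddress.IPv4Address(pkt.src) in self.src
                and ipaddress.IPv4Address(pkt.dst) in self.dst
                and (self.dport is None or self.dport == pkt.dport))


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one IOS address spec from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # IOS wildcard mask is the inverse of a netmask (contiguous masks only here)
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)


def parse_ace(line: str) -> Ace:
    tokens = re.sub(r"\(\d+ matches\)", "", line).split()
    seq = int(tokens.pop(0))
    permit = tokens.pop(0) == "permit"
    proto = PROTO_NUM[tokens.pop(0)]
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        dport = int(name) if name.isdigit() else PORT_NAME[name]
        del tokens[:2]
    if tokens and tokens[0] == "log":
        tokens.pop(0)
    if tokens:
        raise ValueError(f"unsupported ACL syntax: {line!r}")
    return Ace(seq, permit, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    entries = [parse_ace(l) for l in text.strip().splitlines() if l.strip()]
    return sorted(entries, key=lambda a: a.seq)


def insert(acl: List[Ace], line: str) -> List[Ace]:
    """New ACL with the entry slotted in by sequence number, as IOS does
    when you type it in 'ip access-list extended' mode."""
    return sorted(acl + [parse_ace(line)], key=lambda a: a.seq)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match is the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return f"{'permit' if ace.permit else 'deny'} (seq {ace.seq})"
    return "deny (implicit)"


# The inbound ACL as auto secure left it, copied from the 'sh access-list' above.
AUTOSEC_FIREWALL_ACL = """
10 permit udp any any eq bootpc
20 deny ip any any (120 matches)
"""

# Constructed sample packets arriving on Serial0/0 from the 10.1.1.2 neighbour:
# an EIGRP hello to the EIGRP multicast group, a DHCP reply, an unsolicited SYN.
SAMPLE_PACKETS = {
    "eigrp_hello": Packet(88, "10.1.1.2", "224.0.0.10"),
    "dhcp_reply": Packet(17, "10.1.1.2", "255.255.255.255", 68),
    "inbound_syn": Packet(6, "10.1.1.2", "192.168.1.10", 80),
}


def verdicts(acl: List[Ace]) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


def demo():
    """Verdicts before and after the '15 permit eigrp any any' fix."""
    before = parse_acl(AUTOSEC_FIREWALL_ACL)
    after = insert(before, "15 permit eigrp any any")
    return verdicts(before), verdicts(after)


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Run it and the EIGRP hello flips from deny at seq 20 to permit at seq 15, while the unsolicited SYN stays denied; in the real router that SYN's legitimate twin, a reply to an outbound session, would instead be admitted by the inspect-created entry that this static model leaves out.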