
Zoom Technologies CCNP Lab Guide

IOS Firewall

*The scenario is set up as shown above. RA1 has two interfaces connected to two
different LANs. Both LANs can communicate with each other initially. Our goal is
to allow communication from one LAN to the other, but to deny communication
in the opposite direction.
*Configure access-lists on both interfaces allowing one-way communication.
For example, the PC connected to the Fa0/0 interface must be able to ping the PC
connected to Fa4/0, but the opposite must not be possible.
RA1#config terminal
RA1(config)# access-list 100 permit ip 192.168.1.16 0.0.0.15 192.168.100.0 0.0.0.255
RA1(config)# access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.1.16 0.0.0.15
RA1(config)#interface fa 0/0
RA1(config-if)#ip access-group 100 in
RA1(config-if)#interface fa 4/0
RA1(config-if)#ip access-group 101 in

*When you ping from both PCs to each other, you will notice that neither can
ping the other: access-list 101 ends with an implicit deny, so the ICMP echo
replies coming back in through Fa4/0 are dropped as well. To achieve our goal of
one-way communication, we have to configure the following. Configure a firewall
(CBAC) inspection rule for the ICMP protocol and apply it in the inbound
direction on the interface where the permitted traffic enters the router
(Fa0/0); the router then opens temporary entries for the return traffic.

RA1(config)#ip inspect name zoom icmp


RA1(config)#interface fa0/0
RA1(config-if)#ip inspect zoom in

*Now you will notice that the PC on Fa0/0 can ping the PC on Fa4/0, but the PC
on Fa4/0 cannot ping the PC on Fa0/0.
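The following Python model is an added illustration, not part of the lab guide: it evaluates the two access-lists above with IOS wildcard-mask matching (including the implicit deny) and shows why a ping from the Fa0/0 side only succeeds once inspection creates an opening for the returning echo-reply. The host addresses 192.168.1.20 and 192.168.100.10 are assumed sample PCs; the session table is a simplified stand-in for CBAC's dynamic entries (no timeouts, ICMP only).

```python
import ipaddress

# Access-lists from the lab: (action, src_net, src_wildcard, dst_net, dst_wildcard)
ACL_100 = [("permit", "192.168.1.16", "0.0.0.15", "192.168.100.0", "0.0.0.255")]
ACL_101 = [("deny", "192.168.100.0", "0.0.0.255", "192.168.1.16", "0.0.0.15")]


def wildcard_match(addr, net, wild):
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_decision(acl, src, dst):
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action
    return "deny"  # every IOS access-list ends with an implicit deny


class Router:
    def __init__(self, inspect_icmp_on_fa0_0):
        self.inspect = inspect_icmp_on_fa0_0
        self.sessions = set()  # simplified CBAC table: (src, dst) of inspected requests

    def forward(self, ingress, src, dst, icmp_type):
        if ingress == "Fa0/0":
            verdict = acl_decision(ACL_100, src, dst)
            if verdict == "permit" and self.inspect and icmp_type == "echo-request":
                self.sessions.add((src, dst))  # remember the session for the reply
            return verdict
        # Fa4/0 inbound: a reply belonging to an inspected session bypasses ACL 101
        if self.inspect and icmp_type == "echo-reply" and (dst, src) in self.sessions:
            return "permit"
        return acl_decision(ACL_101, src, dst)


def ping(router, pinger_if, src, dst):
    """True only if the echo-request gets out and the echo-reply gets back."""
    reply_if = "Fa4/0" if pinger_if == "Fa0/0" else "Fa0/0"
    if router.forward(pinger_if, src, dst, "echo-request") != "permit":
        return False
    return router.forward(reply_if, dst, src, "echo-reply") == "permit"
```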
