Cisco Expressway Maintenance Manual
Finally, it includes a rule to allow access from the loopback interface.
■ Non-configurable application rules: this incorporates all necessary application-specific rules, for example to allow SNMP traffic and H.323 gatekeeper discovery.
■ User-configurable rules: this incorporates all of the manually configured firewall rules (as described in this section) that refine — and typically restrict — what can access the Expressway. There is a final rule in this group that allows all traffic destined for the Expressway LAN 1 interface (and the LAN 2 interface if the Advanced Networking option key is installed).
There is also a final, non-configurable rule that drops any broadcast or multicast traffic that has not already been
specifically allowed or denied by the previous rules.
By default any traffic that is destined for the specific IP address of the Expressway is allowed access, but that traffic
will be dropped if the Expressway is not explicitly listening for it. You have to actively configure extra rules to lock
down the system to your specifications.
Note that return traffic from outbound connections is always accepted.
User-configured rules
The user-configured rules are typically used to restrict what can access the Expressway. You can:
■ Specify the source IP address subnet from which to allow or deny traffic.
■ Choose whether to drop or reject denied traffic.
■ Configure well-known services such as SSH, HTTP/HTTPS or specify customized rules based on transport protocols and port ranges.
■ Configure different rules for the LAN 1 and LAN 2 interfaces (if the Advanced Networking option key is installed), although note that you cannot configure specific destination addresses such as a multicast address.
■ Specify the priority order in which the rules are applied.
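As an added illustration (not Cisco's code, and a simplified model rather than the Expressway's actual implementation), this Python evaluator walks the rule groups in the order described above: loopback, application rules, user rules in priority order, the final allow for traffic to the LAN address (dropped if nothing is listening), and the final broadcast/multicast drop. The application-rule ports, the interpretation of priority as lower-first, and the sample rules and packets are assumptions; the swapped-priority case shows why rule order matters.

```python
import ipaddress
from dataclasses import dataclass, replace
@dataclass
class Rule:
    priority: int    # lower value is evaluated first (assumption about "priority order")
    interface: str   # "LAN1" or "LAN2"
    source: str      # source subnet the rule matches, e.g. "10.0.0.0/8"
    protocol: str    # "tcp" or "udp"
    ports: tuple     # inclusive destination port range (low, high)
    action: str      # "allow", "drop" or "reject"
@dataclass
class Packet:
    interface: str
    src: str
    dst: str
    protocol: str
    dport: int
APP_RULES = {("udp", 161), ("udp", 1718)}  # constructed stand-in: SNMP, H.323 RAS discovery

def evaluate(pkt, user_rules, lan_addresses, listening):
    """Walk the rule groups in the order the guide describes and return the decision."""
    if pkt.interface == "lo" or (pkt.protocol, pkt.dport) in APP_RULES:
        return "allow"                           # built-in: loopback and application rules
    for r in sorted(user_rules, key=lambda r: r.priority):   # user rules, in priority order
        if (r.interface == pkt.interface and r.protocol == pkt.protocol
                and r.ports[0] <= pkt.dport <= r.ports[1]
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.source)):
            return r.action
    if pkt.dst in lan_addresses:                 # final user-group rule: allow to LAN 1/LAN 2 address
        # the firewall lets it through, but it is still dropped if nothing is listening on that port
        return "allow" if (pkt.protocol, pkt.dport) in listening else "drop"
    if ipaddress.ip_address(pkt.dst).is_multicast or pkt.dst.endswith(".255"):
        return "drop"                            # final built-in rule: unhandled broadcast/multicast
    return "drop"                                # other destinations: assumed dropped (not stated in the guide)

def demo():
    rules = [Rule(1, "LAN1", "10.0.0.0/8", "tcp", (22, 22), "allow"),   # SSH from internal subnet
             Rule(2, "LAN1", "0.0.0.0/0", "tcp", (22, 22), "reject")]   # SSH from anywhere else
    lan, listening = {"10.0.0.10"}, {("tcp", 22), ("tcp", 443)}   # constructed LAN 1 address/services
    def pk(src, dst, proto, port): return Packet("LAN1", src, dst, proto, port)
    out = {"ssh_internal": evaluate(pk("10.1.2.3", "10.0.0.10", "tcp", 22), rules, lan, listening),
           "ssh_external": evaluate(pk("192.0.2.5", "10.0.0.10", "tcp", 22), rules, lan, listening),
           "https_external": evaluate(pk("192.0.2.5", "10.0.0.10", "tcp", 443), rules, lan, listening),
           "unused_port": evaluate(pk("192.0.2.5", "10.0.0.10", "tcp", 9999), rules, lan, listening),
           "multicast": evaluate(pk("192.0.2.5", "224.0.0.1", "udp", 5000), rules, lan, listening)}
    swapped = [replace(rules[0], priority=2), replace(rules[1], priority=1)]   # reorder: reject wins
    out["ssh_internal_swapped"] = evaluate(pk("10.1.2.3", "10.0.0.10", "tcp", 22), swapped, lan, listening)
    return out
```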
Setting Up and Activating Firewall Rules
The Firewall rules configuration page is used to set up and activate a new set of firewall rules.
The set of rules shown will initially be a copy of the current active rules. (On a system where no firewall rules have
previously been defined, the list will be empty.) If you have a lot of rules you can use the Filter options to limit the set
of rules displayed. Note that the built-in rules are not shown in this list.
You can then change the set of firewall rules by adding new rules, or by modifying or deleting any existing rules. Any
changes made at this stage to the current active rules are held in a pending state. When you have completed making
all the necessary changes you can activate the new rules, replacing the previous set.
To set up and activate new rules:
1. Go to System > Protection > Firewall rules > Configuration.
2. Make your changes by adding new rules, or by modifying or deleting any existing rules as required. You can change the order of the rules by using the up/down arrows to swap the priorities of adjacent rules.
   — New or modified rules are shown as Pending (in the State column).
   — Deleted rules are shown as Pending delete.
3. When you have finished configuring the new set of firewall rules, click Activate firewall rules.
4. Confirm that you want to activate the new rules. This will replace the existing set of active rules with the set you have just configured.
After confirming that you want to activate the new rules, they are validated and any errors reported.
Cisco Expressway Administrator Guide