Stateful Cisco IOS Firewalls
Cisco IOS Firewall is capable of stateful packet filtering when it is configured to do so.
By applying inspection rules to an interface, you can configure the router to drop packets that could be potentially harmful given the state of a currently established session. For example, using a TCP inspection rule will not allow a TCP reset (RST) packet through the interface unless there is currently a TCP session established with the machine sending the reset.
To apply stateful packet filtering rules, you must apply an access control list (ACL) to the interface you wish to inspect. Packets traversing this interface will then be examined against the ACL first, then checked against the inspection rule(s) to determine whether the packet should be forwarded or dropped. Note that any packet may be rejected by the inspection rules, ACL, or both!
First, decide which interface you would like to do stateful inspection on. This is typically your WAN or untrusted network interface. Configure an IP ACL with this interface in mind. If you are configuring a firewall for an interface that uses DHCP, keep in mind that the destination IP for packets allowed in will be the IP address assigned to that interface. Therefore I generally use any and remember it is there for that purpose. This alleviates the issue of having to adjust ACLs every time your router receives a new IP address from your ISP. Also keep in mind that you must use an extended ACL when you are also using inspection rules:
Router(config)#ip access-list extended Internet-inbound-ACL Router(config-ext-nacl)#10 permit tcp any any eq 22 Router(config-ext-nacl)#20 deny ip any any log
The above permits traffic on port 22 (SSH) to traverse the interface. The deny statement is added for clarity and logging.
Next define your inspection rules. IOS supports more than 170 protocols:
[no] ip inspect name inspection-name protocol [alert {on | off}] [timeout seconds]
Router(config)#ip inspect name FIREWALL tcp Router(config)#ip inspect name FIREWALL udp
Finally apply the ACL and the inspection rules to the interface:
Router(config)#interface FastEthernet4 Router(config-if)#ip access-group Internet-inbound-ACL in Router(config-if)#ip inspect FIREWALL out
It is important that the inspect statement is applied in the outbound direction. I found numerous documentation that stated it needed to be applied in the inbound direction, however I have found that this does not work and any new connection attempts are not stored in the session table or permitted through the interface!
You can verify the configuration that was just applied by issuing a show ip inspect session command. The output should look something like this:
Router#sh ip inspect sessions Established Sessions Session 83C60000 (192.168.0.3:44271)=>(76.73.X.X:22) ssh SIS_OPEN Session 83C65828 (192.168.0.4:54333)=>(74.X.X.X:5222) tcp SIS_OPEN Session 83C5AAB0 (192.168.0.4:54327)=>(208.43.X.X:80) tcp SIS_OPEN Session 83C685A8 (192.168.0.4:54335)=>(174.X.X.X:443) tcp SIS_OPEN Session 83C66EE8 (192.168.0.4:54332)=>(74.X.X.X:5222) tcp SIS_OPEN Session 83C63BB8 (192.168.0.4:54334)=>(208.89.X.X:80) tcp SIS_OPEN