Today we prepared a legacy article for CCNA security candidates. In this article we learn how to configure Firewall capabilities on Cisco routers.As we know Cisco uses IOS. For security purpose it’s become necessary to learn the actual concept of Firewalling and to know how to configure Firewalling features on normal Routers.
The IOS Firewall is a stateful firewall that inspects TCP and UDP packets at the application layer of the OSI model. Not only that but it also used to watch the outgoing requests (usually to the Internet) and opens reciprocal, inbound ports for the return traffic.Many companies uses different types of Firewalls,some at OS level some are hardware based.Here we are talking about CISCO IOS Firewall which is an inbuilt FIREWALL inside of the Cisco Router.
The most crucial thing to keep in mind about IOS FIREWALL is that the it maintains the state of each of the TCP connections; it allows return traffic back if it allowed it out and if it matches the state information stored for that TCP packet.
Some words about the power of IOS Firewalling features:
To know and guess the IOS Firewall strength just see its feature.It has power to recognizes many different types of common TCP and UDP traffic, including HTTP(Hyper Text Transfer Protocol), NTP (Network Time Protocol), SMTP (Simple Mail Transfer Protocol), FTP(File Transfer Protocol), and others.I have mentioned this because many of these types of traffic aren’t easy to write access control lists (ACLs) for.
Diving deep through the 4 features available:
Traffic filtering: Trafiic Filtering is applicable only at the port level but also at the application level.
Traffic inspection: This feature of IOS Firewall keeps the state of the TCP connection and prevents unauthorized access.
Alerts and audit trails feature: This Feature of IOS Firewall offers real-time alerts and syslog audit trails.
Intrusion prevention: It includes an intrusion detection system that covers 59 of the most common attack signatures
Start with IP addressing and routing:
Assign ip address to on every PC and SERVERS and also each and every interface of routers as mentioned in above topology diagram.I hope if you are reading this article you already know from CCENT course how to assign IP addresses on these devices.
After assigning ip finish routing static or dynamic doesn’t matter.Its completely depends on your choice.
Configure the IOS Firewall:
Before start configuring IOS FIREWALL, first make sure you have configured above topology and all devices are able to communicate with each other.Also make sure that you have configured the proper IOS. If you have an IOS that includes the IOS Firewall, enter the ip inspect ? command at the Global Configuration Mode prompt, which will return a list of options to make the life easier for you.
Explanation of above output:Above output say that your current IOS support Firewall.
1. Choose an interface.
To protect your network from the Internet, choose the external WAN public interface.
2. Configure and apply an ACL.
As we know ACL can block everything you want to permit with the IOS Firewall. Here i am going to block all tcp and udp services.
Now, its time to apply this to the external interface in the inbound direction:
Router(config-if)#ip access-group 100 in
3. It's time to create your firewall inspection rule.
Warning! you need to define what protocols to inspect and monitor the statefulness of with your firewall.
Suppose here in this lab you want to monitor, inspect, and filter TCP and UDP.
Now apply the inspection rule.
Then it's time to apply the inspection rule to your interface in the out direction using ip inspect command.
This will monitors the traffic that’s going out and dynamically creates inbound openings in your ACL, which would otherwise deny the traffic.
At this point, your firewall should be active and working.
5. Now Configure logging and auditing(for log file and audit report).
You have also the opportunity to configure logging and auditing of your firewall traffic.
%FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (126.96.36.199:520) -- responder (255.255.255.255:0)