Learn to Configure the IOS Firewall on cisco router

Posted: June 3, 2015 in CCNP

Today in this article we learn how to configure the firewall on Cisco routers. Cisco routers run IOS, and for security purposes it is essential to understand the firewall concept and to know how to configure the firewall on a router. The IOS Firewall is a stateful firewall that inspects TCP and UDP packets up to the application layer of the OSI model. It also watches outgoing requests (usually to the Internet) and opens reciprocal, inbound ports for the return traffic. Many companies use different types of firewalls, some at the OS level and some hardware based. Here we are talking about the Cisco IOS Firewall, which is built into the Cisco router itself. The most important thing to keep in mind about the IOS Firewall is that it maintains the state of each TCP connection: it allows return traffic back in only if it allowed the connection out and the returning packet matches the state information stored for that connection.

 

NOW JUST UNDERSTAND THE POWER OF IOS FIREWALL:

To appreciate the strength of the IOS Firewall, just look at its features. It recognizes many different types of common TCP and UDP traffic, including HTTP (Hypertext Transfer Protocol), NTP (Network Time Protocol), SMTP (Simple Mail Transfer Protocol), FTP (File Transfer Protocol), and others. I mention this because many of these types of traffic aren't easy to write access control lists (ACLs) for.

 

Understand the features of the IOS Firewall: mainly four features are available.

  • Traffic filtering in IOS Firewall: traffic filtering works not only at the port level but also at the application level.
  • Traffic inspection in IOS Firewall: this feature keeps the state of each TCP connection and prevents unauthorized access.
  • Alerts and audit trails feature of IOS Firewall: this feature offers real-time alerts and syslog audit trails.
  • Intrusion prevention in IOS Firewall: it includes an intrusion detection system that covers 59 of the most common attack signatures — a very cool feature.

[Figure: IOS firewall lab topology diagram]

 

FIRST CONFIGURE THE IP ADDRESS ON DEVICES AND FINISH ROUTING.

Assign an IP address to every PC and server and to each interface of the routers as shown in the topology diagram above. If you are reading this article, I assume you already know how to assign IP addresses on these devices.

After assigning the IP addresses, finish the routing. Static or dynamic doesn't matter; it depends entirely on your choice.

 

Now START Configuring the IOS Firewall:

Before you start configuring the IOS Firewall, first make sure you have built the topology above and that all devices can communicate with each other. Also make sure you are running an IOS image that includes the firewall feature set. If your IOS includes the IOS Firewall, enter the ip inspect ? command at the global configuration prompt, which returns a list of options, as shown below.

 

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip inspect ?
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows

 

Explanation of the above output: the fact that ip inspect ? lists these options means your current IOS supports the firewall feature. If the command is rejected as unrecognized, the image does not include the IOS Firewall.

1. Choose an interface.

To protect your network from the Internet, choose the external (public) WAN interface.

2. Configure and apply an ACL.

The ACL blocks everything that you then want the IOS Firewall to permit dynamically: the firewall opens temporary entries in this ACL for the return traffic of sessions it has seen leaving. Here I am going to block all TCP and UDP services, with a final line that denies any remaining IP traffic. Two points to keep in mind: the ACL must be an extended ACL (numbered 100-199 or 2000-2699, or a named extended ACL) because the IOS Firewall inserts its dynamic entries into extended ACLs only, and the separate TCP and UDP lines are redundant with the final deny ip any any but give you per-protocol match counters in show ip access-lists.


Router(config)#access-list 100 deny tcp any any
Router(config)#access-list 100 deny udp any any
Router(config)#access-list 100 deny ip any any

 

Now it's time to apply this ACL to the external interface in the inbound direction. In this lab the external interface is FastEthernet0/0, as the show ip inspect interfaces output later confirms:

Router(config)#interface FastEthernet0/0
Router(config-if)#ip access-group 100 in

 

3. Now create your firewall inspection rule.

Remember, you need to define which protocols your firewall inspects and tracks the state of.

Suppose in this lab you want to monitor, inspect, and filter TCP and UDP.

 

Router(config)#ip inspect name myfirewall tcp
Router(config)#ip inspect name myfirewall udp

 

4. Now apply the inspection rule.

Now it's time to apply the inspection rule to the same external interface in the out direction using the ip inspect command.

This monitors the traffic going out and dynamically creates inbound openings in your ACL, which would otherwise deny the return traffic.

 

Router(config)#interface FastEthernet0/0
Router(config-if)#ip inspect myfirewall out

 

At this point, your firewall should be active and working.
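The stateful behaviour that the steps above configure, shown as an added example that is not part of the original post and not Cisco code: a small Python model of ACL 100 plus the myfirewall tcp/udp inspection rule applied outbound. The host addresses and the packet scenario are constructed, and the idle timeouts are the ones that appear later in the post's show ip inspect config output (tcp 3600 s, udp 30 s).

```python
"""Simplified model of the IOS Firewall policy built in the steps above.

This is an added example, not Cisco code and not from the original post. It
models the post's configuration: ACL 100 denies all inbound traffic on the
outside interface, and inspection rule "myfirewall" (tcp and udp), applied
outbound, opens temporary inbound entries for return traffic. The idle
timeouts are the ones in the post's show ip inspect config output
(tcp 3600 s, udp 30 s). Addresses in demo() are constructed sample values.
"""
from dataclasses import dataclass

# Idle timeouts from "show ip inspect config" in the post
IDLE_TIMEOUT = {"tcp": 3600, "udp": 30}


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"; anything else is not inspected
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out": leaving via the outside interface, "in": arriving on it


class IosFirewallModel:
    """Session table keyed on the 5-tuple, standing in for the CBAC state table."""

    def __init__(self, inspected=("tcp", "udp")):
        self.inspected = set(inspected)
        # (proto, inside_ip, inside_port, outside_ip, outside_port) -> last seen time
        self.sessions = {}

    def _expire(self, now):
        """Drop sessions idle longer than the protocol's idle timeout."""
        stale = [k for k, last in self.sessions.items()
                 if now - last > IDLE_TIMEOUT[k[0]]]
        for k in stale:
            del self.sessions[k]

    def handle(self, pkt, now):
        """Return 'permit' or 'deny' for one packet seen at time `now` (seconds)."""
        self._expire(now)
        if pkt.direction == "out":
            # "ip inspect myfirewall out": outbound traffic of an inspected
            # protocol records state so that the reply can come back in.
            if pkt.proto in self.inspected:
                self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "permit"   # the post applies no outbound ACL
        # Inbound: ACL 100 denies everything unless a dynamic opening matches.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            self.sessions[key] = now
            return "permit"
        return "deny"


def demo():
    """Replay a short constructed scenario and return the list of verdicts."""
    fw = IosFirewallModel()
    inside, web, dns, outsider = "10.0.0.5", "203.0.113.10", "203.0.113.53", "198.51.100.7"
    scenario = [
        (0,    Packet("tcp", inside, 40000, web, 80, "out")),     # client opens HTTP
        (1,    Packet("tcp", web, 80, inside, 40000, "in")),      # reply matches state
        (1,    Packet("tcp", web, 80, inside, 40001, "in")),      # wrong port, no state
        (2,    Packet("tcp", outsider, 12345, inside, 22, "in")), # unsolicited inbound
        (100,  Packet("udp", inside, 5000, dns, 53, "out")),      # DNS query
        (120,  Packet("udp", dns, 53, inside, 5000, "in")),       # reply within 30 s
        (200,  Packet("udp", dns, 53, inside, 5000, "in")),       # 80 s idle: expired
        (3700, Packet("tcp", web, 80, inside, 40000, "in")),      # tcp idle > 3600 s
    ]
    return [fw.handle(p, t) for t, p in scenario]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running it prints one verdict per packet: the HTTP reply to port 40000 is permitted only because the matching outbound packet was seen first, the unsolicited inbound packets hit the deny-all ACL, and the late UDP reply is dropped because the 30 s UDP idle timer has expired. The real IOS Firewall keeps more per-session detail than this model (for example the half-open session thresholds and TCP synwait/finwait timers shown in show ip inspect config), but the permit/deny logic for return traffic is the same idea.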

 

5. Now configure logging and auditing (for the log file and audit report).

Now you can configure logging and auditing of your firewall traffic.

Router(config)# ip inspect audit-trail


Router#show ip access-lists
%FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (2.0.0.2:520) -- responder (255.255.255.255:0)
Extended IP access list 100
    deny tcp any any (12 match(es))
    deny udp any any (16 match(es))
    deny ip any any (2 match(es))

(The %FW-6 audit-trail message was printed to the console while the show ip access-lists command was being typed, which is why it appears in the middle of the command in the raw capture.)
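To make use of the audit trail and the ACL counters just enabled, here is an added Python example (not Cisco tooling and not from the original post) that parses %FW-6-SESS_AUDIT_TRAIL_START messages and show ip access-lists counters in exactly the formats shown above, flags sessions a defender would want to review, and computes how many packets each deny line dropped between two readings. The extra log lines and the earlier counter reading are constructed, and the trusted inside prefix 2.0.0.0/8 is an assumption taken from the 2.0.0.2 initiator in the output.

```python
"""Parse the IOS Firewall audit trail and the ACL match counters shown above.

Added example; it is not Cisco tooling and not part of the original post. The
regular expressions follow the exact formats in the post's output. The sample
log lines and the "before" counter reading are constructed; the trusted inside
prefix 2.0.0.0/8 is an assumption based on the initiator 2.0.0.2 in the post.
"""
import ipaddress
import re

# %FW-6-SESS_AUDIT_TRAIL_START line, in the form shown in the post's output
AUDIT_START = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\w+) session: "
    r"initiator \((?P<i_ip>[\d.]+):(?P<i_port>\d+)\) -- "
    r"responder \((?P<r_ip>[\d.]+):(?P<r_port>\d+)\)"
)
# One entry of "show ip access-lists", e.g. "deny tcp any any (12 match(es))"
ACL_LINE = re.compile(r"^\s*(?P<ace>(?:permit|deny) .+?) \((?P<n>\d+) match\(es\)\)$")

INSIDE = ipaddress.ip_network("2.0.0.0/8")   # assumption, see module docstring


def parse_audit_trail(lines):
    """Return one dict per session-start message; unrelated syslog lines are skipped."""
    sessions = []
    for line in lines:
        m = AUDIT_START.search(line)
        if m:
            s = m.groupdict()
            s["i_port"], s["r_port"] = int(s["i_port"]), int(s["r_port"])
            sessions.append(s)
    return sessions


def flag_sessions(sessions, inspected=("tcp", "udp")):
    """Sessions worth a second look on the post's design:
    - the initiator is not on the inside network (state should only be created
      by inside hosts talking out through the inspected interface),
    - the responder is the broadcast address (no single peer can answer),
    - the protocol is not one the inspection rule lists.
    Returns (proto, initiator, responder, reasons) tuples."""
    findings = []
    for s in sessions:
        reasons = []
        if ipaddress.ip_address(s["i_ip"]) not in INSIDE:
            reasons.append("initiator outside trusted network")
        if s["r_ip"] == "255.255.255.255":
            reasons.append("broadcast responder")
        if s["proto"] not in inspected:
            reasons.append("protocol not in inspection rule")
        if reasons:
            findings.append((s["proto"], s["i_ip"], s["r_ip"], reasons))
    return findings


def parse_acl_counters(show_output):
    """Map each ACE in 'show ip access-lists' output to its match count."""
    return {m.group("ace"): int(m.group("n"))
            for m in map(ACL_LINE.match, show_output.splitlines()) if m}


def acl_deltas(before, after):
    """Per-ACE growth between two readings: how many packets each deny line dropped."""
    return {ace: after.get(ace, 0) - before.get(ace, 0) for ace in after}


# Constructed sample input: the first line is the one from the post, the rest
# are made up to exercise the parser.
SAMPLE_LOG = [
    "%FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (2.0.0.2:520) -- responder (255.255.255.255:0)",
    "%FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (2.0.0.10:51234) -- responder (203.0.113.5:80)",
    "%FW-6-SESS_AUDIT_TRAIL_START: Start udp session: initiator (198.51.100.9:4000) -- responder (2.0.0.10:53)",
    "%SYS-5-CONFIG_I: Configured from console by console",
]

ACL_AFTER = """Extended IP access list 100
    deny tcp any any (12 match(es))
    deny udp any any (16 match(es))
    deny ip any any (2 match(es))"""           # counters as shown in the post
ACL_BEFORE = """Extended IP access list 100
    deny tcp any any (10 match(es))
    deny udp any any (16 match(es))
    deny ip any any (0 match(es))"""           # constructed earlier reading


if __name__ == "__main__":
    for finding in flag_sessions(parse_audit_trail(SAMPLE_LOG)):
        print(finding)
    print(acl_deltas(parse_acl_counters(ACL_BEFORE), parse_acl_counters(ACL_AFTER)))
```

Run against the sample data it flags the broadcast icmp "session" from the post and the constructed udp session initiated from outside, and reports that the tcp and ip deny lines grew by 2 matches each between the two readings. Feeding it a real syslog collector's output and periodic show ip access-lists captures gives a cheap baseline for what the firewall is dropping and which sessions it is opening.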

 

Verify the inspection rule named myfirewall. This shows the protocols the rule inspects and, for each one, whether alerts and the audit trail are on and what the idle timeout is:

 

Router#show ip inspect name myfirewall
Inspection name myfirewall
tcp alert is on audit-trail is on timeout 3600
udp alert is on audit-trail is on timeout 30

 

Router#show ip inspect config
%FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (2.0.0.2:520) -- responder (255.255.255.255:0)
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name myfirewall
tcp alert is on audit-trail is on timeout 3600
udp alert is on audit-trail is on timeout 30

 

Router#show ip inspect interfaces
Interface Configuration
Interface FastEthernet0/0
Inbound inspection rule is not set
Outgoing inspection rule is myfirewall
tcp alert is on audit-trail is on timeout 3600
udp alert is on audit-trail is on timeout 30
Inbound access list is 100
Outgoing access list is not set

 

Router#show ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name myfirewall
tcp alert is on audit-trail is on timeout 3600
udp alert is on audit-trail is on timeout 30
Interface Configuration
Interface FastEthernet0/0
Inbound inspection rule is not set
Outgoing inspection rule is myfirewall
tcp alert is on audit-trail is on timeout 3600
udp alert is on audit-trail is on timeout 30
Inbound access list is 100
Outgoing access list is not set
Established Sessions
Session 197465712 (2.0.0.2:520)=>(255.255.255.255:udp SIS_OPENING
Comments
  1. Kalys Aisa says:

    Very nice job Mr. Satish. I want to learn CCNA course interesting labor. Good luck!


  2. Altaf hussain bhat says:

    How do we reset a Cisco router when it shows Chinese language?

