In this article we learn how to configure the firewall on Cisco routers. As we know, Cisco routers run IOS. For security purposes it has become essential to understand the firewall concept and to know how to configure a firewall on a router. The IOS Firewall is a stateful firewall that inspects TCP and UDP packets at the application layer of the OSI model. It also watches outgoing requests (usually to the Internet) and opens reciprocal inbound ports for the return traffic. Many companies use different types of firewalls, some at the OS level and some hardware based. Here we are talking about the Cisco IOS Firewall, which is built into the Cisco router itself. The most important thing to keep in mind about the IOS Firewall is that it maintains the state of each TCP connection: it allows return traffic back in only if it allowed the request out and the reply matches the state information stored for that connection.
NOW JUST UNDERSTAND THE POWER OF THE IOS FIREWALL:
To gauge the strength of the IOS Firewall, just look at its features. It can recognize many different types of common TCP and UDP traffic, including HTTP (Hypertext Transfer Protocol), NTP (Network Time Protocol), SMTP (Simple Mail Transfer Protocol), FTP (File Transfer Protocol), and others. I mention this because many of these types of traffic aren't easy to write access control lists (ACLs) for.
Understand the features of the IOS Firewall: mainly four features are available.
- Traffic filtering: traffic filtering is applied not only at the port level but also at the application level.
- Traffic inspection: this feature keeps the state of each TCP connection and prevents unauthorized access.
- Alerts and audit trails: this feature offers real-time alerts and syslog audit trails.
- Intrusion prevention: it includes an intrusion detection system that covers 59 of the most common attack signatures, a very cool feature.
FIRST CONFIGURE THE IP ADDRESSES ON THE DEVICES AND FINISH ROUTING.
Assign an IP address to every PC and server and to each interface of the routers as shown in the topology diagram above. If you are reading this article, I hope you already know how to assign IP addresses on these devices.
After assigning the IP addresses, finish the routing; static or dynamic doesn't matter, it depends entirely on your choice.
Now START configuring the IOS Firewall:
Before you start configuring the IOS Firewall, make sure you have built the topology above and that all devices can communicate with each other. Also make sure you are running an IOS image that includes the firewall feature set. If your IOS includes the IOS Firewall, enter the ip inspect ? command at the Global Configuration Mode prompt, which returns a list of options, as shown below:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip inspect ?
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
Explanation of the above output: the options listed show that your current IOS supports the firewall feature.
1. Choose an interface.
To protect your network from the Internet, choose the external (public) WAN interface.
2. Configure and apply an ACL.
The ACL should block the inbound traffic that you want the IOS Firewall to permit dynamically; the inspection rule later opens holes in it only for return traffic. Here I am going to block all inbound TCP, UDP and other IP traffic:
Router(config)#access-list 100 deny tcp any any
Router(config)#access-list 100 deny udp any any
Router(config)#access-list 100 deny ip any any
Now it's time to apply this ACL to the external interface in the inbound direction (in this lab the external interface is FastEthernet0/0, as the show output further down confirms):
Router(config)#interface FastEthernet0/0
Router(config-if)#ip access-group 100 in
3. Now create your firewall inspection rule.
Remember! You need to define which protocols the firewall inspects and tracks statefully.
Suppose that in this lab you want to monitor, inspect, and filter TCP and UDP:
Router(config)#ip inspect name myfirewall tcp
Router(config)#ip inspect name myfirewall udp
4. Now apply the inspection rule.
Now apply the inspection rule to the same external interface in the outbound direction using the ip inspect command.
This monitors the traffic going out and dynamically creates inbound openings in your ACL, which would otherwise deny the return traffic.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip inspect myfirewall out
At this point, your firewall should be active and working.
5. Now configure logging and auditing (for the log file and audit report).
Now you can enable logging and auditing of your firewall sessions:
Router(config)# ip inspect audit-trail
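As an added example, not taken from the article, here is a small Python checker that reads a running-config excerpt and verifies that the five steps above are wired together on the outside interface: an inbound ACL, an outbound inspection rule covering TCP and UDP, and the global audit trail. SAMPLE_CONFIG is a constructed excerpt mirroring this lab, and the function names are my own.

```python
import re

SAMPLE_CONFIG = """\
! constructed running-config excerpt mirroring the article's lab; not captured from a real router
ip inspect audit-trail
ip inspect name myfirewall tcp
ip inspect name myfirewall udp
!
interface FastEthernet0/0
 ip access-group 100 in
 ip inspect myfirewall out
!
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 deny ip any any
"""

def parse_config(text):
    """Collect inspection rules, per-interface ACL/inspect bindings and the audit-trail flag."""
    rules, ifaces, cur = {}, {}, None
    audit_trail = "ip inspect audit-trail" in text.splitlines()
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"acl_in": None, "inspect_out": None}
        elif line.startswith("!"):
            cur = None  # a bang line closes the interface stanza
        elif m := re.match(r"ip inspect name (\S+) (\S+)", line):
            rules.setdefault(m[1], set()).add(m[2])
        elif cur and (m := re.match(r"\s+ip access-group (\S+) in$", line)):
            ifaces[cur]["acl_in"] = m[1]
        elif cur and (m := re.match(r"\s+ip inspect (\S+) out$", line)):
            ifaces[cur]["inspect_out"] = m[1]
    return rules, ifaces, audit_trail

def audit(text, outside_if, wanted=("tcp", "udp")):
    """Return findings for the outside interface; an empty list means all five steps are in place."""
    rules, ifaces, audit_trail = parse_config(text)
    cfg = ifaces.get(outside_if, {"acl_in": None, "inspect_out": None})
    acl, rule, findings = cfg["acl_in"], cfg["inspect_out"], []
    if acl is None:
        findings.append(f"{outside_if}: no inbound ACL, unsolicited inbound traffic is not blocked")
    if rule is None:
        findings.append(f"{outside_if}: no outbound inspection rule, return traffic gets no opening in the ACL")
    elif missing := set(wanted) - rules.get(rule, set()):
        findings.append(f"{outside_if}: rule {rule} does not inspect {', '.join(sorted(missing))}")
    if not audit_trail:
        findings.append("global: ip inspect audit-trail is off, sessions are not logged")
    return findings
```

Run audit() against the output of show running-config on your own router; a non-empty list names the step that is missing.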
Router#show ip access-lists
%FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (2.0.0.2:520) -- responder (255.255.255.255:0)
Extended IP access list 100
    deny tcp any any (12 match(es))
    deny udp any any (16 match(es))
    deny ip any any (2 match(es))
Now check the configuration of the inspection rule named myfirewall:
Router#show ip inspect name myfirewall
Inspection name myfirewall
tcp alert is on audit-trail is on timeout 3600
udp alert is on audit-trail is on timeout 30
Router#show ip inspect config
%FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (2.0.0.2:520) -- responder (255.255.255.255:0)
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name myfirewall
tcp alert is on audit-trail is on timeout 3600
udp alert is on audit-trail is on timeout 30
Router#show ip inspect interfaces
Interface Configuration
Interface FastEthernet0/0
Inbound inspection rule is not set
Outgoing inspection rule is myfirewall
tcp alert is on audit-trail is on timeout 3600
udp alert is on audit-trail is on timeout 30
Inbound access list is 100
Outgoing access list is not set
Router#show ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name myfirewall
tcp alert is on audit-trail is on timeout 3600
udp alert is on audit-trail is on timeout 30
Interface Configuration
Interface FastEthernet0/0
Inbound inspection rule is not set
Outgoing inspection rule is myfirewall
tcp alert is on audit-trail is on timeout 3600
udp alert is on audit-trail is on timeout 30
Inbound access list is 100
Outgoing access list is not set
Established Sessions
Session 197465712 (2.0.0.2:520)=>(255.255.255.255:udp SIS_OPENING
How do we reset a Cisco router when it shows the Chinese language?
See the other similar model of that router and change the language preferences, or check the documentation guide for that particular router.
Very nice job Mr. Satish. I want to learn CCNA course interesting labor. Good luck!