
Implementing Secure Converged Wide Area Networks (ISCW)



  1. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features

  2. Module 6: Cisco IOS Threat Defense Features Lesson 6.3: Basic and Advanced Firewall Wizards

  3. Objectives
     • Describe the Security Device Manager (SDM) and how it is used in firewall configuration.
     • Describe using the Basic and Advanced Firewall wizard in SDM to configure a firewall.
     • Explain how to review and modify the configuration generated by the SDM.
     • Explain how to enable logging in order to view firewall activity within SDM.

  4. Basic and Advanced Firewall Wizards
     • SDM offers configuration wizards to simplify Cisco IOS Firewall configuration.
     • Two configuration wizards exist:
       • Basic Firewall Configuration wizard:
         • Supports two interface types (inside and outside)
         • Applies predefined rules
       • Advanced Firewall Configuration wizard:
         • Supports more interfaces (Inside, Outside, and DMZ)
         • Applies predefined or custom rules

  5. Configuring a Basic Firewall (screenshot with numbered callouts 1 to 4)

  6. Basic Firewall Interface Configuration

  7. Basic Firewall Configuration Summary and Deployment

  8. Reviewing the Basic Firewall for the Originating Traffic

  9. Reviewing the Basic Firewall for the Returning Traffic

  10. Resulting Basic Firewall Inspection Rule Configuration
      Router#show running-config | include ip inspect name
      ip inspect name SDM_LOW cuseeme
      ip inspect name SDM_LOW dns
      ip inspect name SDM_LOW ftp
      ip inspect name SDM_LOW h323
      ip inspect name SDM_LOW https
      ip inspect name SDM_LOW icmp
      ip inspect name SDM_LOW imap
      ip inspect name SDM_LOW pop3
      ip inspect name SDM_LOW netshow
      ip inspect name SDM_LOW rcmd
      ip inspect name SDM_LOW realaudio
      ip inspect name SDM_LOW rtsp
      ip inspect name SDM_LOW esmtp
      ip inspect name SDM_LOW sqlnet
      ip inspect name SDM_LOW streamworks
      ip inspect name SDM_LOW tftp
      ip inspect name SDM_LOW tcp
      ip inspect name SDM_LOW udp
      ip inspect name SDM_LOW vdolive

  11. Resulting Basic Firewall ACL Configuration
      Router#show running-config | include access-list
      access-list 100 remark autogenerated by SDM firewall configuration
      access-list 100 remark SDM_ACL Category=1
      access-list 100 deny ip 200.0.0.0 0.0.0.3 any
      access-list 100 deny ip host 255.255.255.255 any
      access-list 100 deny ip 127.0.0.0 0.255.255.255 any
      access-list 100 permit ip any any
      access-list 101 remark autogenerated by SDM firewall configuration
      access-list 101 remark SDM_ACL Category=1
      access-list 101 deny ip 10.1.1.0 0.0.0.255 any
      access-list 101 permit icmp any host 200.0.0.1 echo-reply
      access-list 101 permit icmp any host 200.0.0.1 time-exceeded
      access-list 101 permit icmp any host 200.0.0.1 unreachable
      access-list 101 deny ip 10.0.0.0 0.255.255.255 any
      access-list 101 deny ip 172.16.0.0 0.15.255.255 any
      access-list 101 deny ip 192.168.0.0 0.0.255.255 any
      access-list 101 deny ip 127.0.0.0 0.255.255.255 any
      access-list 101 deny ip host 255.255.255.255 any
      access-list 101 deny ip host 0.0.0.0 any
      access-list 101 deny ip any any log

  12. Resulting Basic Firewall Interface Configuration
      Router#show running-config | begin interface
      interface FastEthernet0/0
       description $FW_INSIDE$
       ip address 10.1.1.1 255.255.255.0
       ip access-group 100 in
      !
      interface Serial0/0/0
       description $FW_OUTSIDE$
       ip address 200.0.0.1 255.255.255.252
       ip access-group 101 in
       ip verify unicast reverse-path
       ip inspect SDM_LOW out
      !
      <...rest of output removed...>

  13. Configuring Interfaces on an Advanced Firewall (screenshot with numbered callouts 1 to 4)

  14. Advanced Firewall Interface Configuration

  15. Advanced Firewall DMZ Service Configuration

  16. Advanced Firewall DMZ Service Configuration: TCP

  17. Advanced Firewall DMZ Service Configuration: UDP

  18. Advanced Firewall DMZ Service Configuration: Configured Services

  19. Advanced Firewall Security Policy

  20. Advanced Firewall Protocols and Applications

  21. Advanced Firewall Protocols and Applications (Cont.)

  22. Advanced Firewall Protocols and Applications (Cont.)

  23. Advanced Firewall Inspection Parameters

  24. Advanced Firewall Security Policy Selection

  25. Advanced Firewall Configuration Summary and Deployment

  26. Resulting Advanced Firewall Inspection Rule Configuration
      Router#show running-config | include ip inspect name
      ip inspect name appfw_100 tcp audit-trail on
      ip inspect name appfw_100 udp
      ip inspect name appfw_100 ftp
      ip inspect name dmzinspect tcp
      ip inspect name dmzinspect udp

  27. Resulting Advanced Firewall ACL Configuration
      Router#show running-config | include access-list
      access-list 100 remark autogenerated by SDM firewall configuration
      access-list 100 remark SDM_ACL Category=1
      access-list 100 deny ip 200.0.0.0 0.0.0.3 any
      access-list 100 deny ip 192.168.0.0 0.0.0.255 any
      access-list 100 deny ip host 255.255.255.255 any
      access-list 100 deny ip 127.0.0.0 0.255.255.255 any
      access-list 100 permit ip any any
      access-list 101 remark autogenerated by SDM firewall configuration
      access-list 101 remark SDM_ACL Category=1
      access-list 101 deny ip any any log
      access-list 102 remark autogenerated by SDM firewall configuration
      access-list 102 remark SDM_ACL Category=1
      access-list 102 deny ip 192.168.0.0 0.0.0.255 any
      access-list 102 deny ip 10.1.1.0 0.0.0.255 any
      access-list 102 permit icmp any host 200.0.0.1 echo-reply
      access-list 102 permit icmp any host 200.0.0.1 time-exceeded
      access-list 102 permit icmp any host 200.0.0.1 unreachable
      access-list 102 permit tcp any host 192.168.0.2 eq www
      access-list 102 permit udp any host 192.168.0.3 eq isakmp
      access-list 102 deny ip 10.0.0.0 0.255.255.255 any
      access-list 102 deny ip 172.16.0.0 0.15.255.255 any
      access-list 102 deny ip 192.168.0.0 0.0.255.255 any
      access-list 102 deny ip 127.0.0.0 0.255.255.255 any
      access-list 102 deny ip host 255.255.255.255 any
      access-list 102 deny ip host 0.0.0.0 any
      access-list 102 deny ip any any log

  28. Resulting Advanced Firewall Interface Configuration
      Router#show running-config | begin interface
      interface FastEthernet0/0
       description $FW_INSIDE$
       ip address 10.1.1.1 255.255.255.0
       ip access-group 100 in
       ip inspect appfw_100 in
      !
      interface FastEthernet0/1
       description $FW_DMZ$
       ip address 192.168.0.1 255.255.255.0
       ip access-group 101 in
       ip inspect dmzinspect out
      !
      interface Serial0/0/0
       description $FW_OUTSIDE$
       ip address 200.0.0.1 255.255.255.252
       ip access-group 102 in
       ip verify unicast reverse-path
      !
      <...rest of the output removed...>
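To make the generated configuration concrete for both wizards (the basic output on slides 10 to 12 and the advanced output on slides 26 to 28), here is an added example, not code from the course or from Cisco: a small Python model of first-match ACL evaluation with Cisco wildcard masks, plus the session table that `ip inspect` builds so that return traffic of an inspected session gets past the inbound ACL on the outside interface. The ACL text is a constructed subset of ACL 101 from slide 11; the parser also accepts the `eq www` form used in ACL 102, and the `BasicFirewall` class and packet dictionaries are this example's own simplification.

```python
import ipaddress

# Constructed subset of the wizard's outside ACL (ACL 101) and SDM_LOW list from the slides.
ACL_101 = """
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any host 200.0.0.1 echo-reply
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any any log
"""
SDM_LOW = {"https", "dns", "icmp", "tcp", "udp"}  # subset of the protocols SDM_LOW inspects

def _addr(tok, i):
    """Parse one address spec (any | host A | A WILDCARD); return ((net, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def _hit(spec, ip):
    net, wild = spec  # Cisco wildcard mask: a 1 bit means "don't care"
    return (int(ipaddress.IPv4Address(ip)) ^ net) & ~wild & 0xFFFFFFFF == 0

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]  # drop the "access-list 101" prefix
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        ext = tuple(t for t in tok[i:] if t != "log")  # e.g. ("echo-reply",) or ("eq", "www")
        rules.append((tok[0], tok[1], src, dst, ext, "log" in tok[i:]))
    return rules

def acl_decision(rules, pkt):
    """First match wins; returns (action, logged). Unmatched traffic hits the implicit deny."""
    for action, proto, src, dst, ext, log in rules:
        if (proto in ("ip", pkt["proto"]) and _hit(src, pkt["src"]) and _hit(dst, pkt["dst"])
                and (not ext or ext == pkt.get("ext", ()))):
            return action, log
    return "deny", False

class BasicFirewall:
    """Outside interface as the wizard built it: ACL 101 inbound plus 'ip inspect SDM_LOW out'."""
    def __init__(self):
        self.rules, self.sessions = parse_acl(ACL_101), set()
    def outbound(self, pkt):  # inside -> outside: inspection records the session
        if pkt["app"] in SDM_LOW:
            self.sessions.add((pkt["proto"], pkt["src"], pkt["dst"]))
    def inbound(self, pkt):  # outside -> inside: return traffic of a recorded session bypasses ACL 101
        if (pkt["proto"], pkt["dst"], pkt["src"]) in self.sessions:
            return "permit", False
        return acl_decision(self.rules, pkt)
```

The same `parse_acl` can be pointed at ACL 102 from slide 27 to confirm which DMZ services the advanced wizard opened and that everything else still ends at the logged deny.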

  29. Preparing for Firewall Activity Viewing (screenshot with numbered callouts 1 to 6)

  30. Viewing Firewall Log (screenshot with numbered callouts 1 and 2)

  31. Summary
      • Cisco Security Device Manager (SDM), a GUI-based configuration and management tool for Cisco IOS routers, offers a simple method to set up the Cisco IOS Firewall.
      • The Basic Firewall Configuration wizard applies default access rules to both inside and outside interfaces, applies default inspection rules to the outside interface, and enables IP unicast reverse path forwarding (uRPF) on the outside interface.
      • The Advanced Firewall Configuration wizard applies default or custom access rules, as well as default or custom inspection rules, to inside, outside, and DMZ interfaces. The Advanced Firewall Configuration wizard also enables IP unicast reverse-path forwarding on the outside interface.

  32. Q and A

  33. Resources
      • Cisco Router and Security Device Manager Introduction
        http://cisco.com/en/US/partner/products/sw/secursw/ps5318/index.html
      • Cisco Router and Security Device Manager Support
        http://cisco.com/en/US/partner/products/sw/secursw/ps5318/tsd_products_support_series_home.html
      • Cisco Router and Security Device Manager User Guides
        http://cisco.com/en/US/partner/products/sw/secursw/ps5318/products_user_guide_list.html
