How to setup a simple Cisco IOS Firewall


Classic Firewall

There are two configuration models to setup a firewall on IOS; the classic firewall (used to be called CBAC – Context based access control) and the zone based firewall. In this post I’m going to document how to setup the classic IOS firewall as it’s quick and simple to configure.

Supported models and IOS versions

All Cisco IOS router models with release 12.4(6)T and above support this with the exception of newer ASR models and IOS XE which only supports the zone based model.

Setting up a simple two interface firewall

Here’s the task:


  • Inside Network Interface-
  • Outside Network Interface (Internet)-
  • NAT your traffic from inside to outside
  • Protect your inside network from outside traffic
  • Stateful packet inspection of traffic from inside and ensure return traffic is permitted when entering the outside interface

First setup your interfaces and define which interface is your inside and which is your outside.

interface Ethernet 0/1
 ip address
 ip nat inside
interface Ethernet 0/2
 ip address
 ip nat outside

Setup NAT for traffic coming from the inside to the outside and overload on the outside interface

ip access-list extended INSIDENAT
permit ip any
ip nat inside source list INSIDENAT interface Ethernet 0/2 overload

Define an access-list for your outside (Firewalled) interface to prevent any hostile traffic.
Here I’m simply going to set a deny any any rule and apply it to your outside interface. If you have any inside servers that you want to open up to the internet this is where you want to define ports.

ip access-list extended OUTSIDE_ACCESS_IN
 deny ip any any log-input
interface Ethernet 0/2
ip access-group OUTSIDE_ACCESS_IN in

If you defined other services that you are opening up, don’t forget to setup a proper static NAT mapping (port forwarding) rule too.
Setup a simple Stateful packet inspection and apply it to your outside interface for traffic leaving that interface

ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
interface Ethernet 0/2
ip inspect FIREWALL out

Note: You can also apply the inspect statement on the inside interface for traffic going in like below:

interface Ethernet 0/1
ip inspect FIREWALL in

It’s better to inspect traffic going out the outside interface as if you were setting up multiple internal interfaces you only need to setup your inspection on one interface – the last interface that the packet traverses. This also allows traffic that’s initiated from the router itself to be inspected.

And this completes the simple firewall configuration!

Of course the firewall supports more advanced application protocols, please refer to appendix 1 on the Cisco document below.

Related Posts with Thumbnails