There are two configuration models for setting up a firewall on IOS: the classic firewall (formerly called CBAC, Context-Based Access Control) and the zone-based firewall. In this post I’m going to document how to set up the classic IOS firewall, as it’s quick and simple to configure.
Supported models and IOS versions
All Cisco IOS router models running release 12.4(6)T and above support this, with the exception of the newer ASR models and IOS XE, which only support the zone-based model.
Setting up a simple two interface firewall
Here’s the task:
- Inside network interface: 192.168.1.1/24
- Outside network interface (Internet): 10.0.0.1/24
- NAT your traffic from inside to outside
- Protect your inside network from outside traffic
- Stateful packet inspection of traffic from the inside, ensuring return traffic is permitted when it enters the outside interface
First, set up your interfaces and define which interface is your inside and which is your outside:
interface Ethernet 0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Ethernet 0/2
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
Set up NAT for traffic coming from the inside to the outside, overloading (PAT) on the outside interface:
ip access-list extended INSIDENAT
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list INSIDENAT interface Ethernet 0/2 overload
Define an access-list for your outside (firewalled) interface to block hostile traffic.
Here I’m simply going to set a deny any any rule and apply it inbound on the outside interface. If you have inside servers that you want to open up to the internet, this is where you define the permitted ports; they must sit ahead of the deny entry, since the ACL is evaluated top-down.
ip access-list extended OUTSIDE_ACCESS_IN
 deny ip any any log-input
interface Ethernet 0/2
 ip access-group OUTSIDE_ACCESS_IN in
If you open up other services, don’t forget to set up a matching static NAT mapping (port forwarding) rule too; an ACL permit without the static NAT entry exposes nothing, and a static NAT entry without the permit is dropped by the ACL.
Set up simple stateful packet inspection and apply it to the outside interface for traffic leaving that interface:
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
interface Ethernet 0/2
 ip inspect FIREWALL out
Note: you can also apply the inspect statement inbound on the inside interface, like this:
interface Ethernet 0/1
 ip inspect FIREWALL in
It’s better to inspect traffic going out of the outside interface: if you have multiple internal interfaces you only need to configure inspection on one interface, the last one the packet traverses. This also allows traffic initiated by the router itself to be inspected.
And this completes the simple firewall configuration!
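As an added example (my own code, not part of the original post and not Cisco's), here is a small Python audit that parses an IOS running-config in the shape built above and checks the invariants the configuration relies on: exactly one `ip nat outside` interface, an inbound access-group on it that ends in an explicit `deny ip any any`, an outbound `ip inspect` rule that covers tcp and udp, a NAT overload statement bound to that interface, and a static NAT mapping for every inbound port the ACL permits (and vice versa). The embedded config is constructed: it is the two-interface setup from this post plus a hypothetical inside web server at 192.168.1.10 forwarded on tcp/443, and a deliberately inconsistent permit for tcp/22 with no static NAT, so the audit has something to report. `PORT_NAMES` is a partial table of the keywords IOS substitutes for well-known ports in ACL output.

```python
"""Audit a Cisco IOS classic-firewall (CBAC) config for the invariants the post relies on.
Added example; SAMPLE_CONFIG is constructed, not captured from a real device."""
import re

# Constructed sample: the post's setup plus a hypothetical inside web server
# (192.168.1.10) forwarded on tcp/443. tcp/22 is permitted but NOT forwarded,
# so the audit has an inconsistency to report.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Ethernet0/2
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE_ACCESS_IN in
 ip inspect FIREWALL out
ip access-list extended INSIDENAT
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended OUTSIDE_ACCESS_IN
 permit tcp any any eq 443
 permit tcp any any eq 22
 deny ip any any log-input
ip nat inside source list INSIDENAT interface Ethernet0/2 overload
ip nat inside source static tcp 192.168.1.10 443 interface Ethernet0/2 443
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
"""

# Partial table of the port keywords IOS substitutes in ACL output (e.g. "eq www").
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "pop3": 110}


def parse_config(text):
    """Split a config into {interface: [sub-commands]}, {acl: [entries]}, [global lines]."""
    interfaces, acls, top, current = {}, {}, [], None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            current.append(line.strip())          # indented line belongs to the open block
            continue
        m = re.match(r"interface\s+(.+)", line)
        a = re.match(r"ip access-list extended\s+(\S+)", line)
        if m:                                     # "Ethernet 0/2" -> "Ethernet0/2"
            current = interfaces.setdefault("".join(m.group(1).split()), [])
        elif a:
            current = acls.setdefault(a.group(1), [])
        else:
            current = None
            if line.strip() and not line.startswith("!"):
                top.append(line.rstrip())
    return interfaces, acls, top


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    interfaces, acls, top = parse_config(text)
    outside = [n for n, cmds in interfaces.items() if "ip nat outside" in cmds]
    if len(outside) != 1:
        return [f"expected exactly one 'ip nat outside' interface, found {len(outside)}"]
    name, cmds, findings = outside[0], interfaces[outside[0]], []
    # 1. Inbound ACL on the outside interface, ending in an explicit deny.
    acl_in = next((c.split()[2] for c in cmds if re.match(r"ip access-group \S+ in$", c)), None)
    if acl_in is None:
        findings.append(f"{name}: no inbound access-group, outside traffic is unfiltered")
    elif not acls.get(acl_in) or not acls[acl_in][-1].startswith("deny ip any any"):
        findings.append(f"ACL {acl_in} is undefined or lacks a trailing 'deny ip any any'")
    # 2. Outbound inspection on the same interface, covering at least tcp and udp.
    insp = next((c.split()[2] for c in cmds if re.match(r"ip inspect \S+ out$", c)), None)
    if insp is None:
        findings.append(f"{name}: no 'ip inspect ... out', so return traffic is dropped")
    else:
        protos = {g.split()[4] for g in top if g.startswith(f"ip inspect name {insp} ")}
        findings += [f"inspect rule {insp} does not cover {p}" for p in ("tcp", "udp") if p not in protos]
    # 3. NAT overload (PAT) bound to the outside interface.
    pat = [g.split() for g in top if re.match(r"ip nat inside source list \S+ interface \S+ overload$", g)]
    if not any(t[7] == name for t in pat):
        findings.append(f"no 'ip nat inside source list ... interface {name} overload'")
    # 4. Every inbound permit needs a static NAT (port forward), and vice versa.
    forwarded, permitted = set(), set()
    for g in top:
        m = re.match(r"ip nat inside source static (tcp|udp) \S+ \d+ (?:interface \S+|\S+) (\d+)", g)
        if m:
            forwarded.add((m.group(1), int(m.group(2))))
    for entry in acls.get(acl_in, []):
        m = re.match(r"permit (tcp|udp) .*\beq (\S+?)(?: log\S*)?$", entry)
        if m:
            port = int(m.group(2)) if m.group(2).isdigit() else PORT_NAMES.get(m.group(2))
            if port is not None:
                permitted.add((m.group(1), port))
    for proto, port in sorted(permitted - forwarded):
        findings.append(f"ACL {acl_in} permits {proto}/{port} inbound but nothing forwards it")
    for proto, port in sorted(forwarded - permitted):
        findings.append(f"static NAT forwards {proto}/{port} but ACL {acl_in} never permits it")
    return findings
```

Run `audit(SAMPLE_CONFIG)` and it reports the one inconsistency in the sample (tcp/22 permitted but not forwarded); adding the matching `ip nat inside source static tcp ... 22` line clears it, and removing the `ip inspect FIREWALL out` line produces the missing-inspection finding that would otherwise show up as blocked return traffic. The parser deliberately tolerates the `Ethernet 0/2` spelling used in the post as well as the `Ethernet0/2` form the router writes to its running-config.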
Of course, the firewall supports more advanced application protocols; please refer to Appendix 1 of the Cisco document below. http://www.cisco.com/c/en/us/products/collateral/security/ios-firewall/product_implementation_design_guide09186a00800fd670.html