Basic IOS firewall configuration

Answered Question
May 8th, 2010
Hi Guys, I have always trusted NAT as my firewall solution, but in the back of my head I've known this is insecure.


While I don't want to restrict my users' access to the Internet, I would like to hide ports from the Internet and secure the Internet connection as much as possible.


Also a quick explanation of the configuration would be much appreciated.


PS. It is unfortunate, and a lacking area in the CCNA, that it does not cover ip inspect rules and simple ADSL configurations.

Federico Coto F... Sat, 05/08/2010 - 13:29
Andrew,


You are correct.

Many people misinterpret NAT as a security feature. NAT indeed hides the real IPs but it is not a security measure.

The IOS Firewall provides a lot of security features like ACLs, inspection rules, IPS (although not recommended in software), content filtering, etc.


You can check most of what you need here:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_data_sheet09186a0080117962.html


Federico.

jamesitsolutions Sun, 05/09/2010 - 01:33
Sorry the forum lost my formatting (paragraphs) on my first post.


Anyway, so far I have created the following and it appears to be working, but I would like to confirm it is by what you guys can comment on. The configuration should block any incoming connections except those I allow, but allow any outgoing connections and allow any incoming connections initiated by an outgoing connection.



ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
!
interface Dialer1
 ip access-group FIREWALL in
 ip inspect FIREWALL out
!
ip access-list extended FIREWALL
 permit tcp any any eq 3389
 permit tcp any any eq 22
 permit tcp any any eq smtp
 permit tcp any any eq www
 permit tcp any any eq pop3
 permit tcp any any eq 443
 permit tcp any any eq 1723
 permit tcp any any eq 3390
 permit tcp any any eq 4125
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 deny   tcp any any
 deny   udp any any
 deny   ip any any
!

jamesitsolutions Sun, 05/09/2010 - 02:48
Thank you for confirming; I would hate to apply it to one of my clients and find it blocks something... The problem with small businesses is they don't want things blocked.


Are there any improvements you would make to make it more secure, without blocking users from doing anything on the Internet?

Correct Answer
Jennifer Halim Sun, 05/09/2010 - 02:55
Based on the configuration posted, basically you are allowing all outbound traffic, but restricting inbound traffic to the following: RDP, SSH, mail, web, PPTP. So I would assume that either you have a public IP address range for those servers' services, or you have configured static port address redirection to your Dialer interface IP address.


If you have a static public IP address, I would recommend that instead of configuring "permit tcp any any" on specific ports, you tighten it down as follows (assuming your public IP address is 200.1.1.1):

permit tcp any host 200.1.1.1 eq 3389
permit tcp any host 200.1.1.1 eq 22
...
...

jamesitsolutions Sun, 05/09/2010 - 03:08
halijenn wrote:

Based on the configuration posted, basically you are allowing all outbound traffic, but restricting inbound traffic to the following: RDP, SSH, mail, web, PPTP. So I would assume that either you have a public IP address range for those servers' services, or you have configured static port address redirection to your Dialer interface IP address.

If you have a static public IP address, I would recommend that instead of configuring "permit tcp any any" on specific ports, you tighten it down as follows (assuming your public IP address is 200.1.1.1):

permit tcp any host 200.1.1.1 eq 3389
permit tcp any host 200.1.1.1 eq 22
...
...

You are correct, those ports are open and I use static NATs to route the ports to the correct devices behind the router. I also use a static public IP address, albeit only 1 static IP.


What are the benefits of not using 'any' in the ACLs and using the static public IP address instead?


Also, is there any way on an 877 running 12.4 to detect port scans and other malicious activity?


Thank you for your help as well.

Jennifer Halim Sun, 05/09/2010 - 03:40
The benefit would be to only allow connection towards the public ip address instead of towards any ip addresses in your internal network.


For example:

An attacker from the outside can go directly to your private ip address on those ports that you have opened if the attacker knows the private ip address range of your internal network. It's just an added security that you can implement to make it a little bit more secure.


For port scans, you would need to configure the IOS IPS feature set on your 877 router. Here is a bit more information on IOS IPS for your reference:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/product_data_sheet0900aecd803137cf.html


Hope that helps.
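A complete version of the tightened policy Jennifer describes, added here as an example (it is not any poster's configuration and not taken from Cisco documentation). It keeps the same published services and CBAC inspection as the posted config, but ties every permit to the router's public address instead of "any" and logs what is denied, which is a lightweight way to see port scans without the IPS feature set. Assumptions: public address 200.1.1.1 as in the thread, an internal LAN of 192.168.1.0/24 and a syslog host at 192.168.1.5 (both constructed for the example), IOS 12.4 with the CBAC feature set.

```cisco
! IOS 12.4 CBAC firewall for a single static public IP on Dialer1 (added example, not from the thread).
! Assumptions: public address 200.1.1.1; internal LAN 192.168.1.0/24; syslog host 192.168.1.5 (constructed).
!
! Stateful inspection: sessions opened from inside create temporary openings in the
! inbound ACL for their return traffic, so the ACL below only has to cover unsolicited
! inbound packets. ICMP inspection lets replies to our own pings and traceroutes back in.
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
!
interface Dialer1
 ip access-group FIREWALL in
 ip inspect FIREWALL out
!
! Each permit is bound to the public address rather than "any", as recommended above.
ip access-list extended FIREWALL
 remark -- published services (static NAT to internal hosts) --
 permit tcp any host 200.1.1.1 eq 3389
 permit tcp any host 200.1.1.1 eq 22
 permit tcp any host 200.1.1.1 eq smtp
 permit tcp any host 200.1.1.1 eq www
 permit tcp any host 200.1.1.1 eq pop3
 permit tcp any host 200.1.1.1 eq 443
 permit tcp any host 200.1.1.1 eq 1723
 permit tcp any host 200.1.1.1 eq 3390
 permit tcp any host 200.1.1.1 eq 4125
 remark -- VPN: PPTP data channel and IPsec --
 permit gre any host 200.1.1.1
 permit udp any host 200.1.1.1 eq isakmp
 permit esp any host 200.1.1.1
 remark -- anti-spoofing: our own LAN range must never arrive from the Internet --
 deny   ip 192.168.1.0 0.0.0.255 any log
 remark -- everything else is unsolicited; log it so scans become visible --
 deny   tcp any any log
 deny   udp any any log
 deny   ip any any log
!
! Ship the ACL hits to a syslog server. A burst of denied packets from one source
! across many destination ports is the footprint of a port scan.
logging trap informational
logging host 192.168.1.5
!
```

The inbound ACL on Dialer1 is evaluated before outside-to-inside NAT, so it sees the public address as the destination; that is why "host 200.1.1.1" is the right target even though the servers sit on private addresses. The CBAC openings for outbound sessions are inserted ahead of the static entries, so the trailing deny lines do not interfere with return traffic. On a busy link the "log" keyword can generate a lot of messages; IOS rate-limits ACL logging, and "logging rate-limit" can be used to tune it.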

Junaid Abbas Sun, 05/09/2010 - 03:32
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
!
interface Dialer1
 ip access-group FIREWALL in
 ip inspect FIREWALL out
!
ip access-list extended FIREWALL
 permit tcp any any eq 3389
 permit tcp any any eq 22
 permit tcp any any eq smtp
 permit tcp any any eq www
 permit tcp any any eq pop3
 permit tcp any any eq 443
 permit tcp any any eq 1723
 permit tcp any any eq 3390
 permit tcp any any eq 4125
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 deny   tcp any any
 deny   udp any any
 deny   ip any any


Will it work on an ASA 5510? It is not accepting the command ip inspect....


Please advise

Jennifer Halim Sun, 05/09/2010 - 03:42
Junaid,

Inspection in ASA firewall works a little bit differently. It is configured under policy-map.

Access-list needs to be applied to the interface using the access-group command.
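The same policy written for an ASA, added here as an example to show the two differences Jennifer names (it is not from the thread and not Cisco's own documentation). It uses the pre-8.3 convention in which the ACL on the outside interface matches the translated public address 200.1.1.1; from ASA 8.3 onward interface ACLs match the real internal addresses, so each "host 200.1.1.1" would have to become the internal server's address. Interface names "inside"/"outside" and the ACL name OUTSIDE_IN are assumptions.

```cisco
! ASA equivalent of the posted IOS policy (added example, not from the thread). ASA 8.2-style
! syntax: the outside ACL matches the translated (public) address. On 8.3 and later the
! same ACL must reference the real internal addresses instead.
!
! There is no "ip inspect" on the ASA. TCP/UDP return traffic for connections opened from
! inside is permitted by the stateful connection table automatically; the "inspect" lines in
! the policy-map add application-layer inspection (DNS, FTP, PPTP, ...) on top of that.
!
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq 3389
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq 22
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq www
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq pop3
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq https
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq pptp
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq 3390
access-list OUTSIDE_IN extended permit tcp any host 200.1.1.1 eq 4125
access-list OUTSIDE_IN extended permit gre any host 200.1.1.1
access-list OUTSIDE_IN extended permit udp any host 200.1.1.1 eq isakmp
access-list OUTSIDE_IN extended permit esp any host 200.1.1.1
! explicit final deny with "log" so unsolicited inbound traffic shows up in syslog
access-list OUTSIDE_IN extended deny ip any any log
!
! The ACL is bound with access-group, not configured under the interface as on IOS.
access-group OUTSIDE_IN in interface outside
!
! Application inspection lives in the policy-map; inspection_default matches the
! default ports of the protocols that have inspection engines.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect icmp
  inspect pptp
!
service-policy global_policy global
```

The ASA has an implicit deny at the end of every interface ACL, so the explicit "deny ip any any log" line only exists to produce a syslog record; without "log" it changes nothing. The static NAT for each published service still has to be configured separately, and its syntax also changed in 8.3, which is the other place an 8.2 example will not paste into a newer release.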
