Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Basic IOS firewall configuration

Hi Guys,  I have always trusted NAT as my firewall solutions but in the back of my head I've know this is unsecure.

While I don't want to restrict my users access to the Internet, I would like to make ports hidden on the Internet and secure the Internet connection as much as possible.

Also a quick explanation of the configuration would be much appreciated.

PS. It is unfortunate and a lacking area in the CCNA to cover ip inspect rules and simple adsl configurations

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: Basic IOS firewall configuration

Base on the configuration posted, basically you are allowing all outbound traffic, however, restrict inbound traffic to the following: RDP, SSH, mail, web, PPTP, so I would assume that either you have a public ip address range for those servers' services, or you have configured static port address redirection to your Dialer interface ip address.

If you have a static public ip address, I would recommend that instead of configuring "permit tcp any any" on specific ports, I would tighten it even down as follows (assuming your public ip address is 200.1.1.1):

permit tcp any host 200.1.1.1 eq 3389

permit tcp any host 200.1.1.1 eq 22

...

...

9 REPLIES

Re: Basic IOS firewall configuration

Andrew,

You are correct.

Many people misinterpret NAT as a security feature. NAT indeed hides the real IPs but it is not a security measure.

The IOS Firewall provides with a lot of security features like ACLs, inspection rules, IPS (although not recommended in software), content filtering, etc.

You can check most of you need here:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_data_sheet09186a0080117962.html

Federico.

New Member

Re: Basic IOS firewall configuration

Sorry the forum lost my formatting (paragraphs) on my first post.

Anyway so far I have created the following and it appears to be working but I would like to confirm it is by what you guys can comment on, the configuration should block any incoming connections except those I allow but allow any outgoing connections and allow any incoming connections initated by a outgoing connection.

ip inspect name FIREWALL tcp

ip inspect name FIREWALL udp

!

interface Dialer1

ip access-group FIREWALL in

ip inspect FIREWALL out

!

ip access-list extended FIREWALL

permit tcp any any eq 3389

permit tcp any any eq 22

permit tcp any any eq smtp

permit tcp any any eq www

permit tcp any any eq pop3

permit tcp any any eq 443

permit tcp any any eq 1723

permit tcp any any eq 3390

permit tcp any any eq 4125

permit esp any any

permit udp any any eq isakmp

permit gre any any

deny   tcp any any

deny   udp any any

deny   ip any any

!

Super Bronze

Re: Basic IOS firewall configuration

Yes, you are absolutely correct.

New Member

Re: Basic IOS firewall configuration

Thank you for confirming would hate to apply it to one of my clients and find it blocks something... problem with small businesses is they don't want things blocked.

Is there any improvements you would make to make it more secure, with out blocking users from doing anything on the Internet?

Super Bronze

Re: Basic IOS firewall configuration

Base on the configuration posted, basically you are allowing all outbound traffic, however, restrict inbound traffic to the following: RDP, SSH, mail, web, PPTP, so I would assume that either you have a public ip address range for those servers' services, or you have configured static port address redirection to your Dialer interface ip address.

If you have a static public ip address, I would recommend that instead of configuring "permit tcp any any" on specific ports, I would tighten it even down as follows (assuming your public ip address is 200.1.1.1):

permit tcp any host 200.1.1.1 eq 3389

permit tcp any host 200.1.1.1 eq 22

...

...

New Member

Re: Basic IOS firewall configuration

halijenn wrote:

Base on the configuration posted, basically you are allowing all outbound traffic, however, restrict inbound traffic to the following: RDP, SSH, mail, web, PPTP, so I would assume that either you have a public ip address range for those servers' services, or you have configured static port address redirection to your Dialer interface ip address.

If you have a static public ip address, I would recommend that instead of configuring "permit tcp any any" on specific ports, I would tighten it even down as follows (assuming your public ip address is 200.1.1.1):

permit tcp any host 200.1.1.1 eq 3389

permit tcp any host 200.1.1.1 eq 22

...

...

You are correct those ports are open and I use static NATs to route the ports to the correct devices behind the router. I also use a static public IP address, albit only 1 static IP.

What are the benefits of not using 'any' in the ACLs and using the static public IP address instead?

Also is there anyway on a 877 running 12.4 to detect port scans and other malicious activity?

Thank you for your help aswell

Super Bronze

Re: Basic IOS firewall configuration

The benefit would be to only allow connection towards the public ip address instead of towards any ip addresses in your internal network.

For example:

An attacker from the outside can go directly to your private ip address on those ports that you have opened if the attacker knows the private ip address range of your internal network. It's just an added security that you can implement to make it a little bit more secure.

With port scan, you would need to configure the IOS IPS feature set on your 877 router. Here is a bit more information on IOS IPS for your reference:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/product_data_sheet0900aecd803137cf.html

Hope that helps.

New Member

Re: Basic IOS firewall configuration

ip inspect name FIREWALL tcp

ip inspect name FIREWALL udp

!

interface Dialer1

ip access-group FIREWALL in

ip inspect FIREWALL out

!

ip access-list extended FIREWALL

permit tcp any any eq 3389

permit tcp any any eq 22

permit tcp any any eq smtp

permit tcp any any eq www

permit tcp any any eq pop3

permit tcp any any eq 443

permit tcp any any eq 1723

permit tcp any any eq 3390

permit tcp any any eq 4125

permit esp any any

permit udp any any eq isakmp

permit gre any any

deny   tcp any any

deny   udp any any

deny   ip any any

Will it work on ASA 5510 ? .. it is not getting the command ip inspect....

Please advise

Super Bronze

Re: Basic IOS firewall configuration

Junaid,

Inspection in ASA firewall works a little bit differently. It is configured under policy-map.

Access-list needs to be applied to the interface using the access-group command.

502
Views
4
Helpful
9
Replies