Cisco IOS software provides an extensive set of security features with which you can configure a simple or elaborate firewall, according to your particular requirements. When you configure Cisco IOS firewall features on your Cisco router, you turn your router into an effective, robust firewall.
Cisco IOS firewall features are designed to prevent unauthorized, external individuals from gaining access to your internal network, and to block attacks on your network, while at the same time allowing authorized users to access network resources.
You can use Cisco IOS firewall features to configure your Cisco IOS router as:
•An Internet firewall or part of an Internet firewall
•A firewall between groups in your internal network
•A firewall providing secure connections to or from branch offices
•A firewall between your company network and your company partners' networks
Cisco IOS firewall features provide the following benefits:
•Protects internal networks from intrusion
•Monitors traffic through network perimeters
•Enables network commerce using the World Wide Web
At a minimum, you must configure basic traffic filtering to provide a basic firewall. You can configure your Cisco 7200 series router to function as a firewall by using the following Cisco IOS security features:
•Static access lists and static or dynamic extended access lists
•Lock-and-key (dynamic extended access lists)
•Reflexive access lists
•TCP intercept
•Context-based access control
•Security server support
•Network address translation
•Cisco Encryption Technology
•IPSec network security
•Neighbor router authentication
•Event logging
•User authentication and authorization
This section explains how to configure an extended access list, which is a sequential collection of permit and deny conditions that apply to an IP address.
This section includes the following topics:
•Creating Extended Access Lists Using Access List Numbers
•Verifying Extended Access Lists
•Applying Access Lists to Interfaces
•Verifying Extended Access Lists Are Applied Correctly
The simplest connectivity to the Internet is to use a single device to provide both the connectivity and the firewall function. With everything in a single device, address translation and termination of the VPN tunnels are easy to handle. Complexity arises when you need to add extra Cisco 7200 series routers to the network. This normally leads people to build a network in which the corporate network touches the Internet through a network called the DMZ, or demilitarized zone.
Creating Extended Access Lists Using Access List Numbers
To create an extended access list that denies and permits certain types of traffic, complete the following steps starting in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| 1 | hq-sanjose(config)# access-list 102 deny tcp any any | Define access list 102 and configure the access list to deny all TCP traffic. |
| 2 | hq-sanjose(config)# access-list 102 deny udp any any | Configure access list 102 to deny all UDP traffic. |
| 3 | hq-sanjose(config)# access-list 102 permit ip any any | Configure access list 102 to permit all IP traffic. |
Verifying Extended Access Lists
To verify the configuration:
Enter the show access-lists 102 EXEC command to display the contents of the access list.
hq-sanjose# show access-list 102
Extended IP access list 102
    deny tcp any any
    deny udp any any
    permit ip any any
Applying Access Lists to Interfaces
After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces.
To apply an access list inbound and outbound on an interface, complete the following steps starting in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| 1 | hq-sanjose(config)# interface serial 1/0 | Specify serial interface 1/0 on the headquarters router and enter interface configuration mode. |
| 2 | hq-sanjose(config-if)# ip access-group 102 in | Configure access list 102 inbound on serial interface 1/0 on the headquarters router. |
| 3 | hq-sanjose(config-if)# ip access-group 102 out | Configure access list 102 outbound on serial interface 1/0 on the headquarters router. |
| 4 | hq-sanjose(config-if)# exit (prompt becomes hq-sanjose(config)#) | Exit back to global configuration mode. |
For inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an "ICMP Host Unreachable" message.
For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the destination address of the packet against the access list. If the access list permits the address, the software transmits the packet. If the access list rejects the address, the software discards the packet and returns an “ICMP Host Unreachable” message.
When you apply an access list that has not yet been defined to an interface, the software acts as if the access list has not been applied to the interface and will accept all packets. Be aware of this behavior if you use undefined access lists as a means of security in your network.
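The following Python model is an added example, not Cisco code, that re-implements the evaluation rules just described for the three-entry access list 102 built above: entries are tested in order, the first match decides, a packet that matches nothing hits the implicit deny at the end of every defined list, and an access list that is applied but never defined accepts everything. It parses only the syntax subset on this page (any, host, and address/wildcard pairs; no port qualifiers). Access list 110, the 192.168.10.0/24 subnet, and the test packets are constructed for illustration; 172.17.2.4 is the serial address shown on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Illustrative model (not IOS code) of numbered extended access list evaluation.
# Supported syntax: access-list N {permit|deny} PROTO SRC DST
#   where SRC/DST is "any", "host A", or "A WILDCARD". Port qualifiers are not modelled.


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp", "esp", ...
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every IP protocol
    src: str
    src_wild: str    # wildcard (inverse) mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str


def addr_matches(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the address bits that the wildcard mask marks as significant."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def parse_entry(line: str) -> Entry:
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("unsupported line: " + line)
    action, proto, rest = tokens[2], tokens[3], tokens[4:]

    def take(rest):
        if rest[0] == "any":
            return "0.0.0.0", "255.255.255.255", rest[1:]
        if rest[0] == "host":
            return rest[1], "0.0.0.0", rest[2:]
        return rest[0], rest[1], rest[2:]

    src, src_wild, rest = take(rest)
    dst, dst_wild, rest = take(rest)
    return Entry(action, proto, src, src_wild, dst, dst_wild)


def evaluate(acl: Optional[List[Entry]], pkt: Packet) -> str:
    """Return "permit" or "deny". acl=None models a list that was applied to an
    interface but never defined: the software then accepts all packets."""
    if acl is None:
        return "permit"
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not addr_matches(pkt.src, e.src, e.src_wild):
            continue
        if not addr_matches(pkt.dst, e.dst, e.dst_wild):
            continue
        return e.action          # first match wins
    return "deny"                # implicit deny at the end of every defined list


# Access list 102 exactly as built in the steps on this page.
ACL_102 = [parse_entry(l) for l in (
    "access-list 102 deny tcp any any",
    "access-list 102 deny udp any any",
    "access-list 102 permit ip any any",
)]

# The same entries with the permit first: the two deny entries are never reached.
ACL_102_MISORDERED = [ACL_102[2], ACL_102[0], ACL_102[1]]

# Constructed tighter list: one subnet may open TCP sessions to the HQ serial
# address; ICMP is allowed; everything else falls through to the implicit deny.
ACL_110 = [parse_entry(l) for l in (
    "access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 172.17.2.4",
    "access-list 110 permit icmp any any",
)]

if __name__ == "__main__":
    samples = (Packet("tcp", "192.168.10.7", "172.17.2.4"),
               Packet("udp", "192.168.10.7", "172.17.2.4"),
               Packet("icmp", "192.168.11.7", "172.17.2.4"))
    for name, acl in (("102", ACL_102), ("102 misordered", ACL_102_MISORDERED),
                      ("110", ACL_110), ("undefined", None)):
        for pkt in samples:
            print(f"list {name}: {pkt.proto} {pkt.src} -> {pkt.dst}: {evaluate(acl, pkt)}")
```

Running it shows that list 102 as configured blocks every TCP and UDP packet but still permits ICMP and other IP protocols, that reordering the same three entries permits everything, and that an undefined list is equivalent to no filtering at all.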
Verifying Extended Access Lists Are Applied Correctly
To verify the configuration:
•Enter the show ip interface serial 1/0 EXEC command to confirm the access list is applied correctly (inbound and outbound) on the interface.
hq-sanjose# show ip interface serial 1/0
Serial1/0 is up, line protocol is up
  Internet address is 172.17.2.4
  Broadcast address is 255.255.255.255
  Address determined by setup command
  Peer address is 172.24.2.5
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is 102
  Inbound access list is 102
-Display text omitted-
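When many interfaces must be checked, reading the output by eye does not scale. The following added example, which is not Cisco code, parses captured show ip interface output and reports the interfaces that do not have the expected access list applied in both directions. The Serial1/0 block is the one shown above; the Ethernet0/0 block, with no access lists applied, is constructed so the check has something to flag.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the format of `show ip interface`. Serial1/0 is the block
# on this page; Ethernet0/0 is a made-up interface with no access lists applied.
SAMPLE_SHOW_IP_INTERFACE = """\
Serial1/0 is up, line protocol is up
  Internet address is 172.17.2.4
  Broadcast address is 255.255.255.255
  Address determined by setup command
  Peer address is 172.24.2.5
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is 102
  Inbound  access list is 102
Ethernet0/0 is up, line protocol is up
  Internet address is 10.1.1.1
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is not set
"""

# An interface block starts at column 0 with "<name> is <state>, line protocol is ...".
IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is")
# The access-list lines are indented; IOS prints "Inbound" padded with two spaces.
ACL_RE = re.compile(r"^\s*(Outgoing|Inbound)\s+access list is (.+?)\s*$")


def parse_interface_acls(output: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each interface name to {"in": list-or-None, "out": list-or-None}."""
    result: Dict[str, Dict[str, Optional[str]]] = {}
    current = None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"in": None, "out": None}
            continue
        m = ACL_RE.match(line)
        if m and current is not None:
            direction = "out" if m.group(1) == "Outgoing" else "in"
            value = m.group(2)
            result[current][direction] = None if value == "not set" else value
    return result


def unprotected_interfaces(output: str, expected_acl: str, interfaces: List[str]) -> List[str]:
    """Return the names in `interfaces` that lack expected_acl inbound or outbound
    (an interface missing from the output entirely is also reported)."""
    parsed = parse_interface_acls(output)
    flagged = []
    for name in interfaces:
        acls = parsed.get(name, {"in": None, "out": None})
        if acls["in"] != expected_acl or acls["out"] != expected_acl:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name, acls in parse_interface_acls(SAMPLE_SHOW_IP_INTERFACE).items():
        print(f"{name}: in={acls['in']} out={acls['out']}")
    print("missing access list 102:",
          unprotected_interfaces(SAMPLE_SHOW_IP_INTERFACE, "102", ["Serial1/0", "Ethernet0/0"]))
```

The same function can be fed the output of a real session capture; the only assumption is the line layout shown above, which is why the regular expressions anchor on the "line protocol is" header and the "access list is" phrase rather than on column positions.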