
Configuring Cisco IOS Firewall Features

Cisco IOS software provides an extensive set of security features with which you can configure a simple or elaborate firewall, according to your particular requirements. When you configure Cisco IOS firewall features on your Cisco router, you turn your router into an effective, robust firewall.

Cisco IOS firewall features are designed to prevent unauthorized, external individuals from gaining access to your internal network, and to block attacks on your network, while at the same time allowing authorized users to access network resources.


You can use Cisco IOS firewall features to configure your Cisco IOS router as:

•An Internet firewall or part of an Internet firewall

•A firewall between groups in your internal network

•A firewall providing secure connections to or from branch offices

•A firewall between your company's network and your company partners' networks

Cisco IOS firewall features provide the following benefits:

•Protects internal networks from intrusion

•Monitors traffic through network perimeters

•Enables network commerce using the World Wide Web

At a minimum, you must configure basic traffic filtering to provide a basic firewall. You can configure your Cisco 7200 series router to function as a firewall by using the following Cisco IOS security features:

•Static access lists and static or dynamic extended access lists

•Lock-and-key (dynamic extended access lists)

•Reflexive access lists

•TCP intercept

•Context-based access control

•Security server support

•Network address translation

•Cisco Encryption Technology

•IPSec network security

•Neighbor router authentication

•Event logging

•User authentication and authorization


This section explains how to configure an extended access list, which is a sequential collection of permit and deny conditions that apply to an IP address.

This section includes the following topics:

•Creating Extended Access Lists Using Access List Numbers

•Verifying Extended Access Lists

•Applying Access Lists to Interfaces

•Verifying Extended Access Lists Are Applied Correctly


The simplest connectivity to the Internet is to use a single device to provide both the connectivity and the firewall function. With everything in a single device, address translation and termination of the VPN tunnels are easy to handle. Complexity arises when you need to add extra Cisco 7200 series routers to the network. This normally leads people to build a network in which the corporate network touches the Internet through a network called the DMZ, or demilitarized zone.

Creating Extended Access Lists Using Access List Numbers

To create an extended access list that denies and permits certain types of traffic, complete the following steps starting in global configuration mode:

Step 1
Command: hq-sanjose(config)# access-list 102 deny tcp any any
Purpose: Define access list 102 and configure the access list to deny all TCP traffic.

Step 2
Command: hq-sanjose(config)# access-list 102 deny udp any any
Purpose: Configure access list 102 to deny all UDP traffic.

Step 3
Command: hq-sanjose(config)# access-list 102 permit ip any any
Purpose: Configure access list 102 to permit all IP traffic.

Verifying Extended Access Lists

To verify the configuration:

•Enter the show access-lists 102 EXEC command to display the contents of the access list.

 hq-sanjose# show access-list 102 
Extended IP access list 102 
    deny   tcp any any 
    deny   udp any any 
    permit ip any any 

Applying Access Lists to Interfaces

After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces.

To apply an access list inbound and outbound on an interface, complete the following steps starting in global configuration mode:

Step 1
Command: hq-sanjose(config)# interface serial 1/0
Purpose: Specify serial interface 1/0 on the headquarters router and enter interface configuration mode.

Step 2
Command: hq-sanjose(config-if)# ip access-group 102 in
Purpose: Configure access list 102 inbound on serial interface 1/0 on the headquarters router.

Step 3
Command: hq-sanjose(config-if)# ip access-group 102 out
Purpose: Configure access list 102 outbound on serial interface 1/0 on the headquarters router.

Step 4
Command: hq-sanjose(config-if)# exit
Purpose: Exit back to global configuration mode (the prompt returns to hq-sanjose(config)#).

For inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an "ICMP Host Unreachable" message.

For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the destination address of the packet against the access list. If the access list permits the address, the software transmits the packet. If the access list rejects the address, the software discards the packet and returns an “ICMP Host Unreachable” message.

When you apply an access list that has not yet been defined to an interface, the software acts as if the access list has not been applied to the interface and will accept all packets. Be aware of this behavior if you use undefined access lists as a means of security in your network.

Verifying Extended Access Lists Are Applied Correctly

To verify the configuration:

•Enter the show ip interface serial 1/0 EXEC command to confirm the access list is applied correctly (inbound and outbound) on the interface.

 hq-sanjose# show ip interface serial 1/0 
Serial1/0 is up, line protocol is up 
  Internet address is 172.17.2.4 
  Broadcast address is 255.255.255.255 
  Address determined by setup command 
  Peer address is 172.24.2.5  
  MTU is 1500 bytes 
  Helper address is not set 
  Directed broadcast forwarding is disabled 
  Outgoing access list is 102 
  Inbound  access list is 102 


  -Display text omitted-
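As an added example (not part of the Cisco documentation), the following Python models the behavior described above: it parses the show access-list output, applies first-match evaluation with the implicit deny, treats an undefined list applied to an interface as permit-all (the caveat noted earlier), and checks the show ip interface output for lists that are applied but not defined. The function names and the sample strings are constructed here; the parser also accepts host and wildcard address forms beyond the any/any entries shown on the page.

```python
import re
from ipaddress import ip_address

# Constructed samples copied from the page's show access-list and show ip interface output.
SHOW_ACL = "Extended IP access list 102\n    deny   tcp any any\n    deny   udp any any\n    permit ip any any\n"
SHOW_IP_INT = "Serial1/0 is up, line protocol is up\n  Outgoing access list is 102\n  Inbound  access list is 102\n"

def _addr(toks):  # consume one IOS address spec: any | host A | A WILDCARD -> (address, wildcard)
    t = toks.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (toks.pop(0), "0.0.0.0") if t == "host" else (t, toks.pop(0))

def parse_access_lists(text):
    """Map list number -> [(action, protocol, src, dst)] from show access-lists output."""
    acls, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Extended IP access list (\d+)", line)
        toks = line.split()
        if m:
            cur = acls.setdefault(int(m.group(1)), [])
        elif cur is not None and toks and toks[0] in ("permit", "deny"):
            rest = toks[2:]  # src is consumed before dst; trailing "(N matches)" is ignored
            cur.append((toks[0], toks[1], _addr(rest), _addr(rest)))
    return acls

def _match(ip, spec):  # IOS wildcard mask: 1-bits are don't-care bits
    wild = int(ip_address(spec[1]))
    return (int(ip_address(ip)) | wild) == (int(ip_address(spec[0])) | wild)

def evaluate(acls, number, proto, src, dst):
    """First match wins, implicit deny last; an undefined list applied to an interface permits all."""
    entries = acls.get(number)
    if not entries:
        return "permit"  # the caveat above: undefined list = no list applied
    for action, p, s, d in entries:
        if p in ("ip", proto) and _match(src, s) and _match(dst, d):
            return action
    return "deny"  # implicit deny that show output never displays

def interface_acls(text):
    """{'in': n, 'out': n} from show ip interface output (None when not set)."""
    m_out = re.search(r"Outgoing access list is (\d+)", text)
    m_in = re.search(r"Inbound\s+access list is (\d+)", text)
    return {"in": int(m_in.group(1)) if m_in else None, "out": int(m_out.group(1)) if m_out else None}

def undefined_applied(acl_text, int_text):
    """Directions whose applied list is not defined, i.e. silently passing all traffic."""
    acls = parse_access_lists(acl_text)
    return [d for d, n in interface_acls(int_text).items() if n is not None and n not in acls]
```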