6.3.1 Basic and Advanced Firewall Wizards

Figure summarizes the key features of the Cisco Security Device Manager (SDM) basic and advanced firewall wizards. Cisco SDM, a GUI-based configuration and management tool for Cisco IOS routers, offers a simple method to set up the Cisco IOS Firewall. Depending on the number of router interfaces in your network, you select either the Basic Firewall Configuration wizard, which supports only one outside interface and one or more inside interfaces, or the Advanced Firewall Configuration wizard, which, in addition to the inside and outside interfaces, also supports a DMZ interface. The Basic Firewall Configuration wizard applies default access rules to both inside and outside interfaces, applies default inspection rules to the outside interface, and enables IP unicast reverse path forwarding (uRPF) on the outside interface. The Advanced Firewall Configuration wizard applies default or custom access rules, as well as default or custom inspection rules, to the inside, outside, and DMZ interfaces. The Advanced Firewall Configuration wizard also enables uRPF on the outside interface.

Note
Unicast reverse path forwarding checks incoming packets for IP source address integrity by comparing the source IP address with the routing table. If the packet arrived on one interface but the route to the source network points to another interface, the packet did not arrive on the path the router would use to reach that source, and it is discarded.
6.3.2 Configuring a Basic Firewall

Figure shows the Cisco SDM Firewall and ACL GUI screen. To launch the Basic Firewall Configuration wizard, follow this procedure:

Step 1 Click the Configure icon in the top navigation bar to enter the configuration page.
Step 2 Click the Firewall and ACL icon in the left vertical navigation bar.
Step 3 Select Basic Firewall on the Create Firewall tab.
Step 4 Click Launch the selected task to proceed to the next window. A new window opens that describes the objective of the Basic Firewall Configuration wizard. Click Next.

Basic Firewall Interface Configuration
The Basic Firewall Interface Configuration window appears. Figure shows the Cisco SDM Basic Firewall Interface Configuration. In this window, identify the outside interface by selecting it from the Outside(untrusted) Interface drop-down list, and identify the inside router interfaces by checking their check boxes in the Inside(trusted) Interfaces section. You can select several inside interfaces. In the example, interface FastEthernet0/1 is not selected and therefore will not be affected. At this stage, you can also check the Allow secure SDM access from outside interfaces check box. When you select it, HTTPS access to the outside router interfaces is permitted from the untrusted domain, while HTTP access is denied. In this example, HTTPS access from outside the network is not desired. Click Next to proceed to the next window. You will receive a warning that you will not be able to launch the SDM via the outside interface, in this case Serial0/0. Make sure that you are not accessing the SDM through the outside interface, and then click OK to proceed to the next task.

Basic Firewall Configuration Summary and Deployment
The final step of the wizard is to review the Internet Firewall Configuration Summary. Figure shows the Cisco SDM Internet Firewall Configuration Summary. After you click OK, a summary of the protection rules that SDM will apply to the router is displayed. Review this report, and if all of the rules that you want are listed, click Finish and then OK to send the commands to the device.

Reviewing the Basic Firewall for the Originating Traffic
When the firewall features are configured on the router, the wizard finishes and you are placed in the Edit Firewall Policy/ACL tab of the Firewall and ACL menu, where you can review and modify the configured options. Figure shows the Edit Firewall Policy/ACL form, which displays the policy for outbound traffic and lets you verify and customize the firewall settings. In this form you can view the ACL entries applied to the originating traffic (ACL 100 in this example); in other words, this tab is where you examine the ACL that applies to the inside interface in the inbound direction. ACL 100 is applied inbound to the inside interface. It prevents spoofing by denying packets sourced from the 200.0.0.0/30 network, which is configured on the outside interface. The ACL also blocks packets sourced from the broadcast address and the 127.0.0.0/8 network, and permits all other traffic. The inspection rule name in this example is SDM_LOW. In this example, the firewall is active in the Fa0/0 to S0/0/0 direction, where Fa0/0 is the inside (trusted) interface and S0/0/0 is the outside (untrusted) interface. You can also verify that the firewall is active by the firewall icon that appears inside the router icon. If you select View Option > Swap From and To interface, you will see that the firewall is inactive in the S0/0/0 to Fa0/0 direction. To view the ACL that applies to the returning traffic, click the Returning traffic radio button.

Reviewing the Basic Firewall for the Returning Traffic
Figure illustrates the firewall policy for inbound traffic that appears when you click Returning traffic on the Edit Firewall Policy/ACL tab. You can review the filter rules for returning traffic in the same way that you reviewed the rules for the originating traffic. This window displays all ACL entries that have been applied to the outside interface in the inbound direction (ACL 101). ACL 101 permits ICMP echo-reply, time-exceeded, and unreachable messages destined to the outside router interface (200.0.0.1), and blocks packets sourced from private address ranges, the broadcast address, and the 0.0.0.0 address. The final entry denies and logs all other packets.

Resulting Basic Firewall Inspection Rule Configuration
Another verification method is to check the commands that have been applied to the router using the CLI. Figure shows a configuration generated by SDM. The SDM_LOW predefined rule inspects the protocols that are commonly used in enterprise networks: cuseeme, dns, ftp, h323, https, icmp, imap, pop3, netshow, rcmd, realaudio, rtsp, esmtp, sqlnet, streamworks, tftp, tcp, udp, and vdolive. TCP, UDP, and ICMP receive generic inspection, while the remaining protocols require enhanced application awareness.

Resulting Basic Firewall ACL Configuration
Figure shows two ACLs that the Basic Firewall Configuration wizard has generated and will apply to the router interfaces. The resulting ACLs filter the traffic in this way:

Resulting Basic Firewall Interface Configuration
Figure shows the configured ACLs and inspection rules that the Basic Firewall Configuration wizard applies to the router interfaces.

Note
SDM applies
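The Cisco IOS configuration below is an added example, reconstructed from the descriptions in the sections above (ACL 100, ACL 101, the SDM_LOW inspection rule, and uRPF on the outside interface); it is not the figure from the original page and not output captured from SDM. It assumes FastEthernet0/0 is the inside interface and Serial0/0/0 the outside interface addressed 200.0.0.1/30, as in the Edit Firewall Policy/ACL example; the "private address ranges" blocked by ACL 101 are assumed to be the RFC 1918 blocks, the order of the entries is an assumption, and the inside interface address is a placeholder.

```cisco
! Added example: reconstruction of Basic Firewall wizard output, not captured SDM output.
! Assumptions: Fa0/0 = inside (trusted); Serial0/0/0 = outside (untrusted), 200.0.0.1/30;
! RFC 1918 blocks stand in for the "private address ranges"; inside address is a placeholder.
!
! Inspection rule SDM_LOW: the protocol list described on the page.
! tcp, udp and icmp get generic inspection; the others get application-aware inspection.
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
! ACL 100: originating traffic, applied inbound on the inside interface.
! Anti-spoofing: an inside host must never claim the outside subnet, the
! limited-broadcast address or a loopback address as its source.
access-list 100 deny   ip 200.0.0.0 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
!
! ACL 101: returning traffic, applied inbound on the outside interface.
! Only the listed ICMP messages to the router's own outside address pass statically;
! return traffic for inspected sessions is admitted by the dynamic entries that
! inspection inserts in front of this list, and everything else is denied and logged.
access-list 101 permit icmp any host 200.0.0.1 echo-reply
access-list 101 permit icmp any host 200.0.0.1 time-exceeded
access-list 101 permit icmp any host 200.0.0.1 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
!
interface FastEthernet0/0
 description inside (trusted)
 ! placeholder inside address
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
!
interface Serial0/0/0
 description outside (untrusted)
 ip address 200.0.0.1 255.255.255.252
 ip access-group 101 in
 ! inspection applied outbound on the outside interface, i.e. to the Fa0/0-to-S0/0/0
 ! flows the page describes; "ip inspect SDM_LOW in" on Fa0/0 inspects the same flows
 ip inspect SDM_LOW out
 ! strict uRPF: drop packets whose source is not routed back via this interface
 ip verify unicast reverse-path
```

To confirm the result on the router, `show ip inspect config` lists the SDM_LOW protocols, `show ip inspect sessions` shows the dynamic return entries opened for inside-originated connections, `show access-lists` shows per-entry hit counts (the `deny ip any any log` counter on ACL 101 is the quickest indicator of unsolicited inbound traffic), and `show ip interface Serial0/0/0` reports whether reverse-path verification is enabled. Strict uRPF is safe on a single-homed outside interface such as this one, because the default route makes every external source reachable through it; on a multihomed router with asymmetric routing it would drop legitimate traffic.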