6.3.1 Basic and Advanced Firewall Wizards

Figure summarizes the key features of the Cisco Security Device Manager (SDM) basic and advanced firewall wizards. Cisco SDM, a GUI-based configuration and management tool for Cisco IOS routers, offers a simple method to set up the Cisco IOS Firewall. Depending on the number of router interfaces in your network, you will select either the Basic Firewall Configuration wizard, which supports only one outside interface and one or more inside interfaces, or the Advanced Firewall Configuration wizard, which, in addition to the inside and outside interfaces, also supports a DMZ interface.

The Basic Firewall Configuration wizard applies default access rules to both inside and outside interfaces, applies default inspection rules to the outside interface, and enables IP unicast reverse path forwarding (uRPF) on the outside interface. The Advanced Firewall Configuration wizard applies default or custom access rules, as well as default or custom inspection rules, to inside, outside, and DMZ interfaces. The Advanced Firewall Configuration wizard also enables IP unicast reverse-path forwarding on the outside interface.

Note
Unicast reverse path forwarding checks incoming packets for IP source address integrity by comparing the source IP address with the routing table. If the packet arrived on one interface but the IP route back to the source network points to another interface, the packet traversed a path other than the one the router would use to reach that source (a suboptimal path) and is discarded.
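The following is an added example, not part of the course text and not Cisco's code, that models the uRPF check described in the Note: the source address of an arriving packet is looked up in the routing table (longest-prefix match), and in strict mode the packet is accepted only if the best route back to that source points out the interface the packet arrived on. It goes one step beyond the Note by also showing loose mode, which only requires that some route to the source exist. The routing table, prefixes and interface names are constructed sample data.

```python
"""Strict and loose unicast RPF, modelled in Python (added example).

ROUTING_TABLE is constructed sample data: a default route out the outside
interface Serial0/0 and two inside subnets on the FastEthernet interfaces.
"""
import ipaddress

# (prefix, interface the router would use to reach that prefix)
ROUTING_TABLE = [
    ("0.0.0.0/0", "Serial0/0"),          # default route, outside interface
    ("10.1.1.0/24", "FastEthernet0/0"),  # inside subnet
    ("10.1.2.0/24", "FastEthernet0/1"),  # second inside subnet
    ("200.0.0.0/30", "Serial0/0"),       # link subnet on the outside interface
]


def lookup_route(src_ip, table=ROUTING_TABLE):
    """Longest-prefix match: the interface the router would use to send
    traffic *back* to src_ip, or None if no route covers it."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(src_ip, ingress_iface, table=ROUTING_TABLE):
    """Strict mode: accept only if the reverse route points out the
    interface the packet arrived on. A packet claiming an inside source
    address but arriving on the outside interface fails this check."""
    return lookup_route(src_ip, table) == ingress_iface


def urpf_loose(src_ip, ingress_iface, table=ROUTING_TABLE):
    """Loose mode: accept if any route to the source exists at all,
    regardless of the ingress interface (ingress_iface is ignored)."""
    return lookup_route(src_ip, table) is not None


if __name__ == "__main__":
    # Arriving on the outside interface with an inside source address: dropped.
    print("10.1.1.5 via Serial0/0 strict:", urpf_strict("10.1.1.5", "Serial0/0"))
    # Genuine outside source matched by the default route: accepted.
    print("198.51.100.7 via Serial0/0 strict:", urpf_strict("198.51.100.7", "Serial0/0"))
```

The model treats the default route like any other entry; Cisco IOS strict uRPF does not consider the default route unless the `allow-default` keyword is configured on the `ip verify unicast source reachable-via rx` command, so on a real router an outside source covered only by the default route would be dropped without that keyword. Strict mode is only safe on interfaces with symmetric routing, which is why the wizard enables it on the single outside interface.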
6.3.2 Configuring a Basic Firewall

Figure shows the Cisco SDM Firewall and ACL GUI screen. To launch the Basic Firewall Configuration wizard, follow this procedure:

Step 1 Click the Configure icon in the top navigation bar to enter the configuration page.
Step 2 Click the Firewall and ACL icon in the left vertical navigation bar.
Step 3 Select Basic Firewall on the Create Firewall tab.
Step 4 Click Launch the selected task to proceed to the next window.

A new window opens that describes the objective of the Basic Firewall Configuration wizard. Click Next.

Basic Firewall Interface Configuration
The Basic Firewall Interface Configuration window appears. Figure shows the Cisco SDM Basic Firewall Interface Configuration. In this window, identify the outside interface by selecting it from the Outside(untrusted) Interface drop-down list, and identify the inside router interfaces by checking the interface check boxes in the Inside(trusted) Interfaces section. You can select several inside interfaces. In the example, the interface FastEthernet0/1 will not be affected because it is not selected.

At this stage, you can check the Allow secure SDM access from outside interfaces check box. When you select this check box, HTTPS access to the outside router interfaces is permitted from the untrusted domain, and HTTP access is denied. In this example, HTTPS access from outside the network is not desired. Click Next to proceed to the next window. You will receive a warning that you will not be able to launch the SDM via the outside interface (in this case Serial0/0). Make sure that you are not accessing the SDM through the outside interface, and then click OK to proceed to the next task.

Basic Firewall Configuration Summary and Deployment
The final step of the wizard is to review the Internet Firewall Configuration Summary. Figure shows the Cisco SDM Internet Firewall Configuration Summary. After clicking OK, you will see a summary of the protection rules that the SDM will apply to the router. Review this report, and if all of the rules that you want are listed, click Finish and then OK to send the commands to the device.

Reviewing the Basic Firewall for the Originating Traffic
Figure shows the Edit Firewall Policy/ACL form, where you can verify and customize the firewall settings. In the Edit Firewall Policy/ACL form, you can see the policy for outbound traffic. When the firewall features have been configured on the router, the wizard finishes and you are placed in the Edit Firewall Policy/ACL tab of the Firewall and ACL menu. In this window, you can review and modify the configured options.

In the Edit Firewall Policy/ACL form, you can view the ACL entries that are applied to the originating traffic (ACL 100 in this example); in other words, this tab is where you examine the ACL that applies to the inside interface in the inbound direction. In this example, ACL 100 is applied inbound to the inside interface. This ACL prevents spoofing by denying packets that are sourced from the 200.0.0.0/30 network, which is configured on the outside interface. The ACL also blocks packets that are sourced from the broadcast address and the 127.0.0.0/8 network, and permits all other traffic. The inspection rule name in this example is SDM_LOW.

In this example, the firewall is active in the Fa0/0 to S0/0/0 direction, where Fa0/0 is the inside (trusted) interface and S0/0/0 is the outside (untrusted) interface. You can also verify that the firewall is active by the firewall icon that appears inside the router icon. If you select View Option > Swap From and To interface, you will see that the firewall is inactive in the S0/0/0 to Fa0/0 direction. To view the ACL that applies to the returning traffic, click the Returning traffic radio button.

Reviewing the Basic Firewall for the Returning Traffic
Figure illustrates the firewall policy for inbound traffic that appears when you click Returning traffic on the Edit Firewall Policy/ACL tab. You can review the filter rules for returning traffic in the same way that you reviewed the rules for the originating traffic. This window displays all ACL entries that have been applied to the outside interface in the inbound direction (ACL 101). The ACL permits ICMP echo-reply, time-exceeded, and unreachable messages that are destined to the outside router interface (200.0.0.1) and blocks packets sourced from private address ranges, the broadcast address, and the 0.0.0.0 address. The final entry denies and logs all other packets.

Resulting Basic Firewall Inspection Rule Configuration
Another verification method that you can use is to check the commands that have been applied to the router using the CLI. Figure shows a configuration that has been generated by the SDM. The SDM_LOW predefined rule inspects all protocols that are commonly used in enterprise networks. This group includes cuseeme, dns, ftp, h323, https, icmp, imap, pop3, netshow, rcmd, realaudio, rtsp, esmtp, sqlnet, streamworks, tftp, tcp, udp, and vdolive. TCP, UDP, and ICMP receive generic inspection, while the remaining protocols require enhanced application awareness.

Resulting Basic Firewall ACL Configuration
Figure shows two ACLs that the Basic Firewall Configuration wizard has generated and will apply to the router interfaces. The resulting ACLs filter the traffic in this way:

- ACL 100 is applied inbound to the inside interface. This ACL prevents spoofing by denying packets that are sourced from the 200.0.0.0/30 network, which is configured on the outside interface. The ACL also blocks packets that are sourced from the broadcast address and the 127.0.0.0/8 network, and permits all other traffic.
- ACL 101 is applied in the inbound direction to the outside interface. The ACL permits ICMP echo-reply, time-exceeded, and unreachable messages destined to the outside router interface (200.0.0.1) and blocks packets that are sourced from private address ranges, the broadcast address, and the 0.0.0.0 address. The final entry denies and logs all other packets.
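The following is an added example, not part of the course text and not Cisco SDM output, that serves both the SDM_LOW inspection rule section above and the two ACL descriptions just given. It parses Cisco-style numbered extended ACL lines into a small evaluator, runs sample packets through ACL 100 and ACL 101 with first-match semantics and the implicit trailing deny, and then models the interaction with inspection: a session opened by inside-originated traffic permits the matching return packet even though the static ACL 101 would deny it. The ACL lines are reconstructed from the prose description of ACL 100 and ACL 101 (a real SDM-generated configuration may contain further entries), and the addresses and ports in the sample packets are constructed.

```python
"""Added example: evaluator for the Basic Firewall ACLs plus a toy model of
stateful inspection. ACL text is reconstructed from the prose, not copied
from the course figure."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SDM_ACL_TEXT = """
access-list 100 deny ip 200.0.0.0 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit icmp any host 200.0.0.1 echo-reply
access-list 101 permit icmp any host 200.0.0.1 time-exceeded
access-list 101 permit icmp any host 200.0.0.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str]     # e.g. "echo-reply"; None matches any type
    log: bool


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard mask is the bitwise inverse of the subnet mask.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_ace(line):
    """Parse one 'access-list N action proto src dst [icmp-type] [log]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    icmp_type, log = None, False
    while i < len(t):
        if t[i] == "log":
            log = True
        elif proto == "icmp" and icmp_type is None:
            icmp_type = t[i]
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
        i += 1
    return number, Ace(action, proto, src, dst, icmp_type, log)


def load_acls(text):
    acls = {}
    for line in text.strip().splitlines():
        number, ace = parse_ace(line.strip())
        acls.setdefault(number, []).append(ace)
    return acls


def ace_matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ace.src
            and ipaddress.ip_address(pkt["dst"]) in ace.dst
            and (ace.icmp_type is None or ace.icmp_type == pkt.get("icmp_type")))


def evaluate(acl, pkt):
    """First matching entry decides; unmatched packets hit the implicit
    'deny ip any any' (not logged). Returns (action, logged)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.log
    return "deny", False


ACLS = load_acls(SDM_ACL_TEXT)


class Inspection:
    """Toy stateful inspection: inside-originated sessions permit their
    return traffic on the outside interface ahead of the static ACL 101."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt):
        """Packet entering the inside interface: ACL 100, then record session."""
        action, _ = evaluate(ACLS["100"], pkt)
        if action == "permit":
            self.sessions.add((pkt["proto"], pkt["src"], pkt.get("sport"),
                               pkt["dst"], pkt.get("dport")))
        return action

    def inbound(self, pkt):
        """Packet entering the outside interface. Returns (action, logged)."""
        reverse = (pkt["proto"], pkt["dst"], pkt.get("dport"),
                   pkt["src"], pkt.get("sport"))
        if reverse in self.sessions:
            return "permit", False
        return evaluate(ACLS["101"], pkt)
```

Running the sample packets through `evaluate` shows the ordering that matters for detection: a packet from a private range arriving on the outside interface is dropped by an earlier, unlogged entry, so only traffic that falls through to the final `deny ip any any log` produces a log message. The `Inspection` class is a deliberately minimal stand-in for CBAC; real inspection tracks TCP state and protocol-specific channels (such as FTP data connections) rather than a bare five-tuple.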
Resulting Basic Firewall Interface Configuration

Figure shows the configured ACLs and inspection rules that the Basic Firewall Configuration wizard applies to the router interfaces.

Note
SDM applies