the inspection rule to the outside interface in the outbound direction, although it was previously stated that applying inspection rules in the inbound direction provides the most clarity. That recommendation is especially valid in environments with many interfaces and multiple flows. The SDM Basic and Advanced Firewall wizards operate in relatively simple environments, so the initial recommendation is not followed. In addition to the ACLs and inspection rules that apply to the respective interfaces, unicast reverse path forwarding is enabled on the outside interface.

Note
In an Internet environment, the functionality of unicast reverse path forwarding depends on the existence of a default route (0.0.0.0 0.0.0.0). If there is no default route and a packet arrives from a source address that has no matching route in the routing table, the unicast reverse path forwarding feature drops the packet.
6.3 Basic and Advanced Firewall Wizards

6.3.3 Configuring Interfaces on an Advanced Firewall

The figure shows the Advanced Firewall Configuration wizard. To launch the Advanced Firewall Configuration wizard, follow this procedure:

Step 1 Click the Configure icon in the top navigation bar to enter the configuration page.
Step 2 Click the Firewall and ACL icon in the left vertical navigation bar.
Step 3 Select Advanced Firewall on the Create Firewall tab.
Step 4 Click Launch the selected task to proceed to the next window.

A window opens describing the objective of the Advanced Firewall Configuration wizard. Click Next.

Advanced Firewall Interface Configuration
The figure shows the Advanced Firewall Interface Configuration window. In this window, identify the outside (untrusted) and inside (trusted) interfaces by checking their check boxes in the appropriate column, and identify the DMZ interface by choosing it from the DMZ Interface (Optional) drop-down list. In addition, you can check the Allow secure SDM access from outside interfaces check box. Checking this option allows HTTPS connectivity to the router from the untrusted domain; plain HTTP is still denied from outside. Click Next to proceed to the Advanced Firewall DMZ Service Configuration window. You will receive a warning that you will not be able to launch SDM via the outside interface (in this case Serial0/0/0) unless that option was checked.
6.3 Basic and Advanced Firewall Wizards

6.3.4 Configuring a DMZ on an Advanced Firewall

The figure shows the Advanced Firewall DMZ Service Configuration window. In this window, you define the DMZ services that should be accessible from the outside network. Typically, this is where you include information about public web, mail, and FTP servers, as well as virtual private network (VPN) site-to-site and remote-access devices. Click the Add button to define a DMZ service.

Advanced Firewall DMZ Service Configuration: TCP
The figure shows the Advanced Firewall DMZ Service Configuration TCP dialog box. This dialog box is where you optionally specify which TCP services are hosted on servers attached to the DMZ interface. When you click the Add button on the Advanced Firewall DMZ Service Configuration page, the DMZ Service Configuration window appears. You must provide the server addresses and select the DMZ services, either by choosing from the list of well-known services or by manually specifying the port number. The figure shows the configuration for access to the web server running on server 192.168.0.2, port TCP/80 (identified as the www service).

Advanced Firewall DMZ Service Configuration: UDP
The figure shows the Advanced Firewall DMZ Service Configuration UDP dialog box. In this dialog box, you optionally specify which UDP services are hosted on servers that are attached to the DMZ interface. In the figure, Internet Security Association and Key Management Protocol (ISAKMP) connectivity (UDP port 500) to the VPN server at address 192.168.0.3 is permitted.

Note
ISAKMP is the VPN protocol that negotiates the parameters used to encrypt and authenticate data when the IPsec VPN tunnel is established. The data that traverses the tunnel is encrypted using the Encapsulating Security Payload (ESP) protocol within IPsec. Because ESP is not session-oriented, return ESP traffic cannot be dynamically permitted by the firewall inspection engine. In such a scenario, you have to explicitly permit inbound ESP traffic to the VPN server in the customization phase.

The figure shows the Advanced Firewall DMZ Service Configuration GUI listing the currently configured services. After including all TCP and UDP services that are running on hosts attached to the DMZ interface in the Advanced Firewall DMZ Service Configuration window, click the Next button to proceed to the next task.
6.3 Basic and Advanced Firewall Wizards

6.3.5 Advanced Firewall Security Configuration

After completing the DMZ service configuration and clicking Next, the Advanced Firewall Security Configuration window appears (see the figure). This window is where you define the inspection granularity for services that run in the DMZ. You have the option of choosing the default SDM application security policy by selecting Use a default SDM Application Security Policy and modifying the existing security level, or you can choose to use a custom policy. You can preview the commands that constitute the SDM default policy by clicking the Preview Commands button. If you want to use a custom policy, you must either create a new policy or select an existing one. In this example, no custom policies exist, so you need to create one by choosing the Create a new policy option.

Advanced Firewall Protocols and Applications
When defining a custom application security policy, you select the applications that the firewall should inspect. The figure shows the Advanced Firewall Protocols and Applications form. The applications are grouped into categories that are listed on the left side of the Application Security window. Browse through the menu and select the protocols and applications that you want the firewall to inspect. The figure shows that you can enable generic inspection for the TCP and UDP protocols; this inspection is applied in the inbound direction on the inside interface. In addition to the generic TCP and UDP inspection, you can activate inspection for FTP, as in the example in the figure. FTP inspection is likewise applied in the inbound direction on the inside interface.

Advanced Firewall Inspection Parameters
You can modify the inspection parameters by clicking the Edit button in the upper-right corner of the Application Security window. The figure shows the Edit Inspection Rule form that appears. The parameters that you can modify are alerts, audit trail, and timeout, and also whether local router traffic should be inspected. You can set those parameters for each inspected protocol. In this example, you keep most parameters unchanged and enable the audit trail for TCP inspection. The audit trail is disabled by default; select On from the drop-down menu. Click OK twice to return to the main wizard thread.

Advanced Firewall Security Policy Selection
Next, you need to select the security policy that you want to deploy to the router. This action is performed in the screen shown in the figure. You confirm that your custom policy will be deployed by clicking the Use a custom Application Security Policy radio button and choosing the policy from the Policy Name drop-down list. If you configured several policies, you need to select which one to deliver to the router. Click Next to proceed to the next task.
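The following Cisco IOS configuration is an added example, not the output of the SDM wizard or the course's own material; it approximates what the wizard delivers for the scenario described in 6.3.4 and 6.3.5 (web server 192.168.0.2 on TCP/80, VPN server 192.168.0.3 on UDP/500 with the explicitly permitted ESP from the note, TCP/UDP/FTP inspection with the audit trail enabled for TCP only) together with the unicast reverse path forwarding and default route discussed at the start of this section. Serial0/0/0 as the outside interface comes from the page; the inside and DMZ interface names (FastEthernet0/0, FastEthernet0/1), the rule and ACL names (SDM_INSPECT, DMZ_SERVICES_IN) and the <outside-address> placeholder are assumptions.

```cisco
! Inspection rule produced by the custom application security policy.
! Audit trail is switched on for TCP only, matching the Edit Inspection
! Rule example; UDP and FTP keep the defaults (name SDM_INSPECT is assumed).
ip inspect name SDM_INSPECT tcp audit-trail on
ip inspect name SDM_INSPECT udp
ip inspect name SDM_INSPECT ftp
!
! Access list applied inbound on the outside interface (name is assumed).
! Only the services declared in the DMZ Service Configuration dialogs are
! opened statically. ESP is added by hand because it has no session state
! for the inspection engine to track; everything else is denied and logged.
ip access-list extended DMZ_SERVICES_IN
 permit tcp any host 192.168.0.2 eq www
 permit udp any host 192.168.0.3 eq isakmp
 permit esp any host 192.168.0.3
 ! HTTPS to the router itself, only if "Allow secure SDM access from
 ! outside interfaces" was checked (router address is a placeholder)
 permit tcp any host <outside-address> eq 443
 deny ip any any log
!
! Default route that unicast reverse path forwarding depends on; without
! it, sources with no matching route are dropped by the uRPF check.
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
interface Serial0/0/0
 description Outside (untrusted) interface from the wizard example
 ip access-group DMZ_SERVICES_IN in
 ip verify unicast source reachable-via rx
!
interface FastEthernet0/0
 description Inside (trusted) interface; name is an assumption
 ip inspect SDM_INSPECT in
!
interface FastEthernet0/1
 description DMZ interface; name is an assumption
```

Sessions that inside hosts open toward the outside are tracked by SDM_INSPECT on the inside interface, so their return traffic is admitted through DMZ_SERVICES_IN dynamically; only the listed DMZ services, the ESP entry, and optional HTTPS management are admitted statically. Removing the ip route line while leaving ip verify unicast in place reproduces the behaviour described in the note: packets from any source not covered by a more specific route fail the reverse-path check and are discarded before the access list is evaluated.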
6.3 Basic and Advanced Firewall Wizards

6.3.6 Complete the Configuration