the inspection rule to the outside interface in the outbound direction, although it was previously stated that applying inspection rules in the inbound direction provides the most clarity. That recommendation is especially valid in environments with many interfaces and multiple flows. The SDM Basic and Advanced Firewall wizards operate in relatively simple environments, so the initial recommendation is not followed. In addition to the ACLs and inspection rules that apply to the respective interfaces, unicast reverse path forwarding (uRPF) is enabled on the outside interface.
Note
In an Internet environment, the functionality of unicast reverse path forwarding depends on the existence of a default route (0.0.0.0 0.0.0.0). If there is no default route and a packet arrives from a source IP address for which the routing table has no matching route, the packet is dropped by the unicast reverse path forwarding feature.
6.3 Basic and Advanced Firewall Wizards
6.3.3 Configuring Interfaces on an Advanced Firewall

Figure shows the Advanced Firewall Configuration wizard. To launch the Advanced Firewall Configuration wizard, follow this procedure:

Step 1 Click the Configure icon in the top navigation bar to enter the configuration page.
Step 2 Click the Firewall and ACL icon in the left vertical navigation bar.
Step 3 Select Advanced Firewall on the Create Firewall tab.
Step 4 Click Launch the selected task to proceed to the next window.

A window opens describing the objective of the Advanced Firewall Configuration wizard. Click Next.

Advanced Firewall Interface Configuration
Figure shows the Advanced Firewall Interface Configuration window. In this window, identify the outside (untrusted) and the inside (trusted) interfaces by checking their check boxes in the appropriate column, and the DMZ interface by choosing the interface from the DMZ Interface (Optional) drop-down list. In addition, you can check the Allow secure SDM access from outside interfaces check box. Checking this option allows HTTPS connectivity from the untrusted domain; HTTP will be denied from outside. Click Next to proceed to the Advanced Firewall DMZ Service Configuration window. You will receive a warning that you will not be able to launch the SDM via the outside interface, in this case Serial0/0/0.
6.3.4 Configuring a DMZ on an Advanced Firewall

Figure shows the Advanced Firewall DMZ Service Configuration window. In this window, you can define DMZ services that should be accessible from the outside network. Typically, this is where you include information about public web, mail, and FTP servers, as well as virtual private network (VPN) site-to-site and remote access devices. Click the Add button to define a DMZ service.
Advanced Firewall DMZ Service Configuration: TCP

Figure shows the Advanced Firewall DMZ Service Configuration TCP dialog box. This dialog box is where you optionally specify which TCP services are hosted on servers attached to the DMZ interface. When you click the Add button in the Advanced Firewall DMZ Service Configuration page, the DMZ Service Configuration window appears. You must provide the server addresses and select the DMZ services either by clicking the list of well-known services or by manually specifying the port number. Figure shows the configuration for access to the web server running on server 192.168.0.2, port TCP/80 (identified as the www service).

Advanced Firewall DMZ Service Configuration: UDP
Figure shows the Advanced Firewall DMZ Service Configuration UDP dialog box. In this dialog box you optionally specify which UDP services are hosted on servers that are attached to the DMZ interface. In Figure, Internet Security Association and Key Management Protocol (ISAKMP) connectivity (UDP port 500) to the VPN server using the address 192.168.0.3 is permitted.

Note
ISAKMP is the VPN protocol that negotiates the parameters that will be used to encrypt and authenticate data when the IPsec VPN tunnel is established. The data that traverses the tunnel is encrypted using the Encapsulating Security Payload (ESP) protocol within IPsec. Because ESP is not session-oriented, return ESP traffic cannot be dynamically permitted by the firewall engine. In such a scenario, you must explicitly permit inbound ESP traffic in the customization phase.

Figure shows the Advanced Firewall DMZ Service Configuration GUI listing the currently configured services. After including all TCP and UDP services that are running on hosts attached to the DMZ interface in the Advanced Firewall DMZ Service Configuration window, click the Next button to proceed to the next task.
6.3.5 Advanced Firewall Security Configuration

After completing the DMZ service configuration and clicking Next, the Advanced Firewall Security Configuration window appears (Figure). This window is where you define the inspection granularity for services that run in the DMZ. You have the option of choosing the default SDM application security policy by selecting Use a default SDM Application Security Policy and modifying the existing security level, or you can choose to use a custom policy. You can preview the commands that constitute the SDM default policy by clicking the Preview Commands button. If you want to use a custom policy, you must either create a new policy or select an existing one. In this example, no custom policies exist, so you need to create a custom policy by choosing the Create a new policy option.

Advanced Firewall Protocols and Applications
When defining a custom application security policy, you can select applications that should be inspected by the firewall. Figure shows the Advanced Firewall Protocols and Applications form. The applications are grouped into categories that are listed on the left side of the Application Security window:

- E-mail
- Instant Messaging (IM)
- Peer-to-Peer (P2P)
- HTTP
- Applications / Protocols, which includes the subcategories General, Network Services, Applications, Voice, Multimedia, IPsec/VPN, Wireless, and User Defined

Browse through the menu and select the protocols and applications that you want the firewall to inspect. In Figure, the example shows that you can enable generic inspection for the TCP and UDP protocols. This inspection will be applied in the inbound direction to the inside interface. In addition to the generic TCP and UDP inspection, you can activate inspection for FTP, as in the example in Figure. This inspection will also be applied in the inbound direction to the inside interface.
Advanced Firewall Inspection Parameters

You can modify the inspection parameters by clicking the Edit button in the upper-right corner of the Application Security window. Figure shows the Edit Inspection Rule form that appears. The parameters that you can modify are alerts, audit, and timeout, and also whether local router traffic should be inspected. You can set those parameters for each inspected protocol. In this example, you want to keep most parameters unchanged and enable the audit trail for TCP inspection. The audit trail is disabled by default; select On from the drop-down menu. Click OK twice to return to the main wizard thread.

Advanced Firewall Security Policy Selection

Next, you need to select the security policy that you want to deploy to the router. This action is performed in the screen that appears in Figure. You can verify that your custom policy will be deployed by clicking the Use a custom Application Security Policy radio button and choosing the policy from the Policy Name drop-down list. If you configured several policies, you need to select which policy to deliver to the router. Click Next to proceed to the next task.
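The following IOS CLI fragment is an added example of what the wizard choices described in 6.3.4 and 6.3.5 amount to on the router (DMZ web server TCP/80 on 192.168.0.2, ISAKMP to 192.168.0.3 with ESP permitted explicitly, generic TCP/UDP and FTP inspection inbound on the inside interface with the TCP audit trail on, and uRPF on the outside interface). It is not the output SDM generates; the inspection and ACL names, the inside and DMZ interface names and the DMZ subnet are assumptions, only Serial0/0/0 comes from the text.

```cisco
! Constructed example, not SDM-generated output. Names other than
! Serial0/0/0 and the two DMZ server addresses are assumptions.
!
! Inspection rule: generic TCP with audit trail enabled (the Edit
! Inspection Rule setting above), generic UDP, and FTP inspection.
ip inspect name CUSTOM_POLICY tcp audit-trail on
ip inspect name CUSTOM_POLICY udp
ip inspect name CUSTOM_POLICY ftp
!
! Outside-inbound ACL: only the published DMZ services are allowed in.
! ESP is not session-oriented, so the inspection engine cannot open it
! dynamically; it has to be permitted statically, as the Note explains.
ip access-list extended OUTSIDE_IN
 remark DMZ web server (www service, TCP/80)
 permit tcp any host 192.168.0.2 eq www
 remark DMZ VPN server: ISAKMP (UDP/500) plus ESP for tunnel data
 permit udp any host 192.168.0.3 eq isakmp
 permit esp any host 192.168.0.3
 remark everything else from the untrusted side is dropped and logged
 deny ip any any log
!
interface Serial0/0/0
 description outside (untrusted)
 ip access-group OUTSIDE_IN in
 ! uRPF on the outside interface; allow-default lets the default route
 ! satisfy the source check (see the Note on 0.0.0.0 0.0.0.0 above).
 ip verify unicast source reachable-via rx allow-default
!
interface FastEthernet0/0
 description inside (trusted) - assumed interface name
 ip inspect CUSTOM_POLICY in
!
interface FastEthernet0/1
 description DMZ - assumed interface name and subnet
 ip address 192.168.0.1 255.255.255.0
```

The FastEthernet0/0 inspection entries are what let return traffic for inside-originated sessions pass OUTSIDE_IN; the DMZ interface would still need its own ACL and inspection policy for DMZ-originated flows, which the wizard steps covered here do not address.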
6.3.6 Complete the Configuration