This document provides an overview of firewall fundamentals and Cisco firewall solutions. It discusses the basics of standard and extended ACLs, stateful packet inspection, and zone-based policy firewalls. The key steps to configure Cisco's zone-based policy firewall using CLI are defined as: 1) create security zones, 2) define traffic classes with class-maps, 3) create policy maps to apply actions, and 4) apply policies to zone pairs and assign interfaces to zones.

1. 08- IOS Firewall Fundamentals
Ahmed Sultan
CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH
© 2009 Cisco Learning Institute. 1

2. ACL Topology and Types
© 2009 Cisco Learning Institute. 2

3. Standard Numbered IP ACLs
Router(config)# access-list {1-99} {permit | deny}
source-addr [source-mask]
• The first value specifies the ACL number
• The second value specifies whether to permit or deny the configured
source IP address traffic
• The third value is the source IP address that must be matched
• The fourth value is the wildcard mask to be applied to the previously
configured IP address to indicate the range
• All ACLs assume an implicit deny statement at the end of the ACL6+
• At least one permit statement should be included or all traffic will be
dropped once that ACL is applied to an interface
© 2009 Cisco Learning Institute. 3

4. Extended Numbered IP ACLs
Router(config)# access-list {100-199} {permit | deny}
protocol source-addr [source-mask] [operator operand]
destination-addr [destination-mask] [operator operand]
[established]
• The first value specifies the ACL number
• The second value specifies whether to permit or deny accordingly
• The third value indicates protocol type
• The source IP address and wildcard mask determine where traffic
originates. The destination IP address and wildcard mask are used
to indicate the final destination of the network traffic
• The command to apply the standard or extended numbered ACL:
Router(config-if)# ip access-group number {in | out}
© 2009 Cisco Learning Institute. 4

5. Named IP ACLs
Router(config)# ip access-list extended vachon1
Router(config-ext-nacl)# deny ip any 200.1.2.10
0.0.0.1
Router(config-ext-nacl)# permit tcp any host
200.1.1.11 eq 80
Router(config-ext-nacl)# permit tcp any host
200.1.1.10 eq 25
Router(config-ext-nacl)# permit tcp any eq 25 host
200.1.1.10 any established
Router(config-ext-nacl)# permit tcp any 200.1.2.0
0.0.0.255 established
Router(config-ext-nacl)# permit udp any eq 53
200.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# interface ethernet 1
Router(config-if)# ip access-group vachon1 in
Router(config-if)# exit
Standard
Extended
© 2009 Cisco Learning Institute. 5

6. Applying Standard ACLs
Use a standard ACL to block all traffic from
172.16.4.0/24 network, but allow all other traffic.
r1
R1(config)# access-list 1 deny
172.16.4.0 0.0.0.255
R1(config)# access-list 1 permit any
R1(config)# interface ethernet 0
R1(config-if)# ip access-group 1 out
© 2009 Cisco Learning Institute. 6

7. Applying Extended ACLs
Use an extended ACL to block all FTP traffic from
172.16.4.0/24 network, but allow all other traffic.
r1
R1(config)# access-list 101 deny tcp 172.16.4.0
0.0.0.255 172.16.3.0 0.0.0.255 eq 21
R1(config)# access-list 101 deny tcp 172.16.4.0
0.0.0.255 172.16.3.0 0.0.0.255 eq 20
R1(config)# access-list 101 permit ip any any
© 2009 Cisco Learning Institute. 7

8. Attacks Mitigated
ACLs can be used to:
• Mitigate IP address spoofing—inbound/outbound
• Mitigate Denial of service (DoS) TCP synchronizes (SYN) attacks—
blocking external attacks
• Mitigate DoS TCP SYN attacks—using TCP intercept
• Mitigate DoS smurf attacks
• Filter Internet Control Message Protocol (ICMP) messages—inbound
• Filter ICMP messages—outbound
• Filter traceroute
© 2009 Cisco Learning Institute. 8

9. Inbound
CLI Commands
R1(config)#access-list 150 deny ip 0.0.0.0 0.255.255.255 any
R1(config)#access-list 150 deny ip 10.0.0.0 0.255.255.255 any
R1(config)#access-list 150 deny ip 127.0.0.0 0.255.255.255 any
R1(config)#access-list 150 deny ip 172.16.0.0 0.15.255.255 any
R1(config)#access-list 150 deny ip 192.168.0.0 0.0.255.255 any
R1(config)#access-list 150 deny ip 224.0.0.0 15.255.255.255 any
R1(config)#access-list 150 deny ip host 255.255.255.255 any
Outbound
R1(config)#access-list 105 permit ip 192.168.1.0 0.0.0.255 any
© 2009 Cisco Learning Institute. 9

10. Allowing Common Services
R1
Internet
Serial 0/0/0
F0/0
R1
DNS, SMTP, FTP
192.168.20.2/24
F0/1
PC A
200.5.5.5/24
R1(config)#access-list 122 permit udp any host 192.168.20.2 eq domain
R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq smtp
R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq ftp
R1(config)#access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq telnet
R1(config)#access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq 22
R1(config)#access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq syslog
R1(config)#access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq snmptrap
© 2009 Cisco Learning Institute. 10

11. Controlling ICMP Messages
200.5.5.5/24
Inbound on S0/0/0
R1
Internet
Serial 0/0/0
F0/0
R1
192.168.20.2/24
F0/1
PC A
R1(config)#access-list 112 permit icmp any any echo-reply
R1(config)#access-list 112 permit icmp any any source-quench
R1(config)#access-list 112 permit icmp any any unreachable
R1(config)#access-list 112 deny icmp any any
Outbound on S0/0/0
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any echo
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any source-quench
© 2009 Cisco Learning Institute. 11

12. Firewalls
• A firewall is a system that enforces an access
control policy between network
• Common properties of firewalls:
- The firewall is resistant to attacks
- The firewall is the only transit point between networks
- The firewall enforces the access control policy
© 2009 Cisco Learning Institute. 12

13. Benefits of Firewalls
• Prevents exposing sensitive
hosts and applications to
untrusted users
• Prevent the exploitation of
protocol flaws by sanitizing the
protocol flow
• Firewalls prevent malicious
data from being sent to servers
and clients.
• Properly configured firewalls
make security policy
enforcement simple, scalable,
and robust.
• A firewall reduces the
complexity of security
management by offloading
most of the network access
control to a couple of points in
the network.
© 2009 Cisco Learning Institute. 13

14. Types of Filtering Firewalls
• Packet-filtering firewall—is typically a router that has the capability to
filter on some of the contents of packets (examines Layer 3 and
sometimes Layer 4 information)
• Stateful firewall—keeps track of the state of a connection: whether
the connection is in an initiation, data transfer, or termination state
• Application gateway firewall (proxy firewall) —filters information at
Layers 3, 4, 5, and 7. Firewall control and filtering done in software.
• Address-translation firewall—expands the number of IP addresses
available and hides network addressing design.
© 2009 Cisco Learning Institute. 14

15. Types of Filtering Firewalls
• Host-based (server and personal) firewall—a PC or server with
firewall software running on it.
• Transparent firewall—filters IP traffic between a pair of bridged
interfaces.
• Hybrid firewalls—some combination of the above firewalls. For
example, an application inspection firewall combines a stateful
firewall with an application gateway firewall.
© 2009 Cisco Learning Institute. 15

16. Packet-Filtering Firewall
• Are based on simple permit or deny rule set
• Have a low impact on network performance
• Are easy to implement
• Are supported by most routers
• Afford an initial degree of security at a low
network layer
• Perform 90% of what higher-end firewalls do, at
a much lower cost
© 2009 Cisco Learning Institute. 16

17. Stateful Firewall
10.1.1.1 200.3.3.3
source port 1500 destination port 80
Inside ACL
(Outgoing Traffic)
Outside ACL
(Incoming Traffic)
permit ip 10.0.0.0 0.0.0.255 any
Dynamic: permit tcp host 200.3.3.3
eq 80 host 10.1.1.1 eq 1500
permit tcp any host 10.1.1.2 eq 25
permit udp any host 10.1.1.2 eq 53
deny ip any any
© 2009 Cisco Learning Institute. 17

18. Cisco Systems Firewall Solutions
• IOS Firewall
–Zone-based policy framework for intuitive management
–Instant messenger and peer-to-peer application filtering
–VoIP protocol firewalling
–Virtual routing and forwarding (VRF) firewalling
–Wireless integration
–Stateful failover
–Local URL whitelist and blacklist support
–Application inspection for web and e-mail traffic
• PIX 500 Series
• ASA 5500 Series
© 2009 Cisco Learning Institute. 18

19. Design with DMZ
DMZ
Public-DMZ
Policy
Private-DMZ
DMZ-Private
Policy
Policy
Trusted Untrusted
Private-Public
Policy
Internet
© 2009 Cisco Learning Institute. 19

20. CBAC Example
© 2009 Cisco Learning Institute. 20

21. Configuration of CBAC
Four Steps to Configure
• Step 1: Pick an Interface
• Step 2: Configure IP ACLs at the Interface
• Step 3: Define Inspection Rules
• Step 4: Apply an Inspection Rule to an Interface
© 2009 Cisco Learning Institute. 21

22. Step 1: Pick an Interface
Two-Interface
Three-Interface
© 2009 Cisco Learning Institute. 22

23. Step 2: Configure IP ACLs
at the Interface
© 2009 Cisco Learning Institute. 23

24. Step 3: Define Inspection Rules
Router(config)#
ip inspect name inspection_name protocol [alert {on | off}] [audit-trail
{on | off}] [timeout seconds]
© 2009 Cisco Learning Institute. 24

25. Step 4: Apply an Inspection Rule
to an Interface
© 2009 Cisco Learning Institute. 25

26. Zone Based Firewall
Each zone holds only
one interface.
• If an additional interface is added to the private zone, the hosts
connected to the new interface in the private zone can pass traffic to
all hosts on the existing interface in the same zone.
• Additionally, hosts connected to the new interface in the private zone
must adhere to all existing “private” policies related to that zone when
passing traffic to other zones.
© 2009 Cisco Learning Institute. 26

27. Benefits
Two Zones
• Zone-based policy firewall is not dependent on ACLs
• The router security posture is now “block unless explicitly allowed”
• C3PL (Cisco Common Classification Policy Language) makes
policies easy to read and troubleshoot
• One policy affects any given traffic, instead of needing multiple
ACLs and inspection actions.
© 2009 Cisco Learning Institute. 27

28. Common Designs
LAN-to-Internet Public Servers
Redundant Firewalls Complex Firewall
© 2009 Cisco Learning Institute. 28

29. Actions
Inspect – This action configures Cisco IOS stateful packet inspection
Drop – This action is analogous to deny in an ACL
Pass – This action is analogous to permit in an ACL
© 2009 Cisco Learning Institute. 29

30. Manually Implementing Zone-based
Policy Firewall with CCP
• Step 1: Define zones
• Step 2: Configure class maps to describe traffic
between zones
• Step 3: Create policy maps to apply actions to
the traffic of the class maps
• Step 4: Define zone pairs and assign policy
maps to the zone pairs
© 2009 Cisco Learning Institute. 30

31. Implementing Zone-based Policy
Firewall with CLI
1. Create the zones for the firewall
with the zone security
command
3. Specify firewall policies with
the policy-map type
inspect command
2. Define traffic classes with the
class-map type inspect
command
4. Apply firewall policies to pairs of
source and destination zones with
zone-pair security
5. Assign router interfaces to zones using the zone-member security
interface command
© 2009 Cisco Learning Institute. 31

32. Step 1: Create the Zones
FW(config)# zone security Inside
FW(config-sec-zone)# description Inside network
FW(config)# zone security Outside
FW(config-sec-zone)# description Outside network
© 2009 Cisco Learning Institute. 32

33. Step 2: Define Traffic Classes
FW(config)# class-map type inspect FOREXAMPLE
FW(config-cmap)# match access-group 101
FW(config-cmap)# match protocol tcp
FW(config-cmap)# match protocol udp
FW(config-cmap)# match protocol icmp
FW(config-cmap)# exit
FW(config)# access-list 101 permit ip 10.0.0.0
0.0.0.255 any
© 2009 Cisco Learning Institute. 33

34. Step 3: Define Firewall Policies
FW(config)# policy-map type inspect InsideToOutside
FW(config-pmap)# class type inspect FOREXAMPLE
FW(config-pmap-c)# inspect
© 2009 Cisco Learning Institute. 34

35. Step 4: Assign Policy Maps to Zone Pairs
and Assign Router Interfaces to Zones
FW(config)# zone-pair security InsideToOutside source Inside
destination Outside
FW(config-sec-zone-pair)# description Internet Access
FW(config-sec-zone-pair)# service-policy type inspect
InsideToOutside
FW(config-sec-zone-pair)# interface F0/0
FW(config-if)# zone-member security Inside
FW(config-if)# interface S0/0/0.100 point-to-point
FW(config-if)# zone-member security Outside
© 2009 Cisco Learning Institute. 35