topic Re: Basic IOS firewall configuration in Network Security

Basic IOS firewall configuration

jamesitsolutions — Mon, 11 Mar 2019 17:42:42 GMT

Hi Guys, I have always trusted NAT as my firewall solutions but in the back of my head I've know this is unsecure.

While I don't want to restrict my users access to the Internet, I would like to make ports hidden on the Internet and secure the Internet connection as much as possible.

Also a quick explanation of the configuration would be much appreciated.

PS. It is unfortunate and a lacking area in the CCNA to cover ip inspect rules and simple adsl configurations

Re: Basic IOS firewall configuration

Federico Coto Fajardo — Sat, 08 May 2010 20:29:56 GMT

Andrew,

You are correct.

Many people misinterpret NAT as a security feature. NAT indeed hides the real IPs but it is not a security measure.

The IOS Firewall provides with a lot of security features like ACLs, inspection rules, IPS (although not recommended in software), content filtering, etc.

You can check most of you need here:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_data_sheet09186a0080117962.html

Federico.

Re: Basic IOS firewall configuration

jamesitsolutions — Sun, 09 May 2010 08:33:57 GMT

Sorry the forum lost my formatting (paragraphs) on my first post.

Anyway so far I have created the following and it appears to be working but I would like to confirm it is by what you guys can comment on, the configuration should block any incoming connections except those I allow but allow any outgoing connections and allow any incoming connections initated by a outgoing connection.

ip inspect name FIREWALL tcp

ip inspect name FIREWALL udp

interface Dialer1

ip access-group FIREWALL in

ip inspect FIREWALL out

ip access-list extended FIREWALL

permit tcp any any eq 3389

permit tcp any any eq 22

permit tcp any any eq smtp

permit tcp any any eq www

permit tcp any any eq pop3

permit tcp any any eq 443

permit tcp any any eq 1723

permit tcp any any eq 3390

permit tcp any any eq 4125

permit esp any any

permit udp any any eq isakmp

permit gre any any

deny tcp any any

deny udp any any

deny ip any any

Re: Basic IOS firewall configuration

Jennifer Halim — Sun, 09 May 2010 09:45:29 GMT

Yes, you are absolutely correct.

Re: Basic IOS firewall configuration

jamesitsolutions — Sun, 09 May 2010 09:48:54 GMT

Thank you for confirming would hate to apply it to one of my clients and find it blocks something... problem with small businesses is they don't want things blocked.

Is there any improvements you would make to make it more secure, with out blocking users from doing anything on the Internet?

Re: Basic IOS firewall configuration

Jennifer Halim — Sun, 09 May 2010 09:55:48 GMT

Base on the configuration posted, basically you are allowing all outbound traffic, however, restrict inbound traffic to the following: RDP, SSH, mail, web, PPTP, so I would assume that either you have a public ip address range for those servers' services, or you have configured static port address redirection to your Dialer interface ip address.

If you have a static public ip address, I would recommend that instead of configuring "permit tcp any any" on specific ports, I would tighten it even down as follows (assuming your public ip address is 200.1.1.1):

permit tcp any host 200.1.1.1 eq 3389

permit tcp any host 200.1.1.1 eq 22

...

Re: Basic IOS firewall configuration

jamesitsolutions — Sun, 09 May 2010 10:08:50 GMT

halijenn wrote:
Base on the configuration posted, basically you are allowing all outbound traffic, however, restrict inbound traffic to the following: RDP, SSH, mail, web, PPTP, so I would assume that either you have a public ip address range for those servers' services, or you have configured static port address redirection to your Dialer interface ip address.
If you have a static public ip address, I would recommend that instead of configuring "permit tcp any any" on specific ports, I would tighten it even down as follows (assuming your public ip address is 200.1.1.1):
permit tcp any host 200.1.1.1 eq 3389
permit tcp any host 200.1.1.1 eq 22
...
...

You are correct those ports are open and I use static NATs to route the ports to the correct devices behind the router. I also use a static public IP address, albit only 1 static IP.

What are the benefits of not using 'any' in the ACLs and using the static public IP address instead?

Also is there anyway on a 877 running 12.4 to detect port scans and other malicious activity?

Thank you for your help aswell

Re: Basic IOS firewall configuration

junshah22 — Sun, 09 May 2010 10:32:06 GMT

ip inspect name FIREWALL tcp

ip inspect name FIREWALL udp

interface Dialer1

ip access-group FIREWALL in

ip inspect FIREWALL out

ip access-list extended FIREWALL

permit tcp any any eq 3389

permit tcp any any eq 22

permit tcp any any eq smtp

permit tcp any any eq www

permit tcp any any eq pop3

permit tcp any any eq 443

permit tcp any any eq 1723

permit tcp any any eq 3390

permit tcp any any eq 4125

permit esp any any

permit udp any any eq isakmp

permit gre any any

deny tcp any any

deny udp any any

deny ip any any

Will it work on ASA 5510 ? .. it is not getting the command ip inspect....

Please advise

Re: Basic IOS firewall configuration

Jennifer Halim — Sun, 09 May 2010 10:40:56 GMT

The benefit would be to only allow connection towards the public ip address instead of towards any ip addresses in your internal network.

For example:

An attacker from the outside can go directly to your private ip address on those ports that you have opened if the attacker knows the private ip address range of your internal network. It's just an added security that you can implement to make it a little bit more secure.

With port scan, you would need to configure the IOS IPS feature set on your 877 router. Here is a bit more information on IOS IPS for your reference:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/product_data_sheet0900aecd803137cf.html

Hope that helps.

Re: Basic IOS firewall configuration

Jennifer Halim — Sun, 09 May 2010 10:42:09 GMT

Junaid,

Inspection in ASA firewall works a little bit differently. It is configured under policy-map.

Access-list needs to be applied to the interface using the access-group command.