Why buy another expensive device if your router can also provide firewall functionality? Any "Firewall Feature Set" version of the Cisco IOS contains the IOS Firewall, a built-in firewall inside the Cisco router. Let's find out what the IOS Firewall can do and learn how to configure it.
Cisco previously referred to the IOS Firewall as Context-Based Access Control or CBAC, so don't let this throw you. A lot of books and videos out there still use this name, but the same features and commands apply.
The IOS Firewall is a stateful firewall that inspects TCP and UDP packets at the application layer of the OSI model. It watches the outgoing requests (usually to the Internet) and opens reciprocal, inbound ports for the return traffic. As a stateful firewall, the IOS Firewall maintains the state of each of the TCP connections; it allows return traffic back if it allowed it out and if it matches the state information stored for that TCP packet.
The IOS Firewall recognizes many different types of common TCP and UDP traffic, including SMTP, TFTP, FTP, and others. This is important because, as you know, many of these types of traffic aren't easy to write access control lists (ACLs) for. Those ACLs are open all the time unless you use the established keyword in your ACL. For example, FTP uses both ports 20 and 21 for data and control, and the IOS Firewall knows this.
The IOS Firewall offers these features:
- Traffic filtering: This isn't only at the port level but also at the application level.
- Traffic inspection: Considered a core firewall feature, this keeps the state of the TCP connection and prevents unauthorized access.
- Alerts and audit trails: This offers real-time alerts and syslog audit trails.
- Intrusion prevention: It includes an intrusion detection system that covers 59 of the most common attack signatures -- a very cool feature.
Why do I need an IOS Firewall if I have Cisco IOS ACLs?
Over the years, I've written a lot of articles about Cisco IOS ACLs. Every Cisco administrator out there needs to master ACLs because so many functions of the Cisco IOS use them.
In fact, to configure the IOS Firewall, you still need to understand how to use ACLs. Here are some resources to help boost your skills:
- Use advanced parameters on your Cisco IOS ACLs
- Cisco IOS access lists: 10 things you should know
- Video: Harden your Cisco Router with IOS ACLs
Configure the IOS FirewallTo begin, first make sure you have the proper IOS. If you have an IOS that includes the IOS Firewall, enter the ip inspect ? command at the Global Configuration Mode prompt, which will return a list of options, as shown in Figure A.
If the router returns the following, it means you don't have the IOS Firewall:
% Unrecognized Command
Let's configure the basic IOS Firewall traffic inspection and filtering. Please note that you should configure this first on a test system with test traffic -- an improperly configured firewall can halt all network communications.
Follow these steps:1. Choose an interface. To protect your network from the Internet, choose the external WAN public interface. 2. Configure and apply an ACL. (Here's one reason why knowing how to work with ACLs is so important.) This ACL should block everything you want to permit with the IOS Firewall. Here's the simplest example possible:
Router(config)# access-list 100 deny tcp any any
Router(config)# access-list 100 deny udp any anyRouter(config)# access-list 100 deny ip any any
Next, apply this to the external interface in the inbound direction, as shown below:
Router(config)# interface FastEthernet4 Router(config-if)# ip access-group 100 in3. Create your firewall inspection rule. Now you need to define what protocols to inspect and monitor the statefulness of with your firewall.
Let's say you want to monitor, inspect, and filter not only TCP and UDP but also Citrix ICA, Real Audio, and FTP. You would use these inspection rules:
Router(config)# ip inspect name myfirewall tcpNote: Some protocols use multiple port numbers, or the port numbers use a large range, which makes it more difficult when creating an ACL. However, because IOS Firewall works at the application layer, it can recognize these protocols much easier. 4. Apply the inspection rule. Next you need to apply the inspection rule to your interface in the out direction. This monitors the traffic that's going out and dynamically creates inbound openings in your ACL, which would otherwise deny the traffic. Here's an example:
Router(config)# ip inspect name myfirewall udp
Router(config)# ip inspect name myfirewall ica
Router(config)# ip inspect name myfirewall icabrowser
Router(config)# ip inspect name myfirewall realaudioRouter(config)# ip inspect name myfirewall ftp
Router(config-if)# ip inspect myfirewall out
At this point, your firewall should be active and working.5. Configure logging and auditing. Now you can configure logging and auditing of your firewall traffic. Assuming you've already configured logging, you could do something like this:
Router(config)# ip inspect audit-trail6. View the status of your firewall. Here are some of the commands you can use to verify the operation of the IOS Firewall:
- show ip access-lists (This should show you the dynamic ACL entries when the firewall is opening inbound ports for the return of outbound traffic.)
- show ip inspect name
- show ip inspect config
- show ip inspect interfaces
- show ip inspect all
Of course, the best way to really test your firewall is to perform a port scan from the outside (or Internet, in this case).
For more information on configuring the Cisco IOS Firewall, check out Cisco's official documentation: Configuring Cisco IOS Firewall (IOS 12.4).
The IOS Firewall is a very powerful feature that may already be available on your router. While this may not be a solution for Internet protection at very large enterprises, the IOS firewall is an excellent firewall for small and midsize businesses. To make IOS Firewall configuration even easier, you can also configure it with a GUI using Cisco's SDM Firewall Policy Wizard.
Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!