Protect your network with the Cisco IOS Firewall

Why buy another expensive device if your router can also provide firewall functionality? Any "Firewall Feature Set" version of the Cisco IOS contains the IOS Firewall, a built-in firewall inside the Cisco router. Find out what the IOS Firewall can do, and learn how to configure it.

Cisco previously referred to the IOS Firewall as Context-Based Access Control or CBAC, so don't let this throw you. A lot of books and videos out there still use this name, but the same features and commands apply.

The IOS Firewall is a stateful firewall that inspects TCP and UDP packets at the application layer of the OSI model. It watches outgoing requests (usually to the Internet) and opens reciprocal inbound ports for the return traffic. As a stateful firewall, the IOS Firewall maintains the state of each TCP connection; it lets return traffic back in only if it allowed the originating traffic out and the return packets match the state information stored for that connection.

The IOS Firewall recognizes many different types of common TCP and UDP traffic, including SMTP, TFTP, FTP, and others. This is important because, as you know, many of these types of traffic aren't easy to write access control lists (ACLs) for: ACL entries that permit them are open all the time unless you use the established keyword in your ACL. For example, FTP uses both ports 20 and 21 for data and control, and the IOS Firewall knows this.

The IOS Firewall offers these features:

  • Traffic filtering: This isn't only at the port level but also at the application level.
  • Traffic inspection: Considered a core firewall feature, this keeps the state of the TCP connection and prevents unauthorized access.
  • Alerts and audit trails: This offers real-time alerts and syslog audit trails.
  • Intrusion prevention: It includes an intrusion detection system that covers 59 of the most common attack signatures -- a very cool feature.

Why do I need an IOS Firewall if I have Cisco IOS ACLs?

Over the years, I've written a lot of articles about Cisco IOS ACLs. Every Cisco administrator out there needs to master ACLs because so many functions of the Cisco IOS use them.

In fact, to configure the IOS Firewall, you still need to understand how to use ACLs. Here are some resources to help boost your skills:

Configure the IOS Firewall

To begin, first make sure you have the proper IOS. If you have an IOS that includes the IOS Firewall, enter the ip inspect ? command at the Global Configuration Mode prompt, which will return a list of options, as shown in Figure A.

Figure A

If the router returns the following, it means you don't have the IOS Firewall:

% Unrecognized Command

Let's configure the basic IOS Firewall traffic inspection and filtering. Please note that you should configure this first on a test system with test traffic -- an improperly configured firewall can halt all network communications.

Follow these steps:

1. Choose an interface. To protect your network from the Internet, choose the external WAN public interface.

2. Configure and apply an ACL. (Here's one reason why knowing how to work with ACLs is so important.) This ACL should deny the traffic that you want the IOS Firewall to permit dynamically for inspected sessions. Here's the simplest example possible:

Router(config)# access-list 100 deny tcp any any
Router(config)# access-list 100 deny udp any any
Router(config)# access-list 100 deny ip any any

Next, apply this to the external interface in the inbound direction, as shown below:

Router(config)# interface FastEthernet4
Router(config-if)# ip access-group 100 in

3. Create your firewall inspection rule. Now you need to define which protocols your firewall inspects and keeps state for.

Let's say you want to monitor, inspect, and filter not only TCP and UDP but also Citrix ICA, Real Audio, and FTP. You would use these inspection rules:

Router(config)# ip inspect name myfirewall tcp
Router(config)# ip inspect name myfirewall udp
Router(config)# ip inspect name myfirewall ica
Router(config)# ip inspect name myfirewall icabrowser
Router(config)# ip inspect name myfirewall realaudio
Router(config)# ip inspect name myfirewall ftp

Note: Some protocols use multiple port numbers, or a large range of port numbers, which makes writing an ACL for them difficult. Because the IOS Firewall works at the application layer, it recognizes these protocols much more easily.

4. Apply the inspection rule. Next you need to apply the inspection rule to your interface in the out direction. This monitors the traffic that's going out and dynamically creates inbound openings in your ACL, which would otherwise deny the return traffic. Here's an example:

Router(config-if)# ip inspect myfirewall out

At this point, your firewall should be active and working.

5. Configure logging and auditing. Now you can configure logging and auditing of your firewall traffic. Assuming you've already configured logging, you could do something like this:

Router(config)# ip inspect audit-trail

6. View the status of your firewall. Here are some of the commands you can use to verify the operation of the IOS Firewall:
  • show ip access-lists (This should show you the dynamic ACL entries when the firewall is opening inbound ports for the return of outbound traffic.)
  • show ip inspect name
  • show ip inspect config
  • show ip inspect interfaces
  • show ip inspect all

Of course, the best way to really test your firewall is to perform a port scan from the outside (or Internet, in this case).
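To tie steps 1 through 6 together, here is an added example in Python (not code from the article or from Cisco): a small linter that parses a constructed IOS Firewall configuration fragment built from the commands above and checks the invariants the steps describe: the ACL is applied inbound on the outside interface and ends with deny ip any any, the inspect rule is applied on that interface in the opposite direction, and the rule covers the protocols you intended to inspect. The interface name FastEthernet4 and the rule name myfirewall come from the article; the configuration text itself is constructed.

```python
# Added example (not the article's code); SAMPLE_CONFIG is constructed from the steps above.
SAMPLE_CONFIG = """\
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 deny ip any any
ip inspect name myfirewall tcp
ip inspect name myfirewall udp
ip inspect name myfirewall ftp
interface FastEthernet4
 ip access-group 100 in
 ip inspect myfirewall out
"""

def parse_config(text):
    """Return (inspect rules, ACL entries, per-interface ACL/inspect bindings)."""
    rules, acls, ifaces, cur = {}, {}, {}, None
    for line in text.splitlines():
        w = line.split()
        if line.startswith(" ") and cur is not None and len(w) == 4:  # interface sub-command
            if w[:2] == ["ip", "access-group"]:
                cur["acl"] = (w[2], w[3])          # (ACL number, direction)
            elif w[:2] == ["ip", "inspect"]:
                cur["inspect"] = (w[2], w[3])      # (rule name, direction)
        elif w[:3] == ["ip", "inspect", "name"] and len(w) > 4:
            rules.setdefault(w[3], []).append(w[4])          # protocol added to the rule
        elif w[:1] == ["access-list"] and len(w) > 3:
            acls.setdefault(w[1], []).append((w[2], w[3]))   # (action, protocol)
        elif w[:1] == ["interface"] and len(w) > 1:
            cur = ifaces.setdefault(w[1], {})
    return rules, acls, ifaces

def lint(text, outside_if, required=("tcp", "udp")):
    """Return findings for the outside interface; an empty list means it passes."""
    rules, acls, ifaces = parse_config(text)
    binding = ifaces.get(outside_if, {})
    acl, insp = binding.get("acl"), binding.get("inspect")
    findings = []
    if acl is None or acl[1] != "in":
        findings.append(f"{outside_if}: no ACL applied inbound")
    elif acls.get(acl[0], [])[-1:] != [("deny", "ip")]:
        findings.append(f"ACL {acl[0]} does not end with 'deny ip any any'")
    if insp is None:
        findings.append(f"{outside_if}: no ip inspect rule applied")
    else:
        if acl is not None and insp[1] == acl[1]:
            findings.append(f"{outside_if}: ACL and inspect rule apply in the same direction")
        missing = [p for p in required if p not in rules.get(insp[0], [])]
        if missing:
            findings.append(f"inspect rule {insp[0]} missing protocols: {missing}")
    return findings
```

Run lint against the output of show running-config (saved to a file) with the name of your outside interface; any finding points at one of the steps above that is not in place.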

For more information on configuring the Cisco IOS Firewall, check out Cisco's official documentation: Configuring Cisco IOS Firewall (IOS 12.4).

Conclusion

The IOS Firewall is a very powerful feature that may already be available on your router. While it may not be a solution for Internet protection at very large enterprises, the IOS Firewall is an excellent firewall for small and midsize businesses. To make IOS Firewall configuration even easier, you can also configure it with a GUI using Cisco's SDM Firewall Policy Wizard.

14 comments
darks0ul

As far as I know, you have to configure first inspect ftp, inspect http, inspect smtp and so on, and finally inspect tcp.

Jon Irish

Does anyone know where I can find a complete list of the protocols, by name, that Cisco IOS recognizes? TIA, Jon

mmason

I believe there is an error with both the ACL and the inspect being on the same interface in the same direction. Networkers Session BRKSEC-3000. This is the most common TAC case in IOS FW deployments. It should be changed to ip inspect NAME out, I believe. Also, if you want to inspect HTTP generally, use ip inspect NAME tcp, not ip inspect NAME http.

phxbruzer

The best reason to purchase a separate firewall device is to have a separate layer of security, prior to a device that controls your network (i.e. an internal router). Now if you were going to use this router as a firewall and only a firewall then only use it as such.

3pdegeiso

Why do you need to create an ACL that blocks all traffic that you want to permit with the IOS firewall?

AYJE

You always impress me with your articles. This is something I did not know. Thank you, I will follow your advice and study more ACLs.

bstiff929

IOS Firewall has supported the entire PAM (Port-Application Mapping) list since 12.3(14)T, or so. Most of the apps listed, if requiring application-specific inspection (i.e. ftp, rtp, tftp) are supported. Some applications such as sftp are listed, but aren't fully supported in cases where data-channel connectivity is negotiated on an encrypted control channel.

JoeBeckner

Yes, mmason, I have set up dozens of these IOS firewalls and you are right the ACL and inspect should be in different data flow directions. The best implementation is to put the ACL inbound on the outside interface, and then put the inspection inbound on the inside interface. This way you protect the entire router/firewall on the outside interface, and the inspect inbound on the inside interface opens up for return traffic (based on source and destination ip address and tcp/udp port number) in the ACL on the inbound side of the outside interface.

mmason

Be aware that the DOS settings are maxed in 12.4(11)T and beyond. TAC was receiving too many cases with the default lower valued DOS settings.

tfskelly

Hello, I noticed the error in the article as well. I have an 871w at home, and have the ACL-in on the outside IF, and the inspect-out also on the outside interface. In the case of routers with only inside and outside interfaces, I suppose it doesn't matter where you place the inspect statement - on the inside-incoming or outside-outgoing. But what are the best practices for using inspect with multiple interfaces? If a router has dual Internet connections, or multiple internal subnets separated by ACLs, what guidelines should I use when choosing where to place the inspect statement?

Photogenic Memory

Can you please clarify? I'm a little confused? This is a Cisco appliance, right? Of course, so what did you mean about maxed out values? What did you mean?

Photogenic Memory

Thanks for the reply. I don't know what happened to me there, LOL!

JoeBeckner

The DOS mmason is referring to is Denial Of Service attack settings. Firewalls can be set to stop network attacks that generate thousands of half-open TCP and UDP connections per second on the network. The DOS setting referred to is setting the thresholds related to this feature. Most firewalls should have this feature; the IOS Firewall, PIX and ASA have it.
