Security

Secure your router with Cisco's SDM Firewall Policy Wizard

Figure B

A Cisco IOS router offers a great deal of configuration options when you enable the firewall. However, while this may offer a better sense of security, it can also be pretty overwhelming, thanks to the complexity of the configuration.

But the SDM Firewall Policy Wizard can help make things easier. For example, let's configure a basic firewall using this wizard. For this demonstration, I'm using a Cisco 871W router with SDM version 2.4. I also have installed Cisco IOS Advanced Security version 12.4(11)T1.

Using the Cisco SDM Firewall And ACL Task section, you can create new firewalls and ACLs as well as edit existing ones. SDM offers wizards to create either a Basic Firewall or Advanced Firewall. What's the difference? The Basic Firewall won't configure a DMZ for you, but the Advanced Firewall will.

Because I wasn't interested in creating a DMZ, I chose the Basic Firewall option. Figure B shows a screenshot of the first screen I saw.

This screen explains how the Basic Firewall Configuration Wizard applies its template policy to the inside and outside interfaces. The wizard will give you the opportunity to decide which interface is which. The new policy will inspect TCP, UDP, and other protocols that travel from the inside to the outside zone. It will block IM, P2P, MSN, Yahoo, and AOL IM traffic. It will also deny any unsolicited traffic coming into the outside interface.

7 comments
srjm
srjm

HI, I am trying to set up SDM on a 2801. When I get to Fig D medium and High are grayed out. How do I activate them?

estevaoberri
estevaoberri

How Can I disable firewall for msn and p2p?? I have a Cisco 877 with SDM 2.4

nmalik1664
nmalik1664

Can you download this program, and where would you download it from?

jkawyn
jkawyn

What dns server do i put in if im useing my router at home on roadrunner.

ddavis
ddavis

You would use your ISP's DNS Servers. Your PC or router will get this from DHCP, automatically, from the ISP (or at least you should). If your router does not, you can hook up your PC only, get the IP of the DNS server via DHCP, then connect the router and plug the IP in. I hope that helps! Thanks, David Davis Personal Website: www.HappyRouter.com

bstiff929
bstiff929

I see you did the walk-through on SDM 2.4, which defaults to Zone Firewall in the wizard (provided there's not already an 'ip inspect' firewall configured). Previous SDM versions included a firewall wizard, but they configured the classic FW. (SDM 2.4 was the first version to support the Zone-Based Policy Firewall). Many of the firewall configuration options must be found on the "additional tasks" section at the bottom of the left column. However, it beats configuring the Zone FW through the CLI...