Implementing Secure Converged Wide Area Networks (ISCW)

Module 6: Cisco IOS Threat Defense Features

Lesson 6.3: Basic and Advanced Firewall Wizards

Objectives
  • Describe the Security Device Manager (SDM) and how it is used in firewall configuration.
  • Describe how to use the Basic and Advanced Firewall wizards in SDM to configure a firewall.
  • Explain how to review and modify the configuration generated by the SDM.
  • Explain how to enable logging in order to view firewall activity within SDM.
Basic and Advanced Firewall Wizards
  • SDM offers configuration wizards to simplify Cisco IOS Firewall configuration.
  • Two configuration wizards exist:
    • Basic Firewall Configuration wizard:
      • Supports two interface types (inside and outside)
      • Applies predefined rules
    • Advanced Firewall Configuration wizard:
      • Supports more interfaces (Inside, Outside, and DMZ)
      • Applies predefined or custom rules
Resulting Basic Firewall Inspection Rule Configuration

Router#show running-config | include ip inspect name
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive

Resulting Basic Firewall ACL Configuration

Router#show running-config | include access-list
access-list 100 remark autogenerated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 200.0.0.0 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark autogenerated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any host 200.0.0.1 echo-reply
access-list 101 permit icmp any host 200.0.0.1 time-exceeded
access-list 101 permit icmp any host 200.0.0.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log

Resulting Basic Firewall Interface Configuration

Router#show running-config | begin interface
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 100 in
!
interface Serial0/0/0
 description $FW_OUTSIDE$
 ip address 200.0.0.1 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
!
<...rest of output removed...>

Resulting Advanced Firewall Inspection Rule Configuration

Router#show running-config | include ip inspect name
ip inspect name appfw_100 tcp audit-trail on
ip inspect name appfw_100 udp
ip inspect name appfw_100 ftp
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp

Resulting Advanced Firewall ACL Configuration

Router#show running-config | include access-list
access-list 100 remark autogenerated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 200.0.0.0 0.0.0.3 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark autogenerated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip any any log
access-list 102 remark autogenerated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 permit icmp any host 200.0.0.1 echo-reply
access-list 102 permit icmp any host 200.0.0.1 time-exceeded
access-list 102 permit icmp any host 200.0.0.1 unreachable
access-list 102 permit tcp any host 192.168.0.2 eq www
access-list 102 permit udp any host 192.168.0.3 eq isakmp
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
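Reading the generated lists: the inside ACL (100) only blocks packets that spoof the WAN link, loopback or broadcast sources and then permits everything; the outside ACL (101 in the basic wizard, 102 here) permits the listed ICMP replies to the router's own address and, in the advanced case, the published DMZ services, and ends with deny ip any any log. Return traffic for sessions started from the inside therefore gets in only because the ip inspect rule opens it dynamically, which is why the inspection rule and the ACL have to be reviewed together. The script below is an added example, not SDM or Cisco IOS code: it parses the ACL grammar used in this output (any, host, wildcard masks, eq with a port name or number, ICMP type keywords, log), evaluates constructed packets with first-match semantics and an implicit deny, and models the inspection state table in a simplified form (a session seen leaving admits its exact reverse five-tuple; real CBAC also tracks TCP state, FTP data channels and idle timeouts). The ACL text is an abridged copy of ACL 102 above; the addresses 203.0.113.10 and 198.51.100.7 and all ports are constructed.

```python
"""Added example (not IOS/SDM code): SDM-style ACL evaluation plus a CBAC-like state table."""
import ipaddress
from dataclasses import dataclass

ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}  # keywords used by SDM
PORT_NAMES = {"www": 80, "isakmp": 500}
# Constructed, abridged copy of the advanced wizard's outside ACL 102 shown above.
ACL_102 = """
access-list 102 remark autogenerated by SDM firewall configuration
access-list 102 deny ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 permit icmp any host 200.0.0.1 echo-reply
access-list 102 permit icmp any host 200.0.0.1 unreachable
access-list 102 permit tcp any host 192.168.0.2 eq www
access-list 102 permit udp any host 192.168.0.3 eq isakmp
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log
"""

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0  # for icmp: the ICMP type number

def _addr(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD'; return ((base, mask), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    mask = ~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF  # wildcard bits -> mask
    return (int(ipaddress.IPv4Address(tokens[0])) & mask, mask), tokens[2:]

def _in(ip, spec):
    return int(ipaddress.IPv4Address(ip)) & spec[1] == spec[0]

def parse_acl(text):
    """Parse 'access-list N ...' lines into (action, proto, src, dst, port, log) tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[2] == "remark":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        port = None  # destination port (tcp/udp) or ICMP type; None matches anything
        if rest and rest[0] == "eq":
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
            rest = rest[2:]
        elif rest and rest[0] in ICMP_TYPES:
            port, rest = ICMP_TYPES[rest[0]], rest[1:]
        aces.append((action, proto, src, dst, port, "log" in rest))
    return aces

def evaluate(aces, pkt):
    """First matching entry decides; falling off the end is the implicit deny."""
    for action, proto, src, dst, port, log in aces:
        if proto not in ("ip", pkt.proto):
            continue
        if not (_in(pkt.src, src) and _in(pkt.dst, dst)):
            continue
        if port is not None and port != pkt.dport:
            continue
        return action + (" log" if log else "")
    return "deny"

class Inspector:
    """CBAC-like state: sessions seen leaving admit their return traffic, nothing else."""
    def __init__(self, protocols):
        self.protocols, self.sessions = set(protocols), set()
    def outbound(self, pkt):  # called for traffic the 'ip inspect' rule sees leaving
        if pkt.proto in self.protocols:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    def is_return(self, pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def inbound_decision(aces, insp, pkt):  # outside interface, inbound direction
    return "permit (inspect)" if insp.is_return(pkt) else evaluate(aces, pkt)

def demo():
    aces = parse_acl(ACL_102)
    insp = Inspector(["tcp", "udp"])  # appfw_100 inspects tcp and udp (ftp omitted here)
    insp.outbound(Packet("tcp", "10.1.1.5", "203.0.113.10", 51000, 443))
    return {
        "return_syn_ack": inbound_decision(aces, insp, Packet("tcp", "203.0.113.10", "10.1.1.5", 443, 51000)),
        "unsolicited_syn": inbound_decision(aces, insp, Packet("tcp", "203.0.113.10", "10.1.1.5", 40000, 445)),
        "spoofed_inside_src": inbound_decision(aces, insp, Packet("tcp", "10.1.1.9", "10.1.1.5", 1, 80)),
        "dmz_web": inbound_decision(aces, insp, Packet("tcp", "198.51.100.7", "192.168.0.2", 33000, 80)),
        "dmz_ssh": inbound_decision(aces, insp, Packet("tcp", "198.51.100.7", "192.168.0.2", 33001, 22)),
        "echo_reply": inbound_decision(aces, insp, Packet("icmp", "198.51.100.7", "200.0.0.1", 0, 0)),
        "echo_request": inbound_decision(aces, insp, Packet("icmp", "198.51.100.7", "200.0.0.1", 0, 8)),
    }
```

Calling demo() shows the split a reviewer should expect: the SYN-ACK for the inside host's session is admitted by the inspection table, HTTP to the DMZ web server is admitted by an explicit ACE, and everything else (an unsolicited SYN to the inside, SSH to the DMZ host, an echo request to the router) falls to the final deny ip any any log, while a packet arriving from outside with an inside source address is dropped silently by the anti-spoofing entry near the top. Feeding the basic wizard's ACL 101 into parse_acl works the same way, minus the DMZ permits.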

Resulting Advanced Firewall Interface Configuration

Router#show running-config | begin interface
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 100 in
 ip inspect appfw_100 in
!
interface FastEthernet0/1
 description $FW_DMZ$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 101 in
 ip inspect dmzinspect out
!
interface Serial0/0/0
 description $FW_OUTSIDE$
 ip address 200.0.0.1 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
!
<...rest of the output removed...>
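The ip verify unicast reverse-path line on Serial0/0/0 is strict unicast RPF: the router looks up the packet's source address in its routing table and drops the packet unless the best route back to that source leaves through the interface the packet arrived on. It complements the static anti-spoofing entries in the outside ACL because it is derived from the routing table rather than from a fixed list of prefixes. The following is an added example in Python, not Cisco IOS code; the routing table (inside and DMZ prefixes, the WAN link, and a default route out Serial0/0/0) is constructed from the page's topology. Whether a default route may satisfy the check depends on the command form (the newer ip verify unicast source reachable-via syntax has an explicit allow-default keyword), so that behaviour is a parameter here and should be confirmed on the platform rather than assumed.

```python
"""Added example (not IOS code): a model of strict uRPF as enabled by 'ip verify unicast reverse-path'."""
import ipaddress

# Constructed routing table for the page's topology; the default route is an assumption.
ROUTES = [
    ("10.1.1.0/24", "FastEthernet0/0"),
    ("192.168.0.0/24", "FastEthernet0/1"),
    ("200.0.0.0/30", "Serial0/0/0"),
    ("0.0.0.0/0", "Serial0/0/0"),
]

def best_route(addr, routes=ROUTES):
    """Longest-prefix match; returns (network, interface) or None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict(src, ingress, routes=ROUTES, allow_default=True):
    """Strict uRPF: pass only if the best route back to src leaves via the ingress interface.

    allow_default decides whether a default route may validate a source; this is a
    modelling assumption, since IOS exposes it as a keyword on the newer command form.
    """
    route = best_route(src, routes)
    if route is None:
        return False
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress

def demo():
    """Sources arriving on the outside interface (Serial0/0/0), plus one inside case for contrast."""
    return {
        "spoofed_inside_src": urpf_strict("10.1.1.5", "Serial0/0/0"),      # route points inside -> drop
        "spoofed_dmz_src": urpf_strict("192.168.0.2", "Serial0/0/0"),      # route points to DMZ -> drop
        "isp_peer_src": urpf_strict("200.0.0.2", "Serial0/0/0"),           # WAN link prefix -> pass
        "internet_src": urpf_strict("198.51.100.7", "Serial0/0/0"),        # via default route -> pass
        "internet_src_no_default": urpf_strict("198.51.100.7", "Serial0/0/0", allow_default=False),
        # The wizard enables uRPF only on the outside interface; shown for contrast.
        "inside_host_on_lan": urpf_strict("10.1.1.5", "FastEthernet0/0"),
    }
```

The two spoofed cases are exactly the packets the outside ACL also denies by prefix; uRPF catches them even if the ACL is later edited, and it also catches sources in any other prefix that the routing table says lives behind the inside or DMZ interfaces. The asymmetric-routing caveat applies: strict mode on a router with more than one path to the same source will drop legitimate traffic, which is why SDM enables it only on the single outside interface.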

Summary
  • Cisco Security Device Manager (SDM), a GUI-based configuration and management tool for Cisco IOS routers, offers a simple way to set up the Cisco IOS Firewall.
  • The Basic Firewall Configuration wizard applies default access rules to both the inside and outside interfaces, applies a default inspection rule (SDM_LOW) outbound on the outside interface, and enables IP unicast reverse path forwarding (uRPF) on the outside interface. Because the outside ACL ends with deny ip any any log, inbound traffic other than the listed ICMP replies reaches the inside only through sessions the inspection rule has opened, so the ACL and the inspection rule must be reviewed together.
  • The Advanced Firewall Configuration wizard applies default or custom access rules, as well as default or custom inspection rules, to the inside, outside, and DMZ interfaces; services published from the DMZ (here HTTP to 192.168.0.2 and ISAKMP to 192.168.0.3) appear as explicit permit entries in the outside ACL. The Advanced Firewall Configuration wizard also enables uRPF on the outside interface.
Resources
  • Cisco Router and Security Device Manager Introduction
    • http://cisco.com/en/US/partner/products/sw/secursw/ps5318/index.html
  • Cisco Router and Security Device Manager Support
    • http://cisco.com/en/US/partner/products/sw/secursw/ps5318/tsd_products_support_series_home.html
  • Cisco Router and Security Device Manager User Guides
    • http://cisco.com/en/US/partner/products/sw/secursw/ps5318/products_user_guide_list.html