Cisco configurations

One way IOS Firewall - classic configuration

This configuration shows a simple one-directional IOS Firewall configuration. Only traffic initiated from the internal network is allowed out to the Internet. All traffic initiated from the Internet is blocked.

The router is configured as a DHCP client on its external interface, and acts as a DHCP server on its internal interface.

Prerequisites:

  • This config uses IOS 12.4 Advanced Security, but it should also work with earlier IOSFW versions
  • Cisco IOSFW capable router (for example: SOHO,8xx,17xx,18xx,26xx,28xx,36xx,37xx,38xx, etc)


    NAT (PAT in this case) configuration

    !--- configure FastEthernet0 as a DHCP client and configure it as the 'outside' interface
    !--- (its address is whatever the upstream DHCP server leases; nothing below depends on the value)
    !
    interface FastEthernet0
     ip address dhcp
     ip nat outside
    !
    !--- configure Vlan1 as the 'inside' interface 
    !
    interface Vlan1
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
    !
    !--- configure PAT (Port Address Translation): all inside hosts share the FastEthernet0 address
    !
    ip nat inside source list NAT interface FastEthernet0 overload
    !
    !--- use an access-list to classify which traffic is allowed to be NAT'ed.
    !--- only packets sourced from the internal prefix are translated; any other source
    !--- address is left untranslated (the 'inside' access-list in the firewall section drops it anyway)
    !
    ip access-list extended NAT
     permit ip 10.1.1.0 0.0.0.255 any
    

    DHCP server configuration

    !
    !--- keep the router's own Vlan1 address (10.1.1.1) out of the pool so it is never leased to a client
    ip dhcp excluded-address 10.1.1.1
    !
    ip dhcp pool 10.1.1.0/24
       !--- the 'import all' command learns settings like the DNS-servers from the DHCP client on the 'outside' interface
       !--- internal clients therefore inherit whatever DNS servers the upstream lease supplies
       import all
       network 10.1.1.0 255.255.255.0
       default-router 10.1.1.1
    !
    

    IOS Firewall configuration

    !
    !--- Let's turn on stateful inspection for some protocols. There are many more protocols to choose from, this is just an example.
    !--- the generic tcp and udp entries cover sessions that none of the named protocols match
    !
    ip inspect name FWall http
    ip inspect name FWall esmtp
    ip inspect name FWall ssh
    ip inspect name FWall https
    ip inspect name FWall icmp
    ip inspect name FWall tcp
    ip inspect name FWall udp
    !
    !--- 'outside' is applied inbound on the Internet side: only what it permits, plus the
    !--- entries inspection opens dynamically for returning traffic, gets through
    interface FastEthernet0
     ip address dhcp
     ip access-group outside in
    !
    !--- 'inside' is applied inbound on the LAN side, so it also limits which sources may leave
    interface Vlan1
     ip address 10.1.1.1 255.255.255.0
     ip access-group inside in
    !
    !--- we only allow sessions to be initiated from the internal network.
    !--- NOTE: this line belongs under 'interface Vlan1' (see the complete configuration below);
    !--- when pasting, enter it before leaving interface configuration mode
     ip inspect FWall in
    !
    ip access-list extended inside
     !--- only the internal prefix may send, which also stops spoofed source addresses coming from the LAN
     permit ip 10.1.1.0 0.0.0.255 any
     remark allow DHCP requests
     !--- clients have no address yet when they request a lease, so the source cannot be narrowed here
     permit udp any eq bootpc any eq bootps
    ip access-list extended outside
     remark allow DHCP client request from the 'outside' interface
     !--- NOTE(review): this entry only matches replies sent to the broadcast address; a renewal reply
     !--- unicast to the leased address would fall through to the deny below -- confirm renewals work
     permit udp any eq bootps host 255.255.255.255 eq bootpc
     !--- everything else arriving from the Internet is dropped and logged; on a busy link consider
     !--- 'logging rate-limit' so that log entries cannot swamp the router
     deny   ip any any log
    !
    

    Check if the firewall is working

    You can check if the stateful inspection mechanism is working correctly by looking at the session table. You can see in the example below that the stateful inspection mechanism of IOS Firewall dynamically opened an entry in access-list outside.

    Router#show ip inspect sessions detail
    Established Sessions
     Session 82E87324 (10.1.1.2:4812)=>(192.109.18.1:22) ssh SIS_OPEN
      Created 00:01:05, Last heard 00:00:54
      Bytes sent (initiator:responder) [1424:6679]
      In  SID 194.109.21.3[22:22]=>194.18.13.19[4812:4812] on ACL outside  (52 matches)
    

    Complete configuration

    
    Current configuration : 1662 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    !--- no 'password' lines exist in this config, so nothing is stored in clear text even without
    !--- password encryption; the enable secret below is stored as a hash
    no service password-encryption
    !
    hostname c1711
    !
    boot-start-marker
    boot-end-marker
    !
    !--- this hash is published with the example: replace it with your own 'enable secret' before reusing the config
    enable secret 5 $1$Nj1L$bXT53HJOtg6trMstwn2di.
    !
    no aaa new-model
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip cef
    !
    !
    !--- stateful inspection rule set; applied inbound on Vlan1 below
    ip inspect name FWall http
    ip inspect name FWall esmtp
    ip inspect name FWall ssh
    ip inspect name FWall https
    ip inspect name FWall icmp
    ip inspect name FWall tcp
    ip inspect name FWall udp
    no ip dhcp use vrf connected
    !
    !--- LAN pool; 'import all' passes on the settings learned by the DHCP client on FastEthernet0
    ip dhcp pool 10.1.1.0/24
       import all
       network 10.1.1.0 255.255.255.0
       default-router 10.1.1.1
    !
    !
    no ip domain lookup
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !--- Internet side: DHCP client, 'outside' access-list inbound, NAT outside
    interface FastEthernet0
     ip address dhcp
     ip access-group outside in
     ip nat outside
     !--- not present in the snippets above; presumably added by the router when inspection/NAT
     !--- was enabled on the interface -- verify on your platform
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    !--- LAN side: 'inside' access-list inbound, inspection inbound (this is where 'ip inspect FWall in' belongs), NAT inside
    interface Vlan1
     ip address 10.1.1.1 255.255.255.0
     ip access-group inside in
     ip inspect FWall in
     ip nat inside
     ip virtual-reassembly
    !
    interface Async1
     no ip address
     encapsulation slip
    !
    !
    !--- web management is disabled, so no HTTP/HTTPS service is exposed on either interface
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT interface FastEthernet0 overload
    !
    ip access-list extended NAT
     permit ip 10.1.1.0 0.0.0.255 any
    !--- 'inside': only the internal prefix may send (anti-spoofing), plus DHCP requests from unaddressed clients
    ip access-list extended inside
     permit ip 10.1.1.0 0.0.0.255 any
     permit udp any eq bootpc any eq bootps
    !--- 'outside': only broadcast DHCP replies to the router's own DHCP client; everything else is dropped and logged
    ip access-list extended outside
     permit udp any eq bootps host 255.255.255.255 eq bootpc
     deny   ip any any log
    !
    !
    control-plane
    !
    !
    line con 0
    line 1
     stopbits 1
     speed 115200
     flowcontrol hardware
    line aux 0
    !--- 'login' with no line password set: IOS refuses remote logins until a password (or 'login local'
    !--- with a username) is configured; when enabling remote management, add 'transport input ssh'
    !--- and an 'access-class' that restricts the permitted source addresses
    line vty 0 4
     login
    !
    end