CCNA Security Certification Tutorial:
The Cisco IOS Firewall Set (Part 5)
Using Security Device Manager (SDM) To Configure Firewalls
Chris Bryant, CCIE #12933
In the previous installment of this CCNA Security exam tutorial, we went through the prerequisite tasks necessary for a successful installation of SDM.
With that done, we'll use the Basic Firewall Wizard to configure the Cisco IOS Firewall. (Don't worry, we'll see the Advanced Firewall Wizard in action too.)
As we saw in the previous installment, clicking the Firewall And ACL button in SDM presents us with this choice on the Create Firewall tab:
The text we'll see in SDM windows is great review material for the exam, and here SDM reminds you that only the Advanced option allows configuration of a DMZ or of custom rules. Additionally, you'll see this illustration to the right when the Basic wizard is selected:

The Basic Firewall Wizard allows multiple inside interfaces, one outside interface, and no DMZ. As always, SDM will remind you of this, but the CCNA Security ISCW exam questions probably won't! :)
We'll proceed with a Basic configuration, looking at the CLI commands along the way.
The next window is excellent review material as well...

On the next screen, we'll define our trusted and untrusted interfaces.

We'll continue this illustrated look at the Cisco SDM Basic Firewall Wizard right after this brief and important message!
I'm Paying It Forward Bigger Than Before.
My Famous CCNA Study Package Is Now $25.

And if you're working on the CCNA Security certification instead - click that link and earn that certification for twenty bucks!
Now let's get back to SDM...
The untrusted interface is selected from the dropdown list, and two things happen when you do so - the newly-selected untrusted interface is removed from the list of possible trusted interfaces, and the option to enable SDM access via the untrusted interface is enabled.

After selecting Fast0/1 as the trusted interface, I click Next at the bottom of that screen (not shown), and we move on.
Or maybe not ... SDM's got a little message for us.

That's fine with us, so we click OK and move on to the next screen, where we're prompted to choose one of three Application Security default policies.
There is a Preview Commands button, but no option to create a custom application policy - we'd have to use the Advanced wizard to do that.

You can see almost the entire description of the High Security policy - here's the missing part you can't see: "Choose this option if you want to prevent use of these applications on the network".
The following is just part of the configuration the High policy will write to the router. No need to memorize this, but I did want you to see the resulting policy. (The entire config is literally about 90 lines.)
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
appfw policy-name SDM_HIGH
 application im aol
  service default action reset alarm
  service text-chat action reset alarm
  server deny name login.oscar.aol.com
  server deny name toc.oscar.aol.com
  server deny name oam-d09a.blue.aol.com
  audit-trail on
 exit
Instead of applying this policy, I chose the Low application policy previewed below.
After selecting the Low application policy and clicking Next (not shown), we're shown a summary of the configuration we've selected.

On the untrusted interface, IPSec, NTP, and GRE traffic is allowed if necessary. ICMP traffic is also permitted, but the following traffic types are denied:
potential IP Spoofing traffic
traffic from broadcast, local loopback, and private address ranges
There's a Finish button at the bottom of the screen, so I click that, and we find that we're not quite finished:

We're running EIGRP on the untrusted interface, and SDM has picked up on that. The check box is already checked, so SDM's assuming we want to allow EIGRP updates through the firewall. We certainly do, so we'll leave that checked and click OK.
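The untrusted-interface rules from the summary above, plus the EIGRP exception from that final prompt, written out as a hand-built CBAC configuration. This is an added example, not the commands SDM delivers: the interface addresses, the inside prefix 192.168.1.0/24, the ACL name UNTRUSTED_IN and the inspection rule name CBAC_OUT are all assumptions.

```ios
! Added example (not SDM's generated output): a hand-written CBAC
! configuration implementing what the wizard summary describes.
! Assumed: Fa0/0 is untrusted at 203.0.113.2/24, Fa0/1 is trusted
! at 192.168.1.1/24, and the router itself terminates IPSec/GRE/NTP.
ip inspect log drop-pkt
ip inspect audit-trail
! Sessions leaving the trusted side are tracked; their return traffic
! is opened dynamically, so the inbound ACL only lists exceptions.
ip inspect name CBAC_OUT tcp
ip inspect name CBAC_OUT udp
ip inspect name CBAC_OUT icmp
!
ip access-list extended UNTRUSTED_IN
 remark EIGRP neighbor traffic on the outside link (the wizard's final prompt)
 permit eigrp any any
 remark IPSec, GRE and NTP terminated on the router itself
 permit udp any host 203.0.113.2 eq isakmp
 permit esp any host 203.0.113.2
 permit gre any host 203.0.113.2
 permit udp any host 203.0.113.2 eq ntp
 remark ICMP replies and errors needed for troubleshooting and path MTU
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark anti-spoofing: the inside prefix never legitimately arrives from outside
 deny ip 192.168.1.0 0.0.0.255 any log
 remark broadcast, loopback and RFC 1918 sources
 deny ip host 255.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip any any log
!
interface FastEthernet0/0
 description untrusted (outside)
 ip address 203.0.113.2 255.255.255.0
 ip access-group UNTRUSTED_IN in
!
interface FastEthernet0/1
 description trusted (inside)
 ip address 192.168.1.1 255.255.255.0
 ip inspect CBAC_OUT in
```

Return traffic for sessions CBAC is tracking is admitted ahead of the ACL's deny lines; after a host on Fa0/1 opens a connection, show ip inspect sessions lists the dynamic entry that lets the reply back in.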
The next screen shows us the actual commands to be delivered. I can't get them all into one screen shot, but this gives you a view of the actual ACL.
Note the unchecked option at the bottom of the screen and the three options for this configuration.
The delivery window tells us that this simple firewall config - simple in SDM, that is - requires 50 commands.

That blue bar will actually be white at first, and will scroll from left to right as the configuration is delivered. When it's done, the bar will be fully blue and the OK button will enable. You're then taken to the Edit Firewall Policy window, which allows you to verify your configuration.
Chris Bryant
CCIE #12933
"The Computer Certification Bulldog"
chris@thebryantadvantage.com
No Gimmicks -- Just Results.