Last month I talked about the fundamentals for understanding zone based firewalls (see the post Understanding Zone Based Firewalls). So for today's post I want to go ahead and talk about configuring zone based firewalls, but with the Cisco SDM (Security Device Manager). The Cisco SDM is a web-based device management tool, a GUI for Cisco routers, that can simplify router deployments and reduce ownership costs (see the post Configure Cisco SDM). Instead of talking about what zone based firewalls are, let's jump into the configuration of them.
This tutorial is assuming that the configurations to set up Cisco SDM have already been completed.
For this tutorial all we want to focus on is configuring zone based firewalls. Since this uses Cisco SDM, the firewall wizard is pretty effortless. Before we get started, I like to have the Cisco SDM preview the commands before I deliver them to the router. To do that, at the top of the menu bar click Edit and select Preferences. A new window will appear (like below); verify that "Preview commands before delivering to router" is checked.
Now that we are ready to go, the first thing we need to do is select the Configure button at the top, and on the left-hand side under Tasks select the Firewall and ACL option.
You now have to decide what type of firewall you want to configure and launch the wizard. The main difference between the basic firewall option and the advanced firewall option is that the advanced option supports a DMZ zone; the basic firewall setup does not support a DMZ. (For this tutorial we are going to be using the basic firewall option.)
A new window will show, the Firewall Wizard, and it will explain what the selected firewall option will do. Click on the Next button.
The next area is going to ask which interface is considered the outside (untrusted network) and which is the inside (trusted network). In the advanced firewall wizard you have an extra option, the DMZ. For this tutorial we are using the basic firewall wizard and are selecting the serial interface as the untrusted (outside) network. The Fast-Ethernet interface is the trusted (inside) network. Click Next.
In the basic firewall wizard the next section is the security configuration, where you pick the level of security you want. Move the slider to the choice that best fits. You can also preview the commands by selecting the Preview Commands button to verify the commands before choosing them. (For this tutorial I selected the Low Security option.) Click Next.
The final section is the summary for the basic firewall configuration. Here you can look over the summary to verify the configuration. Click Finish.
If you've selected the option to preview commands before delivering them to the router, a final window will appear. In this window you can see the real commands the SDM program will attempt to deliver. You have the option to save the running-configuration to the startup-configuration after the commands complete. You also have the option to save the configuration as a file, and finally you can deliver the commands to the router.
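To make sense of what shows up in that preview window, here is an IOS zone-based firewall configuration of the kind the wizard delivers, written as an added example for this post rather than copied from SDM output; the interface names, zone names, and class/policy-map names are assumptions, and the match list reflects a permissive (low security) policy.

```cisco
! Two zones: the Fast-Ethernet side is trusted, the serial side is untrusted
zone security in-zone
zone security out-zone
!
! Pick the traffic to inspect (permissive policy: any TCP, UDP, or ICMP from inside)
class-map type inspect match-any CM-IN-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Statefully inspect the matched traffic; everything else in this direction is dropped and logged
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect
 class class-default
  drop log
!
! A zone-pair only exists for inside -> outside; return traffic is allowed by the
! inspect state table, and unsolicited outside -> inside traffic is dropped
! because no zone-pair permits it.
zone-pair security IN-OUT source in-zone destination out-zone
 service-policy type inspect PM-IN-TO-OUT
!
! Assign the interfaces to their zones (an interface in no zone cannot talk to a zoned one)
interface FastEthernet0/0
 zone-member security in-zone
!
interface Serial0/0/0
 zone-member security out-zone
!
! Verification after delivery:
!   show zone security
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

Traffic to and from the router itself (the built-in self zone) is not covered by this zone-pair and stays permitted by default, so check the preview window for whether the wizard adds a self-zone policy at the security level you chose.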
Believe it or not, that's the SDM configuration of a zone-based firewall. You can get more information at Cisco's website about SDM and the configuration settings. Like always, I hope this tutorial was informative, and if you have a suggestion for the next topic that relates to ICND1 or ICND2, or even some CCNA Security, comment below.
- Understanding Zone Based Firewalls (ciscoskills.net)
- Configuring Cisco Router Firewall through Command Prompt (brighthub.com)
- Firewall Vendors Challenge Findings of NSS Labs Report (pcworld.com)
- Enterprise Network Firewalls Leak (nsslabs.blogspot.com)
- Firewall Security Issue Raised in Report Angers Vendors (pcworld.com)