Secure Your Router with Cisco SDM


Upload: indrajit-banerjee

Post on 11-Apr-2015


Page 1: Secure Your Router With Cisco SDM

Secure your Router with Cisco’s SDM Firewall Policy Wizard

By NetworkSecurity.Weebly.Com

Figure A

A Cisco IOS router offers a great deal of configuration options when you enable the firewall. However, while this may offer a better sense of security, the complexity of the configuration can also be pretty overwhelming.

But the SDM Firewall Policy Wizard can make things easier. For example, let’s configure a basic firewall using the wizard. For this demonstration, a Cisco 871 router is used with SDM version 2.4. Also installed is Cisco IOS Advanced Security version 12.4(11) T1.

Using the Cisco SDM Firewall and ACL task section, you can create new firewalls and ACLs as well as edit existing ones. SDM offers wizards to create either a basic firewall or an advanced firewall. What’s the difference? The basic firewall won’t configure a DMZ for you, but the advanced firewall will.


Because we are not interested in creating a DMZ, we choose the basic firewall option. Figure A shows the first screen.

This figure explains how the Basic Firewall Configuration Wizard applies its template policy to the inside and outside interfaces. The wizard will give you the opportunity to specify which interface is which. The new policy will inspect TCP, UDP and other protocols that travel from the inside zone to the outside zone. It will block IM, P2P, MSN, Yahoo and AOL IM traffic. It will also deny any unsolicited traffic arriving on the outside interface.

Figure B

Click Next, which will take you to the Basic Firewall Interface Configuration screen, as seen in Figure B. This is where you can select which interface will be the inside and which will be the outside.

After you have made your selection, click Next. This takes you to the Basic Firewall Security Configuration screen, as shown in Figure C. Choose the level of security for the firewall: High, Medium, or Low.

I chose Medium Security and clicked the Preview Commands button to review the commands this setting would apply.


Figure C

When you see the output, you will be glad you didn’t have to manually type all those commands.

Figure D


Once you are satisfied with your security settings, click Next. This takes you to the Basic Firewall Domain Name Server Configuration screen, as shown in Figure D. Specify the primary DNS server, and click Next. The Firewall Configuration Summary screen sums up our choices, as shown in Figure E. If you are happy with your choices, click Finish.

Figure E

Figure F

The wizard then applied 273 commands to the router, as shown in Figure F.


Figure G

After the wizard applies the configuration, you can click the Edit Firewall Policy tab in SDM to review the changes, as shown in Figure G.

One caveat: the Firewall Policy Wizard doesn’t apply ACLs. Instead, it uses a new type of firewall configuration called Zone Policy Firewalls (ZPF). For more information on ZPFs, please see Cisco’s Configuring Zone Policy Firewall documentation.
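Because a zone policy firewall is expressed as zones, class maps, policy maps and zone pairs rather than ACLs, a long previewed command list is easier to review once it is reduced to "which zone pair applies which action to which class". The sketch below is an added example, not SDM output or code from the original article; the embedded configuration is constructed, and its zone, class-map, policy-map and interface names are assumptions. It also lists interfaces that belong to no zone, since a zone policy firewall does not pass traffic between those and zone-member interfaces.

```python
# Constructed sample zone policy firewall config; every name is an assumption.
SAMPLE_CONFIG = """\
zone security in-zone
zone security out-zone
class-map type inspect match-any IM-TRAFFIC
 match protocol ymsgr
class-map type inspect match-any INSIDE-PROTOCOLS
 match protocol tcp
 match protocol udp
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect IM-TRAFFIC
  drop log
 class type inspect INSIDE-PROTOCOLS
  inspect
 class class-default
  drop
zone-pair security IN-OUT source in-zone destination out-zone
 service-policy type inspect INSIDE-TO-OUTSIDE
interface Vlan1
 zone-member security in-zone
interface FastEthernet4
 zone-member security out-zone
interface Vlan2
"""

def summarize_zpf(config):
    """Return ({(src, dst): [(class, action)]}, [interfaces in no zone])."""
    policies, pairs, ifaces, zoned = {}, {}, [], set()
    top, pm, cls = [""], None, None
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line.startswith(" "):  # unindented line opens a new section
            top, pm, cls = w, None, None
            if w[0] == "interface":
                ifaces.append(w[1])
            elif w[:2] == ["zone-pair", "security"]:
                pairs[w[2]] = [w[4], w[6], None]
            elif w[:3] == ["policy-map", "type", "inspect"]:
                pm = w[3]
        elif top[0] == "interface" and w[0] == "zone-member":
            zoned.add(top[1])
        elif top[0] == "zone-pair" and w[0] == "service-policy":
            pairs[top[2]][2] = w[-1]
        elif pm and w[0] == "class":
            cls = w[-1]
        elif pm and cls and w[0] in ("inspect", "drop", "pass"):
            policies.setdefault(pm, []).append((cls, w[0]))
    flows = {(s, d): policies.get(p, []) for s, d, p in pairs.values()}
    return flows, [i for i in ifaces if i not in zoned]
```

In the sample there is no zone pair from out-zone to in-zone, which is how unsolicited traffic arriving on the outside interface ends up denied: only return traffic for sessions inspected on the way out is allowed back.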