© 2006 Cisco Systems, Inc. All rights reserved. SND v Configuring a Cisco IOS Firewall Configuring a Cisco IOS Firewall with the Cisco SDM Wizard

© 2006 Cisco Systems, Inc. All rights reserved. SND v Outline Overview Cisco SDM Firewall Wizard Tasks Configuring a Basic Firewall Configuring an Advanced Firewall Configuring Firewall Inspection Rules Application Security Policy Configuration Delivering the Configuration to the Router Editing Firewall Policies and ACLs Summary

© 2006 Cisco Systems, Inc. All rights reserved. SND v Choosing the Type of Firewall You Need Choose the Cisco IOS Firewall that meets your network security needsbasic or advanced.

© 2006 Cisco Systems, Inc. All rights reserved. SND v SDM Firewall Wizard Help Screens How Do I View Activity on My Firewall? How Do I Configure a Firewall on an Unsupported Interface? How Do I Configure a Firewall After I Have Configured a VPN? How Do I Permit Specific Traffic Through a DMZ Interface? How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? How Do I Configure NAT on an Unsupported Interface? How Do I Configure NAT Passthrough for a Firewall? How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator? How Do I Associate a Rule with an Interface? How Do I Disassociate an Access Rule from an Interface How Do I Delete a Rule That Is Associated with an Interface? How Do I Create an Access Rule for a Java List? How Do I View the IOS Commands I Am Sending to the Router? How Do I Permit Specific Traffic onto My Network if I Dont Have a DMZ Network?

© 2006 Cisco Systems, Inc. All rights reserved. SND v Step-by-Step Help Screens

© 2006 Cisco Systems, Inc. All rights reserved. SND v Basic Firewall Basic Firewall Use Case Scenario One Outside 1 – n Inside Internet Note: 1 – n is one-to-many Define inside and outside interfaces. Configure firewall interfaces for remote management access: –Choose the outside interfaces, or –Specify a single source host or network

© 2006 Cisco Systems, Inc. All rights reserved. SND v Creating an Advanced Firewall Advanced Firewall Use Case Scenario 1 - n Outside 1 - n Inside Internet DMZ Optional Define inside, outside, and DMZ interfaces. Configure firewall interfaces for remote management access. Configure DMZ service type (TCP, UDP) and service (FTP, Telnet, protocol number) on the router. Configure host address, service, and service type.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Configuring Firewall Inspection Rules Inspection rules allow returning traffic that would otherwise be blocked. If you want to:Do this: Examine an existing inspection rule Choose the rule name from the Inspection Rule Name list. The inspection rule entries appear in a separate dialog box. Edit an existing inspection rule Choose the rule name from the Inspection Rule Name list and click Edit. Then edit the rule in the Inspection Rule Information window. Create a new inspection rule Choose the rule name from the Inspection Rule Name list, click New, and create the rule in the Inspection Rule Information window.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Application Security Configuration Choose a high, medium, or low security firewall policy.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Advanced Firewall Configuration Summary Review and verify the configuration. Use the Back button to edit entries. Click Finish to complete the configuration.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Delivering the Commands to the Router Commands are delivered to the running configuration and are not saved on exit.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Editing a Firewall Policy

© 2006 Cisco Systems, Inc. All rights reserved. SND v Editing the Application Security Policy

© 2006 Cisco Systems, Inc. All rights reserved. SND v Editing the Application Security Policy (Cont.) Use the Applications/Protocols menu for applications and protocols that are not shown.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Editing the Application Security Policy (Cont.) Example: You can prevent internal defacing of a web page by choosing HTTP > Header Options to block put commands and send an alarm.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Editing Firewall Global Settings Global settings should not be changed without care and attention.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Summary You can use Cisco SDM Firewall Wizard help screens to guide you through most configuration tasks. You need to define only inside and outside interfaces to create a basic firewall. An advanced firewall allows you to configure a DMZ. You may need to configure the firewall inspection rules to allow certain types of returning traffic. Cisco SDM allows you to customize default application security policies. Once policies have been selected, changes need to be delivered to the router, and you need to save the configuration. The firewall and ACL editor allows you to edit application policies and global settings.

© 2006 Cisco Systems, Inc. All rights reserved. SND v