In small Offices or branch Offices, instead of buying separate devices for edge router and Firewall we can configure the edge router as a firewall and NAT device also. This will reduce the cost of overall IT budget and which will ease the management also.Here is a step by step configuration example to configure a Cisco 1841 integrated service router as an Edge router with NAT and a basic IOS firewall.All the router comes with or able to install Cisco SDM, a graphical tool to make the configuration which is very helpful to make the configuration and monitor the device. But in this tutorial we will go through the CLI configuration method.TopologyWe are going to discuss is a very simple topology consists of,
- One Internet connection ends in the WAN interface of the router (FastEthernet0/0).
- One LAN interface (FastEthernet0/1) connects to the internal LAN L3/L2 switch.
- LAN IP address: 10.2.2.1/24
- WAN IP address: 2.3.3.2/30
Internet <==> Router <==> LANStarting the basic configuration We will start configure the router through the console port of the router using a console cable, which normally provided with the router itself. First make sure the router should be clean from older configurations, you can assure this by clearing the existing configurations. If you are sure with your router configuration, you can skip this stage.
router#configure terminal
router(config)#config-register 0x2102 < This register value can be found from sh version command
router(config)#end
router#write erase
router#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]
When the router comes up, which will prompt you for doing the initial configuration through the configuration assistant, you can skip this because we will be doing it manually.
Configure the hostname for the router, I am going to put as Edge-01
router>en
router#conf t
router(config)#hostname Edge-01
Configure the external interface of the router with the ip address of 2.3.3.2
Edge-01(config)#interface FastEthernet0/0
Edge-01(config-if)#ip address 2.3.3.2 255.255.255.252
Edge-01(config-if)#speed 100
Edge-01(config-if)#duplex full
Edge-01(config-if)#speed 100
Edge-01(config-if)#no shut
Now configure the internal interface of the router.
Edge-01(config-if)#interface FastEthernet0/1
Edge-01(config-if)#ip address 10.2.2.1 255.255.255.0
Edge-01(config-if)#speed 100
Edge-01(config-if)#duplex full
Edge-01(config-if)#speed 100
Edge-01(config-if)#no shut
Configure the default gateway as 2.3.3.1 (change it accordingly)
Edge-01(config)#ip route 0.0.0.0 0.0.0.0 2.3.3.1
Enabling SSH:
For securely accessing this router, we will be using ssh as a remote access mechanism instead of telnet, so we need to enable ssh now.
Edge-01(config)#aaa new-model
Edge-01(config)#ip domain-name my.domain.com < This need to change with your domain-name
Edge-01(config)#crypto key generate rsa
Edge-01(config)#ip ssh time-out 60
Edge-01(config)#ip ssh authentication-retries 2
Edge-01(config)#ip ssh version 2
Enabling NAT:
For the internal clients to access the internet the router should be configured with NAT especially NAT with overload (PAT). The following commands will enable PAT and all the internal clients will be able to access the internet through this router.
Create an access-list which will be used to include the LAN addresses, the clients will be trying from
Edge-01(config)#access-list 1 permit 10.2.2.0 0.0.0.255
Now we need to tell which is internal and which is external interfaces for doing the nat.
Edge-01(config)#interface FastEthernet0/1
Edge-01(config-if)#ip nat inside
Edge-01(config-if)#interface FastEthernet0/0
Edge-01(config-if)#ip nat outside
Now we have to define the external IP address pool, which will be used by the internal clients to access the internet. Here I have only one public ip address, even if we need to define the pool, but we will use starting and ending as a single address.
Edge-01(config)#ip nat pool MYPOOL 2.3.3.2 2.3.3.2 netmast 255.255.255.252
Now define the nat with overload or PAT (Port Address Translation) as,
Edge-01(config)#ip nat inside source list 1 pool MYPOOL overload
At this point, we have a router which can be acted as the edge router and do the NAT(PAT) for the internal clients to access Internet. But it lacks a firewall so we cannot put this router in production until we configure a firewall on it.
Configure IOS Firewall
Now we are going to explore the zone based firewall functionality of Cisco IOS. Here we can create multiple security zones with various security levels which we can define. And finally we will add our router interfaces in to these security zones as zone members to avail the defined security levels.
Creating Zones and assigning interfaces
In this example we are going to create only two security zones (TRUSTED & INTERNET) and will assign each interfaces in to each of these security zones as zone members. But it is possible to create multiple security zones and also possible to add multiple interfaces (real or virtual) in to same security zones.
TRUSTED: Internal LAN connection
INTERNET: Internet connection
Create the security zones as follows,
Edge-01(config)#zone security Trusted
Edge-01(config-sec-zone)#zone security Internet
There is also a special default zone named "self". This zone applies to traffic which originates from or is destined for the control plane of router itself (e.g. routing protocols, SSH, SNMP, etc.). By default, all traffic is allowed into the self zone.
The interfaces now need to assign to security zones with the command zone-member security
Edge-01(config)#interface FastEthernet0/0
Edge-01(config-if)#zone-member security Internet
Edge-01(config-if)#interface FastEthernet0/1
Edge-01(config-if)#zone-member security Trusted
Edge-01#show zone security
Creating Zone Pairs
Zone pairs apply policy enforcement to traffic flowing from one security zone to another. A zone pair must be defined for each direction in which traffic is allowed to be initiated. For example, a common simple policy is that the internal network can initiate any sort of traffic to the Internet, but no traffic may be initiated from the Internet to the internal network. This policy requires only a single zone pair, from the internal zone to the Internet zone.
We'll create only one zone pair to meet our requirements:
The command to configure a zone pair uses the following syntax:
zone-pair security NAME source FROM-ZONE destination TO-ZONE
Here is our zone pair definition:
Edge-01(config)#zone-pair security Trusted->Internet source Trusted destination Internet
Edge-01(config-sec-zone-pair)#
Creating and Applying Security Policies
Finally, we'll define and apply our security policies to the zone pairs. Policies are defined as inspection policy maps, which are very similar in construct to policy maps used for quality of service (QoS) classification and marking. Policy maps reference class maps, which in turn reference access lists or NBAR definitions to classify traffic.
One of three security actions can be taken on traffic matched by a class map:
Drop - The traffic is dropped.
Pass - The traffic is permitted.
Inspect - The traffic is permitted and inspected statefully so that return traffic in the opposite direction is also permitted.
First, we'll create a class map to match all of the traffic we want to allow from the Trusted zone out to the Internet. We want to inspect all traffic outbound to the Internet so that return traffic is allowed statefully. Unfortunately, we can't use the inspect
action with the default class map, so we'll need to create a custom class map to match the base protocols TCP, UDP, and ICMP. (This doesn't allow non-TCP/UDP protocols such as IPsec, but meets our needs.)
Edge-01(config)# class-map type inspect match-any All_Protocols
Edge-01(config-cmap)# match protocol tcp
Edge-01(config-cmap)# match protocol udp
Edge-01(config-cmap)# match protocol icmp
Our class maps need to be wrapped into service policies so that they can be associated with security actions. We do this by creating inspection policy maps.
Edge-01(config)#policy-map type inspect Trusted_to_Internet
Edge-01(config-pmap)#class type inspect All_Protocols
Edge-01(config-pmap-c)#inspect
Lastly, we'll apply the policy maps to their appropriate zone pairs.
Edge-01(config)#zone-pair security Trusted->Internet
Edge-01(config-sec-zone-pair)# service-policy type inspect Trusted_to_Internet
We can verify our configuration using the command show zone-pair security:Edge-01# show zone-pair security
Zone-pair name Trusted->Internet
Source-Zone Trusted Destination-Zone Internet
service-policy Trusted_to_Internet
More detail regarding the entire firewall policy hierarchy can be achieved with the command Edge-01#show policy-map type inspect zone-pair
Our Zone based firewall configuration is now completed, so its time to test the configuration. If you have lab with separated Internet connection, you can easily do the testing. Otherwise do simulate the scenario by connecting at least two machines in which one will act as LAN machine and other one will act as an Internet server.