
How to Configure a Firewall in Cisco Switch?

Last Updated : 30 Nov, 2022

A firewall is a network security device (or software component) that monitors incoming and outgoing network traffic and decides, for each packet or session, whether to allow or deny it according to a set of security rules.

Configure a Firewall on Cisco Switch:

The Cisco 850 and Cisco 870 series routers support access lists for filtering network traffic, and additionally provide Context-Based Access Control (CBAC): stateful packet inspection built on dynamic temporary access lists.

A plain access list gives only basic traffic filtering. It examines each packet at the network layer or, at most, the transport layer and decides whether to let it through the firewall. CBAC goes further. When inspection rules are configured, the router tracks sessions and creates dynamic temporary access list entries that punch openings in the static access lists applied at the firewall interfaces. An opening is created when a user session's traffic leaves the internal network through the firewall; it permits the return traffic of that session back in, traffic that the static access list would otherwise block, and it is removed again when the session ends.

Note that the commands below are Cisco IOS router commands. They apply to routed interfaces (on the 850/870 the inside LAN is the VLAN 1 interface and the outside is the FastEthernet 4 WAN port), not to Layer 2 switch ports, and CBAC, the "classic" IOS firewall, has since been superseded by the Zone-Based Policy Firewall on newer IOS releases. To configure this network scenario, complete the following steps:

  • Set up Access Lists
  • Set up Inspection Rules
  • Apply Access Lists and Inspection Rules to Interfaces

1. Set up Access Lists:

To build access lists for the firewall, follow these instructions starting in global configuration mode:

Step 1

Command:

access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]]

Example:

Router(config)# access-list 103 permit udp host 200.1.1.1 any eq isakmp
Router(config)# access-list 103 deny ip any any
Router(config)#

Purpose: Creates an extended access list that checks protocol, addresses and ports in order to block internet-initiated traffic from entering the router's internal (local) network. Only ISAKMP (UDP port 500) from the VPN peer 200.1.1.1 is permitted explicitly; everything else is denied. Two details matter here. An access list is evaluated top-down and the first matching entry wins, so the permit entry must precede deny ip any any (a deny placed first would make every later permit unreachable). And a port match such as eq isakmp is only valid when a transport protocol (udp or tcp) is named in the entry. Return traffic for sessions started from the inside is deliberately not listed here; the inspection rules of Step 2 open it dynamically.

2. Set up Inspection Rules:

Beginning in global configuration mode, carry out the following steps to set up firewall inspection rules for all TCP and UDP traffic as well as certain application protocols as specified by the security policy:

Step 1

Command:

ip inspect name inspection-name protocol

Example:

Router(config)# ip inspect name firewall tcp
Router(config)#

Purpose: Defines an inspection rule named inspection-name (here firewall) for one protocol. Generic tcp inspection covers any TCP session; add a second entry with udp if UDP sessions (for example DNS lookups) should also be tracked.

Step 2

Command:

ip inspect name inspection-name protocol

Example:

Router(config)# ip inspect name firewall rtsp
Router(config)# ip inspect name firewall h323
Router(config)# ip inspect name firewall netshow
Router(config)# ip inspect name firewall ftp
Router(config)# ip inspect name firewall sqlnet
Router(config)#

Purpose: Repeat the same command, with the same inspection-name, once for every application protocol you want inspected. Application-level entries are needed for protocols such as FTP, H.323, RTSP, NetShow and SQL*Net that open secondary data channels on negotiated ports; generic TCP inspection alone would not open those channels.

3. Apply Access Lists and Inspection Rules to Interfaces:

To apply the ACLs and inspection rules to the network interfaces, follow these steps, starting in global configuration mode:

Step 1

Command:

interface type number

Example:

Router(config)# interface vlan 1
Router(config-if)#

Purpose: Enters interface configuration mode for the router's internal (inside) network interface.

Step 2

Command:

ip inspect inspection-name {in | out}

Example:

Router(config-if)# ip inspect firewall in
Router(config-if)#

Purpose: Applies the inspection rule set to the inside interface in the inbound direction, i.e. to traffic entering the router from the LAN on its way out to the internet. Each inspected session creates a temporary opening in the outside interface's access list for its return traffic.

Step 3

Command:

exit

Example:

Router(config-if)# exit
Router(config)#

Purpose: Returns to global configuration mode.

Step 4

Command:

interface type number

Example:

Router(config)# interface fastethernet 4
Router(config-if)#

Purpose: Enters interface configuration mode for the router's outside (internet-facing) network interface.

Step 5

Command:

ip access-group {access-list-number | access-list-name} {in | out}

Example:

Router(config-if)# ip access-group 103 in
Router(config-if)#

Purpose: Applies access list 103 inbound on the outside interface, so that traffic arriving from the internet is filtered before it can reach the internal network.

Step 6

Command:

exit

Example:

Router(config-if)# exit
Router(config)#

Purpose: Returns to global configuration mode.
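The three steps above combined into one configuration, as an added worked example that is not part of the original article or of Cisco's configuration guide. ACL number 103, the inspection-rule name firewall, the interfaces vlan 1 and fastethernet 4 and the peer address 200.1.1.1 are the article's own example values; the interface IP addresses and descriptions are assumed, and the udp inspection entry and the log keyword on the final deny are additions the article does not show. The access-list entries are written permit-then-deny so that the ISAKMP permit is reachable.

```cisco
! Added example configuration (not from the article): classic IOS firewall
! (CBAC) on a Cisco 850/870. Interface addresses and descriptions are assumed.
!
! --- Step 1: extended ACL, applied inbound on the outside interface ---
! ACLs are first-match, top-down: the permit must come before the deny,
! and "eq isakmp" (UDP/500) needs a transport protocol in the entry.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 deny ip any any log
!
! --- Step 2: inspection rules, one entry per protocol, same rule name ---
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
!
! --- Step 3: bind the rule set to the inside interface and the ACL to the outside ---
interface vlan 1
 description inside (LAN) - assumed address
 ip address 192.168.1.1 255.255.255.0
 ip inspect firewall in
!
interface fastethernet 4
 description outside (internet) - assumed address
 ip address 203.0.113.2 255.255.255.0
 ip access-group 103 in
!
end
```

Paste the block in global configuration mode, then verify from privileged EXEC: show ip inspect config lists the rule set, show access-lists 103 shows hit counts on the deny entry (the log keyword also produces a syslog line per denied packet, which is useful while testing but noisy in production), and, with a session open from the LAN, show ip inspect sessions lists the dynamic openings CBAC has created for the return traffic.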

Configuration of a Firewall in Cisco Packet Tracer:

Step 1: Open the Cisco Packet Tracer desktop application and add a PC, a Server and a Switch from the device list.

  • Create the network topology by placing the devices in the workspace.
  • Connect the devices with the automatic cable-selection tool (Connections > Automatically Choose Connection Type).

Step 2: Assign IPv4 addresses and subnet masks to the PCs and the server according to your addressing plan (all of them must be in the same subnet, since the topology has a switch but no router).

  • Click PC0 to assign an IP address.
  • Select Desktop > IP Configuration and, under IPv4 Configuration, choose Static.
  • Enter the IPv4 address and subnet mask.
  • Repeat the process for the server.
  • Addresses can also be set or checked from Desktop > Command Prompt with the ipconfig command.
  • Configure the remaining PCs the same way.

Step 3: Configure the server's firewall to drop ping packets but allow web browser traffic.

  • Click Server0 and open the Desktop tab.
  • Select IPv4 Firewall.
  • Turn the service On. Add the first rule: Action Deny, Protocol ICMP, Remote IP 0.0.0.0, Remote Wildcard Mask 255.255.255.255 (a wildcard mask of all ones matches every source address, the same convention as a Cisco IOS ACL).
  • Add the second rule: Action Allow, Protocol IP, Remote IP 0.0.0.0, Remote Wildcard Mask 255.255.255.255, and click Add.
  • Keep the ICMP deny rule above the IP allow rule. Rules are matched in order, and an allow-all IP rule listed first would match ping traffic before the ICMP rule is reached, so the deny would never take effect.

Step 4: Verify the setup by pinging the server and opening its web page.

  • Click PC2 and select Desktop > Command Prompt.
  • Enter ping followed by the server's IP address.
  • The replies should time out (Request timed out), because the server's firewall now denies ICMP; pinging another PC still works, since the rule is configured only on the server.
  • To confirm that non-ICMP traffic is still allowed, open Desktop > Web Browser on PC2 and enter the server's IP address in the URL bar; the server's default web page should load over HTTP.

