
Configuring Cisco Router as a Packet Filtering Firewall

Step-by-step guide for securing internal and external networks

Key Highlights

  • Interface Configuration: Correctly assign IP addresses to the router interfaces to segregate internal and external networks.
  • Access Control Lists (ACLs): Use both standard and extended ACLs to permit and block traffic as needed.
  • Verification & Testing: Test connectivity using tools like ping and web requests to ensure the ACLs are correctly enforced.

Understanding the Network Layout

The office has two network segments:

  • Internal Network: Range 192.168.1.0/24 with employee laptops (Laptop0 at 192.168.1.10 and Laptop1 at 192.168.1.11).
  • External Network: Range 192.168.2.0/24 featuring two servers (Server0, a web server at 192.168.2.10; and Server1, a file server at 192.168.2.11).

The Cisco router will act as a packet filtering firewall: it forwards traffic between these two networks only where the defined security policy permits it and drops everything else.


Step 1: Configure Router Interfaces

Begin with the configuration of the router interfaces by assigning each interface the appropriate IP address and subnet mask.

Internal Interface Configuration

The internal interface serves the employee laptops on the 192.168.1.0/24 network.

Router> enable
Router# configure terminal
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit

External Interface Configuration

The external interface connects to the servers residing in the 192.168.2.0/24 network.

Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip address 192.168.2.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit

Step 2: Create and Apply the Access Control List (ACL)

ACLs define what traffic is authorized to pass between the internal and external networks. In this configuration, we will set up ACL entries to allow specified traffic, and block other traffic using the implicit deny rule.

Designing the ACL

The following security policies will be enforced:

  • Internal to External: Permit HTTP traffic from both laptops to the web server, and optionally other allowed services (e.g., FTP if needed).
  • External to Internal: Permit only the response traffic for connections the laptops initiated (using the established keyword).
  • Block all other traffic that does not adhere to these rules.

Here is a sample configuration using an extended ACL:

! Permit HTTP traffic from the internal network to the web server
Router(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.10 eq 80

! Optionally, if FTP service is required, allow FTP traffic.
! Note: this entry covers only the FTP control channel (port 21); FTP's separate data connection is not matched by these rules.
Router(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.11 eq 21

! Deny all other traffic from the internal network to any external destination
Router(config)# access-list 101 deny ip 192.168.1.0 0.0.0.255 any
! Note: There is an implicit deny at the end of every ACL, but explicit rules aid clarity.

Additionally, to admit response traffic from the external network back to the internal network, you can use the established keyword on the ACL. It matches only TCP segments with the ACK or RST bit set, i.e. segments that belong to a connection that has already been initiated; it keeps no connection state, so it approximates stateful inspection rather than implementing it:

! Permit only TCP return traffic from the servers to the internal network.
! Replies from the web server carry port 80 as their *source* port (and the FTP server port 21), so the port is matched on the source side.
Router(config)# access-list 102 permit tcp host 192.168.2.10 eq 80 192.168.1.0 0.0.0.255 established
Router(config)# access-list 102 permit tcp host 192.168.2.11 eq 21 192.168.1.0 0.0.0.255 established
Router(config)# access-list 102 deny ip any 192.168.1.0 0.0.0.255

Applying the ACLs to the Interfaces

Apply ACL 101 inbound on the internal interface, where traffic from the laptops enters the router, and ACL 102 inbound on the external interface, where traffic from the servers enters. (Applying ACL 101 outbound on GigabitEthernet0/0 would instead filter packets leaving the router toward the laptops, which are the servers' replies, and would block them.)

! Apply ACL 101 inbound on the internal interface (filtering traffic arriving from the laptops)
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 101 in
Router(config-if)# exit

! Apply ACL 102 inbound on the external interface (filtering traffic arriving from the servers)
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 102 in
Router(config-if)# exit
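As an added example (not part of the original article), the following Python script parses the ACL entries above in the page's own syntax and evaluates them against constructed packets. It shows which flows ACL 101 and 102 permit, that ping from the laptops is denied by ACL 101, and that established tests only TCP flags, not connection state. The function names and sample packets are assumptions; ACL 102's return entries are written with the server's port as the source port, which is how replies from the servers appear on the wire.

```python
# Added example (not from the article): evaluate the ACLs above against constructed packets.
import ipaddress
# Entries in the page's syntax; ACL 102 matches the server port as the *source* port of replies.
ACL_TEXT = """
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.10 eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.11 eq 21
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp host 192.168.2.10 eq 80 192.168.1.0 0.0.0.255 established
access-list 102 permit tcp host 192.168.2.11 eq 21 192.168.1.0 0.0.0.255 established
access-list 102 deny ip any 192.168.1.0 0.0.0.255
"""

def _addr(tokens):
    """Consume 'host X' | 'any' | 'base wildcard' plus an optional 'eq <port>'."""
    kind = tokens.pop(0)
    if kind == "any":
        base, wc = 0, 0xFFFFFFFF
    elif kind == "host":
        base, wc = int(ipaddress.IPv4Address(tokens.pop(0))), 0
    else:
        base, wc = int(ipaddress.IPv4Address(kind)), int(ipaddress.IPv4Address(tokens.pop(0)))
    port = int(tokens.pop(1)) if tokens[:1] == ["eq"] else None
    if port is not None:
        del tokens[0]  # drop the 'eq' keyword itself
    return base, wc, port

def parse_acls(text):
    """Group entries by ACL number, keeping their order (first match wins)."""
    acls = {}
    for t in (line.split() for line in text.splitlines() if line.strip()):
        num, action, proto, rest = int(t[1]), t[2], t[3], t[4:]
        src, dst = _addr(rest), _addr(rest)  # source spec first, then destination
        acls.setdefault(num, []).append((action, proto, src, dst, "established" in rest))
    return acls

def _match(addr, spec):  # Cisco wildcard mask: a set bit means 'don't care'
    return (int(ipaddress.IPv4Address(addr)) | spec[1]) == (spec[0] | spec[1])

def evaluate(acl, pkt):
    """Walk the entries in order; a packet matching none hits the implicit deny."""
    for action, proto, src, dst, established in acl:
        if (proto in ("ip", pkt["proto"])
                and _match(pkt["src"], src) and _match(pkt["dst"], dst)
                and src[2] in (None, pkt.get("sport")) and dst[2] in (None, pkt.get("dport"))
                # `established` only tests the ACK/RST bits; it keeps no connection state
                and (not established or pkt.get("flags", set()) & {"ACK", "RST"})):
            return action
    return "deny"

ACLS = parse_acls(ACL_TEXT)
```

A packet is a dict with proto, src, dst and optionally sport, dport and a flags set, for example evaluate(ACLS[101], {"proto": "icmp", "src": "192.168.1.10", "dst": "192.168.2.10"}) returns "deny", which is why the ping test below fails once ACL 101 is applied.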

Step 3: Verifying and Testing the Configuration

After applying the configuration, it is essential to test the firewall to ensure that the desired traffic is allowed and undesired traffic is denied.

Testing Steps

  1. Ping Test:

    From one of the laptops, attempt to ping the web server (192.168.2.10). Successful responses indicate that basic connectivity is established. Note that ACL 101 as written permits only TCP to ports 80 and 21, so once it is applied ICMP echo requests from the laptops are dropped; run this test before applying the ACLs, or add an explicit ICMP permit entry if ping must keep working.

    ping 192.168.2.10

  2. Web Access Test:

    Open a web browser on either Laptop0 (192.168.1.10) or Laptop1 (192.168.1.11) and navigate to http://192.168.2.10. The web server should respond, confirming that HTTP traffic is permitted.

  3. File Service Test:

    If FTP or file service access is required, conduct a similar test using an FTP client or appropriate utility to verify connectivity to Server1 at 192.168.2.11.

  4. ACL Verification:

    Validate the applied ACL configurations by using:

    show access-lists
    show ip interface GigabitEthernet0/0
    show ip interface GigabitEthernet0/1

    The output should confirm that the ACLs are correctly applied to the respective interfaces.

  5. Logging:

    To further troubleshoot or analyze traffic behavior, add the log keyword to the ACL entries you want to observe, for example the explicit deny at the end of ACL 101. Because entries in a numbered ACL are appended in order, rebuild the list (no access-list 101, then re-enter the entries) so that the logging entry sits where it should match rather than after an entry that already catches the traffic:

    Router(config)# access-list 101 deny ip 192.168.1.0 0.0.0.255 any log

Configuration Overview Table

Component                            Details
Internal Interface                   Interface GigabitEthernet0/0; IP address 192.168.1.1; subnet mask 255.255.255.0
External Interface                   Interface GigabitEthernet0/1; IP address 192.168.2.1; subnet mask 255.255.255.0
ACL for Internal Traffic (Outbound)  ACL number 101. Permits HTTP (port 80) and optionally FTP (port 21) from 192.168.1.0/24 to the corresponding server(s); denies all other traffic.
ACL for External Traffic (Inbound)   ACL number 102. Permits HTTP/FTP response traffic for connections that are already established; denies unsolicited traffic.


Final Testing & Verification

After detailed configuration, carry out comprehensive tests using ping, web browsers, and file access tools. Monitor the router logs to confirm that only the permitted traffic is passing through.

Regularly review the ACL configurations and update them as your network security needs evolve. Effective logging will ensure that any unwanted activity is caught early, and ongoing maintenance of the router configuration will preserve network integrity.


Last updated March 19, 2025