10.8 Context-Based Access Control
10.8.5 Basic configuration
The first time you configure the Cisco IOS Firewall, it is helpful to start with a basic access-list configuration that makes the operation of the firewall easy to understand without compromising security. The basic configuration allows all network traffic from the protected networks access to the unprotected networks, while blocking all network traffic (with some exceptions) from the unprotected networks to the protected networks.

Any firewall configuration depends on your site security policy. If the basic configuration does not meet your initial site security requirements, configure the firewall to meet your policy. If you are unfamiliar with that policy or need help with the configuration, contact your network administration group for assistance.

Use the following guidelines for configuring the initial firewall access lists:

  • Do not configure an access list for traffic from the protected networks to the unprotected networks, meaning that all traffic from the protected networks can flow through the interface.

This helps to simplify firewall management by reducing the number of access lists applied at the interfaces. Of course this assumes a high level of trust for the users on the protected networks, and it assumes there are no malicious users on the protected networks who might launch attacks from the "inside." You can fine-tune network access for users on the protected networks as you gain experience with access-list configuration and the operation of the firewall.

  • Configure an access list that includes entries permitting certain ICMP traffic from unprotected networks.

Although an access list that denies all IP traffic not part of a connection inspected by CBAC seems most secure, it is not practical for normal operation of the router. The router expects to see ICMP traffic from other routers in the network. Additionally, ICMP traffic is not inspected by CBAC, meaning specific entries are needed in the access list to permit return traffic for ICMP commands. For example, a user on a protected network uses the ping command to get the status of a host on an unprotected network; without entries in the access list that permit echo reply messages, the user on the protected network gets no response to the ping command.

Include access-list entries to permit the ICMP messages. (see the main Figure).

  • Add an access-list entry denying any network traffic from a source address matching an address on the protected network.

This is known as antispoofing protection because it prevents traffic from an unprotected network from assuming the identity of a device on the protected network.

  • Add an entry denying broadcast messages with a source address of 255.255.255.255.

This entry helps to prevent broadcast attacks.

  • By default, the last entry in an extended access list is an implicit denial of all IP traffic not specifically allowed by other entries in the access list.

Although this is the default setting, this final deny statement is not shown by default in an access list. Optionally, you can add an entry to the access list denying IP traffic with any source or destination address with no undesired effects.

External Interface

Following are some tips for your access lists when you will be configuring CBAC on an external interface:

  • If you have an outbound IP access list at the external interface, the access list can be a standard or extended access list. This outbound access list should permit traffic that you want to be inspected by CBAC. If traffic is not permitted, it will not be inspected by CBAC, but will be simply dropped.
  • The inbound IP access list at the external interface must be an extended access list. This inbound access list should deny traffic that you want to be inspected by CBAC. (CBAC will create temporary openings in this inbound access list as appropriate to permit only return traffic that is part of a valid, existing session.)

Internal Interface

Following are some tips for your access lists when you will be configuring CBAC on an internal interface:

  • If you have an inbound IP access list at the internal interface or an outbound IP access list at external interface(s), these access lists can be either standard or extended access lists. These access lists should permit traffic that you want to be inspected by CBAC. If traffic is not permitted, it will not be inspected by CBAC, but will be simply dropped.
  • The outbound IP access list at the internal interface and the inbound IP access list at the external interface must be extended access lists. These outbound access lists should deny traffic that you want to be inspected by CBAC. (CBAC will create temporary openings in these outbound access lists as appropriate to permit only return traffic that is part of a valid, existing session.) You do not necessarily need to configure an extended access list at both the outbound internal interface and the inbound external interface, but at least one is necessary to restrict traffic flowing through the firewall into the internal protected network.
  • For complete information about how to configure IP access lists, refer to the "Configuring IP Services" chapter of the Cisco IOS Release 12.0 Network Protocols Configuration Guide, Part 1.