Friday, March 16, 2012

Computer Engineering: Configuring Cisco Router Firewall through Command Prompt


There are several methods for Cisco router firewall configuration including GUI and command lines. Command line commands offer better control over the router and are faster than GUI. Hence, we discuss Cisco router firewall configuration through IOS commands.

Getting to the Command Line Interface

There are a couple of reasons why you may need to perform a Cisco router firewall configuration: you got a new router, or you wish to reconfigure your router. In either case, you will save time if you go for Cisco router firewall configuration through the command line. Another reason command line configuration of Cisco routers is recommended is that the IOS commands are standard across all Cisco models.
Please Note: This article does not cover installation of the router. It deals only with the Cisco router firewall configuration on any operating system that you may be using.

The first thing to do after you have connected your Cisco router is to check whether it already contains any configurations. Some routers come with initial configurations in case you wish to connect them to a network and configure it using remote terminals.

Tip:
 You can use the Windows HyperTerminal to access and troubleshoot any peripheral that plugs into your serial or USB port (example: USB modems, CDMA phones etc.). If you are on Windows, you can use HyperTerminal (Windows Telnet Client). If on Linux, Minicom/Seyon should help. Windows command prompt will NOT support these Cisco IOS commands. In Windows, the HyperTerminal is present under the Start menu -> All Programs -> Accessories -> Communications.
IMPORTANT: Before you turn on HyperTerminal, you need to connect the router to the computer and turn it ON. In case HyperTerminal asks you for the baud rate, set it to 9600.
Once you have the HyperTerminal Window, hit Enter key to see the Cisco router firewall configuration. It will either contain a preset configuration or it will be blank!

If the response is Router >, the router is blank and you need to configure it from scratch.
If there is any preset configuration, you'll get the host name of the router. If you wish to reset it, you can use the Reset button. On most routers, the reset button is available under a small hole on the back side of the device. Use a pencil to press and hold the reset button for 1 minute. This will reset the router to its factory settings. If you are not able to find the reset button, you can use commands to reset the Cisco router. Close the HyperTerminal.
Restart the router. As soon as you turn on the router, the firmware will ask you if you want to start initial configuration. As we intend to use the command line for configuring the Cisco router, you will type NO. Start the HyperTerminal for Cisco router firewall configuration using command line commands.

Basic Cisco IOS Commands

Before you begin Cisco router firewall configuration, you need to enter the privileged mode. You cannot configure the router in the unprivileged mode. You can use it only for commands such as PING and LOGIN. To change to the privileged mode, type the following:

Router> enable

You will notice that the router prompt is now router#, meaning you are now in privileged mode. The privileged mode contains a set of commands to configure the firewall and other components of the network (in case you are using a network). The privileged mode has several sub-modes. You can enter any of the sub-modes to configure a particular component from the router# prompt.
You can easily tell where you are by looking at the prompt. The command prompt displays the sub-mode as router(sub-mode)#. An example is the configuration mode: router(config)#.
To enter the configure mode or any other mode, type router#<sub-mode>. For example, if you wish to enter the configuration mode, type router# Config and press Enter. After applying commands, when you wish to return to the parent mode (the top level), press CTRL+Z or type exit until you reach the router# prompt.
To see which commands are available under any sub-mode, type router(sub-mode)# show ?
The above command will list the Cisco router configuration commands available under that mode.
For Cisco router firewall configuration, you need to designate a DNS and then set restrictions so that unauthorized packets cannot cross the DNS. To achieve this, type the following:

router(config)#ip name-server aaa.bbb.ccc.ddd, where aaa.bbb.ccc.ddd is the IP address of the computer that you wish to set up as DNS. The next step would be to set up a password for the DNS.

Type router(config)#enable secret <yourpassword> and press Enter. It is here that you configure the firewall by determining which IP addresses to allow and which ones to block.
For outgoing, you will use the list of IP numbers for each computer. For incoming connections, you normally check the type of packets. Use access-list command with 101 and 102 to allow outgoing and incoming respectively.

access-list 101 permit ip any any, allows all computers to access the external network;

access-list 101 permit ip host aaa.bbb.ccc.ddd any, allows only the computer with IP address aaa.bbb.ccc.ddd;

access-list 101 deny ip host aaa.bbb.ccc.ddd any, denies outgoing from the computer aaa.bbb.ccc.ddd.

Now we'll configure the Cisco router for incoming connections.

access-list 102 permit icmp any any administratively-prohibited

access-list 102 permit tcp any host <IP of DNS server> eq www

access-list 102 permit tcp any host <IP of DNS server> eq 53

access-list 102 permit udp any host <IP of DNS server> eq 53

Note that the first command will stop access to websites denied by the network administrator.
Press CTRL+Z to save the access-list once you are done with router configuration. Reach the parent mode (router#) using CTRL+Z or by typing exit at each prompt.
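
The steps above as one session, with the access lists also bound to interfaces and the running configuration written to startup. This is an added example, not part of the original article; the addresses (192.0.2.53, 192.168.1.0/24, 192.168.1.50) and the interface names are constructed placeholders.

```cisco
! Added example. Constructed values, not from the article:
!   192.0.2.53       DNS/web server
!   192.168.1.0/24   inside LAN, 192.168.1.50 = one host to block
!   FastEthernet0/0  inside interface, FastEthernet0/1 outside interface
enable
configure terminal
 ip name-server 192.0.2.53
 ! In IOS, "enable secret" sets the password that "enable" asks for
 ! when entering privileged mode.
 enable secret <yourpassword>
 !
 ! Outgoing. Extended lists (100-199) take protocol, source, destination.
 ! IOS checks entries top-down and stops at the first match, so the
 ! deny for a single host goes before the broader permit.
 access-list 101 deny   ip host 192.168.1.50 any
 access-list 101 permit ip 192.168.1.0 0.0.0.255 any
 !
 ! Incoming: ICMP administratively-prohibited messages, web and DNS
 ! traffic to the server.
 access-list 102 permit icmp any any administratively-prohibited
 access-list 102 permit tcp any host 192.0.2.53 eq www
 access-list 102 permit tcp any host 192.0.2.53 eq 53
 access-list 102 permit udp any host 192.0.2.53 eq 53
 ! Anything not matched is dropped by the implicit "deny ip any any".
 ! That includes replies to sessions opened from inside, unless an
 ! entry such as "permit tcp any any established" is added
 ! (not in the article).
 !
 ! An access list filters nothing until it is bound to an interface.
 interface FastEthernet0/0
  ip access-group 101 in
 interface FastEthernet0/1
  ip access-group 102 in
 end
! Verify the entries and which list each interface uses, then write the
! running configuration to startup so it survives a reload.
show access-lists
show ip interface FastEthernet0/1
copy running-config startup-config
```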
NOTE: This article helps you understand the basics of Cisco router firewall configuration using the command line commands. As such, the commands given here are not comprehensive. You can go for advanced configuration if you know the Cisco IOS commands. If you feel uncomfortable with the command line, you can select the GUI option that walks you step-by-step for configuring Cisco router.
