How to Configure a Cisco Router With a Firewallby Travis Wampler
A Cisco router with a software-based firewall offers some of the networking industry's best security features. The configuration of a Cisco router with a firewall is similar to configuration of a router without a firewall. The only addition is the inclusion of security-based commands that restrict access across external interfaces. In either case, configuration is challenging for users not familiar with the Cisco Internetwork Operating System (IOS) and Cisco Command Line Interface (CLI). Therefore, configuration, both custom and standard, should only be attempted by a qualified network administrator.
Configuring a Cisco Router with Cisco IOS Firewall
On the admin workstation, install the terminal emulation software; typically, this is located on your router’s installation CD. If you prefer to use third-party applications, many choices are available for free on the Internet.
Connect the router to the workstation’s available serial COM port by using the RS-232 serial-cable.
On the workstation, start the terminal emulation software. Power on the router; the initial boot sequence will begin. If the router was previously configured, then a prompt will appear, such as “hostname>”; otherwise, on a non-configured router it will state “Router>”.
Type “en” or “enable” at the initial command-line and press “Enter." A password prompt will appear. Enter your password, thereby switching you to privileged mode. Your command prompt will change to “Router#”.
Type “conf t”. Press “Enter”. This will place you in the global configuration mode. Your prompt will change to “Router (config) #”.
Determine if your current router is equipped with IOS Firewall by typing “IP inspect ?”. Press “Enter”. If the router contains the IOS Firewall, a list of commands appears that are specifically designed for firewall configuration. If not, then “% Unrecognized Command” appears. If you need to install the Cisco IOS Firewall, links are provided in the Resource section.
If you need to configure specific interfaces--thereby restricting access and network traffic--type “interface [NAME]”, substituting the name of the configurable interface for [NAME]. Press “Enter.” The command prompt changes to “Router (config-if) #”.
Begin inputting your router’s new configuration. Press “Enter” after each command line entry. Use the link provided in the Resource section of this article to determine which firewall configuration is best for your network needs. In many cases, a network administrator must design a custom configuration due to the intricacy of the network.
After entering all configuration commands, type “CNTL/Z” and press “Enter,” thereby returning the command line to privileged mode.
Type “show IP route” or “show IP arp” and press “Enter.” A list of the IP addresses of network neighbors will be shown, indicating your router is configured correctly and communicating with known neighbors with the new configuration.
At the command prompt, type “show running-config” and press “Enter.” Your new running configuration displays.
Save your new configuration to the router. Type “copy running-config startup-config” and press “Enter.” This will copy your current configuration to your start-up configuration, saving it into the router’s memory.
- It’s always best to alter configuration files on a test router that is not in live production. This prevents any live mistakes.
- Gather all necessary IP and network maps prior to beginning your router configuration, thus creating a faster configuration experience.
- Never alter the configuration of your router without first backing up your existing configuration using TFTP on your admin workstation.
- Never enter the configuration menu of a Cisco router unless you are the network administrator and have knowledge of the network's design.