Cisco SMB Support Assistant

Set Up Internet Security on a Cisco Router



    Step 1:   SMB Support Assistant Site Survey
    Step 2:   Set Up Your 800 or SB 100 Router Hardware
                  Set Up Your 1700 Series Router Hardware
                  Set Up Your 1800 Series Router Hardware
                  Set Up Your 2600 Series Router Hardware
                  Set Up Your 2800 Series Router Hardware
                  Set Up Your 3800 Series Router Hardware
    Step 3:   Download and Install Security Device Manager
    Step 4:   Configure Your Router with Security Device Manager
    Step 5:   Configure Wireless Security on an Integrated Services Router (ISR Only)
    Step 6:   Add or Remove a Wireless User on an Integrated Services Router (ISR Only)
    Step 7:   Set Up an ADSL Internet Connection
                  Set Up an Ethernet Internet Connection
                  Set Up an ISDN Internet Connection
                  Set Up a T1, E1, or Serial Internet Connection
    Step 8:  Set Up Internet Security on a Cisco Router
                      Introduction
                      Requirements
                      Configure Firewall Inspection Rules
                      Add Access Control List Rules
                           Apply an ACL Rule to the Outgoing WAN Interface
                           Apply an ACL Rule to the Incoming LAN Interface
                      Configure Network Address Translation
                           Set Up NAT with Dynamic WAN IP Address
                           Set Up NAT with Static WAN IP Address
                      Next Step
                      Troubleshoot the Procedure
                      Related Information



Introduction

This document explains how to set up Internet Security on your router. The instructions demonstrate how to set up these security measures:

  • Dynamic firewall inspection rules for multimedia applications

  • Access Control List (ACL) rules

  • Network Address Translation (NAT)



Requirements



Configure Firewall Inspection Rules

To configure firewall inspection rules, follow these steps:

  1. Open a web browser and type http://router-IP-address in the Address field. Use the IP address that you entered in the LAN Addressing Worksheet (field L6A). Press Enter to launch SDM.

    Note: For further information about how to launch SDM, refer to Configure Your Router with Security Device Manager.

  2. Click Configure.

  3. Click the Firewall and ACL tab.

  4. Choose Advanced Firewall and click Launch the Selected Task.

  5. Click Next at the Advanced Firewall Configuration Wizard screen.

  6. Select your inside (trusted) and outside (untrusted) interfaces. The outside (untrusted) interface is your Internet connection, and the inside (trusted) interface is your LAN interface. Do not select a DMZ interface.

    Note: The Firewall Wizard automatically creates access control list (ACL) rules to block incoming traffic from non-public IP addresses such as 192.168.0.0, 172.0.0.0, and 10.0.0.0. If your Internet Service Provider (ISP) uses non-public IP addresses inside its network, you need to modify the router ACL rules to allow incoming traffic from private IP address ranges.

    Note: To determine if your ISP uses non-public IP addresses, review the addresses in the ISP Address Assignments section of the Internet Worksheet or contact your ISP.

  7. Click OK to confirm the SDM firewall warning message.

  8. Click Next to use the default Firewall Inspection Rules.

  9. Review the summary of the Firewall inspection rules and click Finish to complete the Wizard. Click OK to confirm the Commands Delivery Status. Click OK again to exit the Wizard.



Add Access Control List Rules

To add Access Control List (ACL) rules to the router for additional security, follow these steps:

Apply an ACL Rule to the Outgoing WAN Interface

To apply an Access Control List (ACL) rule to the outgoing WAN interface, follow these steps:

  1. Click Edit Firewall Policy/ACL.

  2. In the From interface, select your LAN interface and click Go. In the To interface select your WAN interface.

  3. Click Originating Traffic.

  4. Create an ACL rule to block outbound traffic that does not originate from the router WAN IP address.

    1. Click Edit Firewall Policy/ACL.

    2. Next to Services, click Add > Insert After.

    3. Next to Select an action, choose Permit.

    4. Next to Source Host/Network, choose A Host Name or IP Address.

    5. Next to Hostname/IP, enter the Router IP address you entered in the Internet Worksheet (B46).

    6. Next to Destination Host/Network, choose Any IP Address.

    7. Next to Protocol and Service, choose IP.

    8. In IP Protocol, click the details button (...) and select any. Click OK to select the service, and click OK to confirm the rule.

Apply an ACL Rule to the Incoming LAN Interface

To apply an Access Control List (ACL) rule to the incoming LAN interface, follow these steps:

  1. In the From interface, select your LAN interface and click Go. In the To interface select your WAN interface.

  2. Click Returning Traffic.

  3. Create an ACL rule to block traffic from the LAN that does not have a valid LAN IP address.

    1. Next to Services, click Add > Insert After.

    2. Next to Select an action, choose Permit.

    3. Under Source Host/Network, choose A Network.

    4. Next to IP Address, enter the subnet that you entered in the LAN Addressing Worksheet (L1A), and next to Wildcard Mask choose 0.0.0.255.

    5. In Destination Host/Network, choose Any IP Address.

    6. In Protocol and Service, choose IP.

    7. Next to IP Protocol, click the details button (...) and select any. Click OK to select the service, and click OK to confirm the rule.

  4. Create an ACL rule to allow broadcast traffic from the LAN in order to allow DHCP.

    1. Next to Services, click Add > Insert After.

    2. Next to Select an action, choose Permit.

    3. In Source Host/Network, choose A Network.

    4. Next to IP Address, enter the subnet that you entered in the LAN Addressing Worksheet (L1A). Next to Wildcard Mask select 0.0.0.255.

    5. Next to Destination Host/Network, choose Any IP Address and enter 255.255.255.255.

    6. In Protocol and Service, choose IP.

    7. Under IP Protocol, click the details button (...) and select any. Click OK to select the service, and click OK to confirm the rule.

  5. Click Apply Firewall.
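
The rules created in the two procedures above all use the Permit action, yet their purpose is to block traffic: a packet that matches no entry in an ACL is dropped by the implicit deny at the end of the list. The following sketch is an added example, not Cisco code or SDM output; it evaluates both rule sets with IOS wildcard-mask matching. The addresses standing in for worksheet fields B46 and L1A are constructed, and the function names are hypothetical.

```python
import ipaddress

def _u32(addr):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, (s_base, s_wild), (d_base, d_wild) in acl:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")      # 'Any IP Address'

def host(ip):                             # 'A Host Name or IP Address'
    return (ip, "0.0.0.0")

# Constructed worksheet values (assumptions, not taken from the page):
WAN_IP = "203.0.113.10"                   # Internet Worksheet B46
LAN_NET = ("192.168.1.0", "0.0.0.255")    # LAN Addressing Worksheet L1A

# Outgoing WAN interface: permit only the router WAN address as source.
WAN_OUT = [("permit", host(WAN_IP), ANY)]

# Incoming LAN interface: permit LAN sources, then LAN to the broadcast address.
LAN_IN = [
    ("permit", LAN_NET, ANY),
    ("permit", LAN_NET, host("255.255.255.255")),
]

def demo():
    return {
        "wan_router_src": evaluate(WAN_OUT, WAN_IP, "198.51.100.7"),
        "wan_other_src": evaluate(WAN_OUT, "192.168.1.20", "198.51.100.7"),
        "lan_valid_src": evaluate(LAN_IN, "192.168.1.20", "198.51.100.7"),
        "lan_spoofed_src": evaluate(LAN_IN, "10.9.9.9", "198.51.100.7"),
        "lan_broadcast": evaluate(LAN_IN, "192.168.1.20", "255.255.255.255"),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```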



Configure Network Address Translation

Network Address Translation (NAT) uses an internal address scheme to provide additional security for your network. In order to set up NAT, you need to know whether your WAN connection uses a static or dynamic IP address. Refer to the Internet Worksheet (B45, B46) for more information.

Set Up NAT with Dynamic WAN IP Address

To set up NAT with a dynamic WAN IP address, follow these steps:

  1. Click the NAT tab.

  2. Click the Edit NAT Configuration tab.

    Note: If you use the old version of SDM, you cannot view the Edit NAT Configuration screen. Instead, you see the screen shown in step 3.

  3. Click the Designate NAT Interface tab.

  4. Check the Inside (Trusted) and Outside (Untrusted) interfaces and click OK.

    Note: Designate your WAN interface as the outside/untrusted interface.

  5. Click Add to add a new translation rule.

  6. At the Add Address Translation Rule screen, choose Dynamic. Next to Direction, choose From inside to outside.

  7. Click the ACL Rule details button and click Select an existing rule (ACL)....

  8. In the Rules Category box, choose Access Rules.

  9. Select the Access Rule that is used by your FastEthernet or Ethernet interface and click OK.

  10. Go to the Translate to interface area and next to Type choose Interface. Next to Interface choose your WAN interface. Click OK to confirm.

  11. Click File > Write to Startup Config to save your configuration.

Set Up NAT with Static WAN IP Address

To set up NAT with a static WAN IP address, follow these steps:

  1. Click the NAT tab.

  2. Click the Edit NAT Configuration tab.

    Note: If you use the old version of SDM, you cannot view the Edit NAT Configuration screen. Instead, you see the screen shown in step 3.

  3. Click the Designate NAT Interfaces tab.

  4. Check the Inside (Trusted) and Outside (Untrusted) interfaces and click OK.

    Designate the WAN interface you just set up as the outside/untrusted interface.

  5. Click Add to add a new translation rule.

  6. At the Add Address Translation Rule screen, choose Static. Next to Direction, choose From inside to outside.

  7. Under Inside Interface(s), enter the Router IP Address that you entered in the LAN Addressing Worksheet (L6A). Leave the Network Mask blank.

  8. Under Outside Interface(s), enter the Router IP Address you entered in the Internet Worksheet (B46).

  9. Click OK to confirm.

  10. Click File > Write to Startup Config to save your configuration.



Next Step

You have now configured a firewall on your router.

To make further changes to your router, refer to the Router Support Page.

To configure other devices in your network, refer to the Configuration Overview Page.



Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem: You added a new firewall rule and you are unable to access the router.

Cause(s) and Suggested Solution(s): Contact the SMB Technical Assistance Center (SMB TAC) for assistance.



Related Information

Service Requests

  Open a service request
  Update a service request


© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.