UGTS Document #52 - Last Modified: 8/29/2015 3:23 PM
Cisco Firewall Pitfalls
Cisco firewalls can be daunting to configure because their native interface is the IOS command line, which (though it has become the
industry standard) is very complex. This command line interface and the associated configuration file are the underlying way to configure
the equipment: every other interface to the equipment ultimately reduces to this language, and it is the method of choice for Cisco professionals.
However, the IOS command line is not the only interface available. Beginners can use a GUI called the SDM (Security Device Manager). It connects
to the equipment through a web browser and launches a Java program that provides a simpler interface. The complexity is still there, and you
still need to understand the basic concepts, but you don't have to remember command syntax and arguments as you would at the command line.
There are a few things to remember when working with a Cisco firewall:
- Startup vs Running - There is a startup config and a running config. The changes you make during operation affect only the running config
and take effect immediately in the operation of the device. However, the next time you restart the device, the running config is discarded
and replaced with the startup config. So, if you want your changes to persist across a restart, you must save the running config to the startup
config. This is a safety feature: without it, you could add a breaking change to your device and have no easy way to recover. With
the running/startup model, you can at least power cycle the device to do a 'rollback'. The flip side is that if you don't save your changes
to the startup config, you will unintentionally roll them back the next time you restart. This happens a lot, even to professionals: changes
get made but not saved, and three weeks later the device is restarted and suddenly everything is broken. Don't let it happen to you!
Use the Save button in the SDM.
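The same check-and-save cycle from the IOS command line, as an added example that is not part of the original article. The hostname, the device's software version and the exact prompts are constructed; the commands themselves are standard IOS.

```cisco
! Added example (not from the article): make a change, see what is unsaved,
! then persist it. Hostname "Router" / "edge-fw" is constructed.

! Anything typed in configuration mode changes only the running config.
Router# configure terminal
Router(config)# hostname edge-fw
edge-fw(config)# end

! What is live now versus what will be loaded at the next restart.
edge-fw# show running-config
edge-fw# show startup-config

! Only the lines that differ (needs the archive feature, IOS 12.3(4)T or later).
! Anything printed here is exactly what a reload would silently throw away.
edge-fw# show archive config differences nvram:startup-config system:running-config

! Persist the running config. This is what the SDM Save button does for you;
! "write memory" is the older alias of the same command.
edge-fw# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

! Deliberate rollback: reload without saving and the startup config comes back.
edge-fw# reload
```

Run the differences command before walking away from a device: if it prints anything, the startup config is behind, and the next restart will undo those lines.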
- NAT vs ACL - Like a lot of other firewall software (including Wolverine and ISA Server),
Cisco has a NAT list and an Access Control List (ACL). For a server publishing rule to work, it must be defined in BOTH lists, so
that the traffic is first allowed through by the ACL and then the address is translated correctly from a public to a private address.
A common beginner mistake is to define the rule only on the NAT side and then wonder why nothing works: the ACL entry must be present as well.
The big firewall vendors all do it this way because it allows a rule to be
created and defined ahead of time but left in a disabled state in the ACL
until it is needed, which makes adjusting security easier when
the network is under attack.
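What the two halves look like in an IOS configuration, as an added example that is not from the article. The addresses (203.0.113.5 public, 192.168.1.10 internal server), the interface names and the ACL name OUTSIDE-IN are all constructed.

```cisco
! Added example (not from the article): publishing an internal web server.
! Both halves are required; either one alone leaves the service unreachable.

! 1. NAT half: map the public address/port to the internal server.
ip nat inside source static tcp 192.168.1.10 80 203.0.113.5 80

! 2. ACL half: permit the traffic at the outside interface. An inbound ACL is
!    evaluated before translation, so it must match the PUBLIC address.
ip access-list extended OUTSIDE-IN
 remark Published services
 permit tcp any host 203.0.113.5 eq 80
 remark Explicit deny only adds logging; every IOS ACL already ends in implicit deny
 deny ip any any log

! 3. Bind both halves to the interfaces (constructed names and addresses).
interface GigabitEthernet0/0
 description Outside / Internet
 ip address 203.0.113.5 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
interface GigabitEthernet0/1
 description Inside / LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

! To take the service offline without losing the NAT entry, remove just the ACE
! and re-add it later. This is the "defined but disabled" pattern from the text.
! edge-fw(config)# ip access-list extended OUTSIDE-IN
! edge-fw(config-ext-nacl)# no permit tcp any host 203.0.113.5 eq 80

! When "nothing works", these show which half is missing: a translation with
! zero ACL hits means the ACL is dropping it; ACL hits with no translation
! means the NAT entry is missing or wrong.
! edge-fw# show ip nat translations
! edge-fw# show ip access-lists OUTSIDE-IN
```

Two caveats a practitioner should keep in mind: the `log` keyword on the deny entry is what makes blocked requests visible in the firewall log discussed below, and on a router without stateful inspection an inbound ACL on the outside interface also governs the return traffic of connections started from inside, so a bare `deny ip any any` needs the rest of the policy thought through.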
- Logging - Cisco firewalls have internal logging,
but the logs are stored in internal memory and there isn't much of it
available, so the log will eventually wrap around and overwrite its oldest entries.
If you want to view the logs without having to connect to the device,
and you want to store the logs so that you don't lose information,
you'll need to turn on syslogging. The PRTG Network Monitor is a
great tool for Windows Servers to collect and search syslogs; the
free version permits up to 10 sensors. To view the device's
internal logs, launch the SDM and go to Monitor, Logs, Firewall
Log. The firewall log can show you when an ACL entry (or the lack of
one) is causing a request to be blocked. If the device's
internal log has filled up and you want to start over, press the Clear
button on the Syslog tab.
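The CLI side of this item, as an added example that is not from the article: enlarge the local buffer, send a durable copy to a syslog collector, and make the timestamps usable. Because log lines are only worth correlating when the device clock is right, the block also configures NTP, which the next item covers from the SDM side. The collector address 192.168.1.50, the interface name, the timezone and the buffer size are constructed; pool.ntp.org is the server the article names.

```cisco
! Added example (not from the article): local logging, remote syslog and time.

! Timestamps: without this, log lines carry only uptime, which cannot be
! matched against the collector or any other system.
service timestamps log datetime msec localtime show-timezone
clock timezone EST -5
clock summer-time EDT recurring

! Time source. A hostname here needs DNS on the device (ip domain lookup plus
! an ip name-server); otherwise give an IP address.
ntp server pool.ntp.org
ntp update-calendar

! Local buffer: circular and small. A bigger buffer delays wrap-around, it
! does not prevent it, so the remote copy is the one you rely on.
logging buffered 64000 informational

! Remote syslog: send from the inside interface so the collector always sees
! the same source address, and ship at informational so ACL denies are included.
logging source-interface GigabitEthernet0/1
logging host 192.168.1.50
logging trap informational

! Day-to-day checks (exec mode):
! edge-fw# show logging       - buffer contents plus the syslog/trap settings
! edge-fw# clear logging      - wipe the local buffer (the SDM Clear button)
! edge-fw# show ntp status    - confirm the clock is synchronized
! edge-fw# show clock detail  - shows the time and where it came from
```

Syslog from IOS is plain UDP: a lost datagram is a lost line and nothing authenticates the sender, so keep the collector on the inside network and treat the local buffer as the fallback, not the record. Likewise pool.ntp.org offers no authenticated time; if an internal time source is available, prefer it and add `ntp authenticate` with a shared key.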
- System Time - The system time on a Cisco device
(like that of any other computing device) must be synchronized with an external
time source to be correct. The current system time is displayed in the
lower right corner of the SDM windows. To set the
system time manually through the SDM, go to Configure, Additional Tasks, Router
Properties, Date/Time, Change Settings. To configure your Cisco
device to update itself automatically, go to Router Properties,
NTP/SNTP, and add the server hostname 'pool.ntp.org' (or whatever else