UGTS Document #52 - Last Modified: 8/29/2015 3:23 PM
Cisco Firewall Pitfalls

Cisco firewalls can be daunting to configure because they have a command-line interface (IOS) which, though it has become the industry standard, is very complex. This command-line interface and the associated configuration file are the underlying way to configure the equipment - all other interfaces to the equipment ultimately reduce to this language, and it is the method of choice for Cisco professionals.

However, the IOS is not the only interface available. Beginners can use a GUI called the SDM. This connects to the equipment in a web browser, launching a Java program to provide a simpler interface. The complexity is still there, and you still need to understand basic concepts, but you don't have to remember command syntax and functional arguments like you would at the command line.

There are a few things to remember when working with a Cisco firewall:

  • Startup vs Running - There is a startup config and a running config. The changes you make during operation affect only the running config and are visible immediately in the operation of the device. However, the next time you restart the device, the running config is wiped out and replaced with the startup config. So, if you want your changes to persist across a restart, you must save the running config to the startup config. This is a safety feature. Otherwise, you could add a breaking change to your device and then have no easy way to recover. With the running/startup model, you can at least power cycle your device to do a 'rollback'. This model also means that if you don't save your changes to the startup config, you will unintentionally do a rollback the next time you restart. This happens a lot, even to professionals. Changes get made but not saved, and three weeks later the device is restarted and suddenly everything is broken. Don't let it happen to you! Use the Save button in the SDM.
  • NAT vs ACL - Like a lot of other firewall software (including Wolverine and ISA Server), Cisco has a NAT list and an Access Control List (ACL). In order for a server publishing rule to work, it must be defined in BOTH lists, so that the traffic is first allowed through the ACL and then the address is translated correctly from a public to a private address. A common mistake for beginners is to define the rule only on the NAT side and then wonder why nothing works. The ACL entry must be present also. The big firewall vendors all do it this way because it allows a rule to be created and defined ahead of time but left in a disabled state in the ACL except when it is needed. It makes adjustment of security easier when the network is under attack.
  • Logging - Cisco firewalls have internal logging, but the logs are stored in internal memory and there isn't much of it available. The logs will eventually wrap around and overwrite themselves. If you want to view the logs without having to connect to the device, and you want to store the logs so that you don't lose information, you'll need to turn on syslogging. The PRTG Network Monitor is a great tool for Windows Servers to collect and search syslogs. The free version permits up to 10 sensors. If you want to view internal device logs, launch the SDM and go to Monitor, Logs, Firewall Log. The firewall log can show you when an ACL (or the lack of an ACL entry) is causing a request to be blocked. If your device's internal log has filled up and you want to start over, press the Clear button on the Syslog tab.
  • System Time - The system time on a Cisco device (like any other computing device) must be synchronized with an external time source to be correct. The system time is displayed in the lower right corner of the SDM windows. To manually update the system time through the SDM, go to Configure, Additional Tasks, Router Properties, Date/Time, Change Settings. To configure your Cisco device to update itself automatically, go to Router Properties, NTP/SNTP, and add the server hostname 'pool.ntp.org' (or whatever else you prefer).
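The four pitfalls above map onto a handful of IOS configuration lines. The following fragment is an added example, not part of the original document: it publishes an internal HTTPS server with both the ACL and the NAT entry, forwards logs to a syslog collector, sets an NTP source, and finishes with the save step. All addresses and interface names are constructed (RFC 5737 documentation ranges); substitute your own.

```cisco
! Constructed addresses (RFC 5737 documentation ranges): 203.0.113.5 is the
! public address on the outside interface, 10.0.0.10 the internal web server,
! 10.0.0.20 a syslog collector such as PRTG, 10.0.0.53 an internal DNS server.
!
! 1. Interfaces: mark the NAT inside/outside sides and bind the inbound ACL.
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 203.0.113.5 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
interface GigabitEthernet0/1
 description INSIDE
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! 2. ACL side of the publishing rule. Inbound ACLs are evaluated before NAT,
!    so the entry permits traffic to the PUBLIC address, not the private one.
!    Leaving this entry out is the "NAT only" mistake described in the text;
!    the trailing deny with "log" is what shows the blocked request in the log.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.5 eq 443
 deny   ip any any log
!
! 3. NAT side of the publishing rule: public 203.0.113.5:443 -> 10.0.0.10:443
ip nat inside source static tcp 10.0.0.10 443 203.0.113.5 443 extendable
!
! 4. Send logs off-box so they survive the small internal buffer wrapping.
logging buffered 16384 informational
logging trap informational
logging host 10.0.0.20
service timestamps log datetime msec localtime show-timezone
!
! 5. Time: a hostname in "ntp server" needs DNS resolution on the device.
ip name-server 10.0.0.53
ntp server pool.ntp.org
!
! 6. Persist: without this the change is silently rolled back at the next
!    reboot. Run from privileged EXEC, not from configuration mode.
! copy running-config startup-config
```

To confirm each piece is actually taking effect, `show access-lists OUTSIDE-IN` shows per-entry hit counters, `show ip nat translations` shows the static mapping, `show ntp status` reports whether the clock is synchronized, and `show logging` confirms the syslog host and trap level.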