Zone Based Firewall – ZBFW Using CCP

Implementing zone-based firewall with DMZ using CCP

Implementing a zone-based firewall using CCP comes with a lot of benefits, such as the simplicity of a guided wizard compared to the command-line interface.

 

To begin, go to the Configure tab (the one with the big gear icon). Expand the Security folder and click Firewall and ACL. You should now see the Basic and Advanced firewall options. Select Advanced Firewall and click Launch the selected task.

The Firewall Wizard should appear, and you can read through the description and features of the advanced firewall. Click Next after reading.

Assign each interface to the correct zone and click Next. If you want to access CCP from outside the network, tick Allow secure Cisco CP access from outside interfaces.

Click Next after verifying the settings. If you did not tick Allow secure Cisco CP access from outside interfaces, you will be warned that access from outside will be denied once the firewall wizard completes. Click OK.

On this page, we’ll be able to add the services that we’re hosting in the DMZ zone that we want people from outside the network to connect to. In our case, we have a web server.

Click Add and enter the IP address or address range of the web server. Select TCP or UDP and enter the service being hosted. For a web server, we add http and https.

Click Next after verifying the settings.

On the next page, we can select the level of security that we want to implement on the firewall.

For High Security

  • The router identifies inbound and outbound Instant Messaging and Peer-to-Peer traffic and drops it.
  • The router checks inbound and outbound HTTP traffic and e-mail traffic for protocol compliance, and drops noncompliant traffic.
  • Returns traffic for other TCP and UDP applications if the session was initiated inside the firewall.
  • Choose this option if you want to prevent use of these applications on the network.

For Medium Security

  • The router identifies inbound and outbound Instant Messaging and Peer-to-Peer traffic, and checks inbound and outbound HTTP traffic and e-mail traffic for protocol compliance.
  • Returns TCP and UDP traffic on sessions initiated inside the firewall.
  • Choose this option if you want to track use of these applications on the network.

For Low Security

  • The router does not identify application-specific traffic. Returns TCP and UDP traffic on sessions initiated inside the firewall.
  • Choose this option if you do not need to track use of these applications on the network.

Select the level of security according to your needs. For my case, I’m going to go with the medium level as I would like to monitor some of the application usage of the users inside the network.

Click on Preview Commands and verify the configurations that will be sent to the router.

Click Next.

Enter the IP address of the DNS Server and click Next.

Verify the summary and click Finish.

Tick Save running config. to device's startup config to save the configuration to NVRAM, then click Deliver.
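The Preview Commands step shows the IOS commands CCP will deliver. The following is an added, hand-written equivalent of the zone, class-map, policy-map and zone-pair configuration for the outside-to-DMZ web server rule and the inside-to-outside return-traffic rule; it is not the wizard's exact output, it omits the application-level (HTTP compliance, IM/P2P) inspection the security level adds, and the interface names, zone names, policy names and the address 192.0.2.10 are assumptions.

```cisco
! Constructed example: CLI equivalent of the wizard's zone/DMZ rules.
! Interface, zone and policy names and 192.0.2.10 are assumed, not from the page.
ip access-list extended DMZ-WEB-SERVER
 permit ip any host 192.0.2.10
!
! One security zone per network; each interface belongs to exactly one zone.
zone security in-zone
zone security out-zone
zone security dmz-zone
!
interface GigabitEthernet0/0
 zone-member security in-zone
interface GigabitEthernet0/1
 zone-member security out-zone
interface GigabitEthernet0/2
 zone-member security dmz-zone
!
! Outside -> DMZ: only HTTP/HTTPS to the web server host is inspected (stateful
! allow). Nested match-any inside match-all = "that host AND (http OR https)".
class-map type inspect match-any WEB-PROTOCOLS
 match protocol http
 match protocol https
class-map type inspect match-all OUT-DMZ-WEB
 match class-map WEB-PROTOCOLS
 match access-group name DMZ-WEB-SERVER
policy-map type inspect OUT-DMZ-POLICY
 class type inspect OUT-DMZ-WEB
  inspect
 class class-default
  drop log
zone-pair security out-to-dmz source out-zone destination dmz-zone
 service-policy type inspect OUT-DMZ-POLICY
!
! Inside -> outside: inspect TCP/UDP/ICMP so only return traffic for sessions
! started inside comes back. No out-to-in zone-pair exists, so unsolicited
! inbound traffic toward the LAN is dropped by default.
class-map type inspect match-any IN-OUT-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-TRAFFIC
  inspect
 class class-default
  drop
zone-pair security in-to-out source in-zone destination out-zone
 service-policy type inspect IN-OUT-POLICY
```

After delivery, show zone-pair security and show policy-map type inspect zone-pair sessions confirm the zone-pair bindings and the sessions being inspected. Management traffic to the router itself (such as CCP access from outside) is governed by the separate self zone, which this example does not configure.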

Posted on February 26, 2014, in Security - CCNA / CCNP Security.
