Home > Articles > Certification > Cisco Certification > CCNP Security / CCSP

  • Print
  • + Share This
This chapter is from the book

Configuration Tasks

The majority of the tasks that you perform in Firewall MC involves configuration tasks. Configuration settings control individual features of a firewall device. When defining these settings, you can apply them either to a specific firewall or to all of the firewalls in a group by selecting a group instead of an individual firewall. The scope of the changes that you make depends on the object that you select using the Object Selector before making the configuration changes (see the section entitled “Object Selector” earlier in this chapter). These tasks can be broken down into the following categories, each of which is discussed in detail in this section:

  • Configuring device settings

  • Defining access rules

  • Defining translation rules

  • Creating building blocks

  • Generating and viewing configuration information

Configuring Device Settings

Through the Firewall MC, you can configure many device-specific properties on your managed firewalls. Following are the majority of the device settings that you can configure through Firewall MC:

  • PIX operating system version

  • Interfaces

  • Failover

  • Routing

  • PIX Firewall administration

  • Logging

  • Servers and services

  • Advanced security

  • Firewall MC controls

One common task is changing the properties of the interfaces on the firewalls managed by the Firewall MC software. If you configure a firewall using Setup, it configures only the inside interface. Before you can define the access or translation rules, you must configure the rest of the interfaces on the firewall.

Defining Access Rules

Access rules, which control the traffic that flows through your firewall, are used to define your network security policy. Each access rule is a member of an order list of rules that Firewall MC stores in a table. Rules are processed from first to last. A firewall uses the first matching rule to determine whether the traffic is permitted or denied.

You can configure the following three types of access rules (see Figure 14-10):

  • Firewall rules

  • Authentication, authorization, and accounting (AAA) rules

  • Web filter rules

Figure 10Figure 14-10 Access Rules

In Firewall MC, you can view a list of access rules that spans all of the different interfaces (see Figure 14-10). Each access rule shown is converted into a single entry in an access control list (ACL) on a specific interface for the managed firewall.

Defining Translation Rules

Translation rules enable you to configure and view the address translations that you are using on the network. You can configure the following types of translation rules using Firewall MC:

  • Static translation rules

  • Dynamic translation rules

  • Translation exception rules (NAT 0 ACL)

NOTE

Firewall MC supports both Network Address Translation (NAT) and Port Address Translation (PAT).

Static translation rules permanently map an internal IP address to a publicly accessible global IP address. These rules assign a host on a higher-security-level interface to a global IP address on a lower-security interface. This enables the hosts from the lower-security zone to communicate with the host from the higher-security zone. Figure 14-11 shows a static translation rule that assigns the local address of a protected host (10.10.10.20/32 on the inside interface) to a global address (192.168.10.20/32 on the outside) that is accessible by external systems.

Figure 11Figure 14-11 Static Translation Rules

Unlike static translation rules, dynamic translation rules do not permanently map an internal IP address to a global IP address. These rules dynamically map an internal IP address to a global IP address from a pool of IP addresses when using NAT or to a single IP address when using PAT. Figure 14-12 shows a dynamic translation rule that translates traffic from any address on the inside interface to a global address using the address translation pool named public for outbound traffic.

Figure 12Figure 14-12 Dynamic Translation Rules

Before you can configure a dynamic translation rule, however, you need to define the appropriate address translation pool. This pool identifies which addresses can be temporarily associated with outbound traffic from a specific internal host. For more information on address translation pools, refer to the following section, “Creating Building Blocks.”

Creating Building Blocks

Building blocks enable you to optimize your configuration. Building blocks define groups of objects such as hosts, protocols, or services. You can then issue a command that affects every item in the group by specifying the name of the group. Basically, you can use the names of the building blocks in place of corresponding data values when configuring device settings or defining rules. You can configure the following types of building blocks, each of which is described within this section:

  • Network objects

  • Service definitions

  • Service groups

  • AAA server groups

  • Address translation pools

Network Objects

Network objects enable you to group a range of network addresses specified by an IP address and a network mask. These network objects can then be used in access rules and translation rules. In Figure 14-13, the network object named DMZ is associated with the Class C network 172.16.10.0/24.

Figure 13Figure 14-13 Network Objects

You can use DMZ in access and translation rules by clicking the Select button whenever you normally specify an IP address (see Figure 14-14). The Selecting Network Objects window is displayed (see Figure 14-15). To use one of the list objects, click the object name, and then click Select=> to move the name to the Selected Objects column.

Figure 14Figure 14-14 Creating a Static Translation Rule

Figure 15Figure 14-15 Selecting Network Objects

Service Definitions

Service definitions enable you to define objects that associate IP protocols, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) source and destination ports, and Internet Control Message Protocol (ICMP) message types with a specific name (see Figure 14-16). These service definitions are then used in firewall device protocol groups, service groups, and ICMP-type groups, respectively.

Figure 16Figure 14-16 Service Definitions

Similar to other building blocks, you can use service definitions whenever you would normally specify a service (such as defining firewall rules) by clicking the Add button. This opens the Selecting Services window (see Figure 14-17), enabling you to select the appropriate service definition.

Figure 17Figure 14-17 Selecting Services

Service Groups

Service groups enable you to define objects that associate a name with a group of service definitions (see Figure 14-18). For instance, you can create a service group that permits both HTTPS and Secure Shell (SSH) traffic.

Figure 18Figure 14-18 Service Groups

AAA Server Groups

AAA server groups enable you to define separate groups of Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS) servers that are used for different types of traffic. Traffic will attempt to authenticate with the fist server in the AAA server group. If this server is inaccessible, the next server in the group is tried.

NOTE

You can define 14 AAA server groups, each containing 14 distinct AAA servers, supporting a total of 196 AAA servers.

Address Translation Pools

Address translation pools enable you to associate a name with a group of addresses that will be used to create dynamic address translations for outbound traffic. When defining an address translation pool, you need to specify the parameters shown in Table 14-6.

Table 14.6 Address Translation Pool Parameters

Parameter

Description

Pool Name

Name used when applying the pool to a dynamic translation rule.

Interface

Logical name of the interface where the pool will be used.

PAT: Use interface address for closing PAT Check Box

Select this check box to indicate that the IP address of the interface will be used as the PAT address when all of the other addresses in the pool have been used.

Address Range(s)/Mask (optional)

Set of addresses (in addition to the interface address) that will be used for dynamic translations.


For address translation pools, PAT is used when you have more internal addresses than external addresses. The firewall automatically uses the last available address to perform PAT. If you select the PAT check box (see Figure 14-19) when defining the address translation pool, after all of the addresses in the pool are used, the interface address is used for PAT.

Figure 19Figure 14-19 Defining an Address Translation Pool

Generating and Viewing Configuration Information

Selecting Configuration > View Config > Generate Config allows you to generate the configuration for a specific device. The Scope bar indicates for which device the configuration will be generated. Once the configuration is generated, you can then view the information in the content area (see Figure 14-20).

Figure 20Figure 14-20 Viewing Generated Configuration

MC Settings

Selecting Configuration > MC Settings allows you to control how Firewall MC operates when it discovers commands configured outside of Firewall MC or unsupported and error commands imported into Firewall MC. It also identifies the directories in which imported and deployed configurations will be placed.

When configuring the MC settings, you have the following options:

  • Management

  • Deployment

  • Import

  • Feature Tracking

  • Object Grouping

NOTE

When configuring the AUS, you use the Deployment option to redirect configuration updates to the AUS instead of sending them directly to the managed device.

  • + Share This
  • 🔖 Save To Your Account