Saturday, November 27, 2010

Using Firewall Builder To Configure Router Access Lists - PT 1

Firewall Builder is a firewall configuration and management GUI that supports configuring a wide range of firewalls from a single application. Supported firewalls include Linux iptables, BSD pf, Cisco ASA/PIX, Cisco router access lists and many more. The complete list of supported platforms along with downloadable binary packages and soure code can be found at
This tutorial is the first in a series of howtos that will walk through the basic steps of using Firewall Builder to configure each of the supported firewall platforms. In this tutorial we will configure Access Control Lists (ACL) on a Cisco router.
The diagram below shows a simple 2 interface router configuration with the router acting as a gateway to the Internet for a private LAN network.

We will use Firewall Builder to implement the following basic rules as access lists on the router.
  • Allow inside traffic ( through the router to any Internet address for the HTTP and HTTPS protocols
  • Allow inside traffic ( through the router to a specific IP address ( for the POP3 protocol.
  • Allow inside traffic ( to the router's inside interface (FastEthernet0/1) for the SSH protocol.
  • Block all incoming traffic to the rotuer's outside interface FastEthernet0/0.
Note that Cisco router access lists have an implicit deny all at the end of every access list, so anything that we do not setup a rule to explicitly permit will be denied.
The NAT configuration on the router is as follows:
interface FastEthernet0/0
ip nat outside

interface FastEthernet0/1
ip nat inside

access-list 1 permit

ip nat inside source list 1 interface FastEthernet0/0 overload

Step 1: Create Network Objects

We are going to start by creating the objects that will be used in the rules. Firewall Builder includes hundreds of predefined objects, including most standard protocols, so to implement the rules above we will only need to create the objects that are specific to our network. For our rules this means we need to create objects for the internal network and for the POP3 server with an IP address of
Click here to find out more!


No comments:

Post a Comment