Chapter 5. Troubleshooting an IOS Firewall

In addition to its primary role of routing, a router can provide security to the perimeter of the network. And depending on how you deploy it, a router can provide security to an intranet between different departments, or to an extranet between partners.

Routers provide several security services, which are commonly known as the IOS firewall feature set. The most important component of the IOS Firewall feature set is the Advanced Firewall Engine called Context-Based Access Control (CBAC), which turns a router into an effective enterprise-class firewall (FW). So, the primary focus of this chapter is CBAC, and how it interoperates with other security features such as auth-proxy, Network Address Translation (NAT), Port to Application Mapping (PAM), and so on. Cisco IOS Intrusion Prevention System (IPS), another important security feature of Cisco IOS firewall feature set that works in conjunction with CBAC, is discussed in greater detail in Chapter 16, "Troubleshooting Cisco IDS Network Module (NM-CIDS)," and is therefore not discussed here. The Case Study section looks into a rarely used IOS firewall feature called auth-proxy, which can work in conjunction with CBAC to provide user authentication of the traffic going through the firewall (the user-based firewall feature). This chapter covers all aspects of troubleshooting tools and techniques that are required to troubleshoot any issues pertaining to CBAC, followed by the Common Problems and Resolutions. The chapter concludes with best practices for implementing CBAC.