Cisco IOS ACL to JunOS Firewall filters

From The sin within

Goal

To explain how IOS access lists can be transformed into JunOS firewall filter rules.

Prerequisites

Working knowledge of Cisco IOS access lists and a general understanding of how packet filters work.

HowTo

We'll take the following example:

access-list 101 permit ip host 192.168.0.1 any
access-list 101 permit ip host 192.168.0.2 any
access-list 101 permit ip host 192.168.0.3 any
access-list 101 deny   ip any any

interface FastEthernet5/0
 ip address 192.168.0.10 255.255.255.0
 ip access-group 101 in
 duplex full
end

Translated to JunOS, it would look like this (the trailing `deny ip any any` needs no term of its own: a JunOS filter, like an IOS access list, discards whatever matches none of its terms):

[edit firewall family inet]
# show
filter first-junos-filter {
    term permit-trusted-sources {
        from {
            source-address {
                192.168.0.1/32;
                192.168.0.2/32;
                192.168.0.3/32;
            }
        }
        then accept;
    }
}
[edit interfaces fe-5/0/0]
# show
unit 0 {
    family inet {
        filter {
            input first-junos-filter;
        }
        address 192.168.0.10/24;
    }
}

In JunOS, unlike with IOS access lists, you can apply more than one filter to an interface. This way you can write partial filters that are combined into one filter list, which JunOS compiles into the firewall rules applied to the selected interfaces.

Like IOS, JunOS also supports filters that pass established TCP sessions (in both cases the match is on the ACK/RST flags of the segment, not on tracked connection state). One such filter can look like this:

IOS:

access-list 102 permit tcp any any established
access-list 102 permit tcp 172.16.0.0 0.0.0.255 any eq 22

JunOS:

[edit firewall family inet]
# show
filter stateful-tcp {
    term allow-established {
        from {
            protocol tcp;
            tcp-established;
        }
        then accept;
    }
    term allow-ssh {
        from {
            source-address {
                172.16.0.0/24;
            }
            protocol tcp;
            destination-port ssh;
        }
        then accept;
    }
}
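As an added example (not part of the original article), the translation rules applied above written out as a small Python script: it parses the numbered-ACL syntax the article uses (`host`, `any`, wildcard masks, destination `eq`, `established`) and emits one JunOS term per entry in the original order, so wildcard masks are converted mechanically rather than by eye. It models only a destination-port `eq` and rejects any keyword it does not understand; `ios_addr`, `parse_ace`, `to_junos` and `ACL_102` are names chosen here.

```python
import ipaddress

def ios_addr(tokens):
    """Consume one IOS address ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'); return CIDR or None."""
    tok = tokens.pop(0)
    if tok == "any":
        return None                                  # 'any' needs no JunOS match condition
    if tok == "host":
        return tokens.pop(0) + "/32"
    # IOS wildcard bits are the inverse of a netmask: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return str(ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False))

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [established]' (destination eq only)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line!r}")
    rest = t[4:]
    ace = {"action": t[2], "proto": t[3], "src": ios_addr(rest), "dst": ios_addr(rest),
           "port": None, "established": False}
    while rest:                                      # trailing qualifiers after the destination
        tok = rest.pop(0)
        if tok == "eq":
            ace["port"] = rest.pop(0)                # numeric ports are legal in JunOS (22 == ssh)
        elif tok == "established":
            ace["established"] = True
        else:                                        # refuse to silently drop anything we don't model
            raise ValueError(f"unsupported keyword {tok!r} in {line!r}")
    return ace

def to_junos(name, acl_lines):
    """Render the ACL as one JunOS 'family inet' filter: one term per entry, original order kept."""
    out = [f"filter {name} {{"]
    for i, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        conds = [c for ok, c in ((ace["src"], f"source-address {{ {ace['src']}; }}"),
                                 (ace["dst"], f"destination-address {{ {ace['dst']}; }}"),
                                 (ace["proto"] != "ip", f"protocol {ace['proto']};"),
                                 (ace["port"], f"destination-port {ace['port']};"),
                                 (ace["established"], "tcp-established;")) if ok]  # constrained fields only
        out.append(f"    term entry-{i} {{")
        if conds:  # 'deny ip any any' becomes a bare 'then discard;' term, which JunOS accepts
            out += ["        from {"] + [f"            {c}" for c in conds] + ["        }"]
        out.append(f"        then {'accept' if ace['action'] == 'permit' else 'discard'};")
        out.append("    }")
    return "\n".join(out + ["}"])

# Constructed sample: the article's access-list 102, with the SSH source written as a /24
ACL_102 = ["access-list 102 permit tcp any any established",
           "access-list 102 permit tcp 172.16.0.0 0.0.0.255 any eq 22"]
```

Running `print(to_junos("stateful-tcp", ACL_102))` produces a filter equivalent to the one shown above, with generic term names and the port rendered as `22`.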

For this example's sake, we'll add another filter to the mix:

filter second-junos-filter {
    term deny-bad-sources {
        from {
            source-address {
                192.168.29.1/32;
                192.168.30.2/32;
                192.168.31.3/32;
            }
        }
        then discard;
    }
}

Now, let's combine the three filters into one filter list that will be applied to the interface:

[edit interfaces fe-5/0/0]
# show
unit 0 {
    family inet {
        filter {
            input-list [ second-junos-filter first-junos-filter stateful-tcp ];
        }
        address 192.168.0.10/24;
    }
}

In this example we combined three firewall filters into one logical filter that was then applied inbound on an interface. The filters in the list are evaluated in order: a packet that matches no term in one filter is handed to the next, and the implicit discard applies only after the last filter, which is why the deny filter is placed first. This kind of granularity lets an operator maintain a clear and ordered set of filters for different kinds of access, such as:

  • allowed inbound protocols to the router
  • allowed subnets or hosts
  • denied subnets or hosts

each kept in a separate filter that can be updated without touching the rest of the firewall filters.

Acknowledgements

This article is based on: