Firewall rule help on Cisco 837?

Nov 10th, 2007

Hi, I have this config on my Cisco 837, is it secure from the "outside" world? I can't see any rules that block anyone accessing my network, can you? I want the inside to have full access to the outside world, but the outside to have no access into my network.


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ADSL
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password 7 ****
!
no aaa new-model
!
resource policy
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool client
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.100
 dns-server 190.x.x.197 187.186.189.16
 lease 0 2
!
!
no ip cef
!
!
!
username *** password ***
!
!
!
!
!
interface Ethernet0
 ip address 192.168.2.100 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip unreachables
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 cdp enable
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ***
 ppp chap password ***
 ppp pap sent-username *** password ***
 ppp ipcp dns request
 ppp ipcp wins request
!
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
!
logging trap debugging
logging facility local4
logging source-interface Ethernet0
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
end



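The question above is "what in this config blocks inbound traffic?", and the honest answer is that nothing does except the NAT table: Dialer1 has no `ip access-group ... in`, no `ip inspect` is applied anywhere, and `line vty 0 4` accepts telnet and ssh with no `access-class`, so the router's own management ports are reachable from the Internet on the negotiated Dialer1 address. The script below is an added example written for this thread, not Cisco tooling, that checks those points mechanically. It assumes `show running-config` layout (sub-commands indented by one space, which the paste above lost), and the two config strings are constructed: one modelled on the posted config with the same masked values, the other a hardened variant the audit should pass. The checks go a little beyond the posted config (vty `access-class`, `enable secret`) since those are what a reviewer would look for on any Internet-facing IOS box.

```python
"""Static audit of a Cisco IOS config for inbound exposure.

Hypothetical helper written for this thread, not Cisco code. Assumes the
`show running-config` layout: sub-commands indented by one space.
"""
import re

# Constructed excerpt modelled on the posted 837 config (masked values kept as posted).
SAMPLE_CONFIG = """\
enable password 7 ****
!
interface Ethernet0
 ip address 192.168.2.100 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed hardened variant: inspect on the LAN side, deny-all inbound on Dialer1,
# vty restricted to the LAN and ssh only, enable secret instead of enable password.
HARDENED_CONFIG = """\
enable secret 5 ****
ip inspect name outbound tcp
!
interface Ethernet0
 ip nat inside
 ip inspect outbound in
!
interface Dialer1
 ip nat outside
 ip access-group inbound_acl in
!
ip access-list extended inbound_acl
 deny ip any any log
!
access-list 10 permit 192.168.2.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""


def parse_blocks(config):
    """Split IOS config text into (header, [sub-commands]); '!' lines are separators."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith('!'):
            continue
        if raw[0] in ' \t' and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of findings; an empty list means these checks found no exposure."""
    sections = dict(parse_blocks(config))
    headers = list(sections)
    findings = []

    outside = [h for h, b in sections.items() if h.startswith('interface ') and 'ip nat outside' in b]
    inside = [h for h, b in sections.items() if h.startswith('interface ') and 'ip nat inside' in b]

    # 1. Every Internet-facing (nat outside) interface needs an inbound ACL.
    for h in outside:
        if not any(re.fullmatch(r'ip access-group \S+ in', l) for l in sections[h]):
            findings.append(f"{h.split()[1]}: no inbound access-group; unsolicited traffic "
                            "to the public address is not filtered")

    # 2. Stateful inspection must sit on the inside->outside path (either interface works).
    inspected = (any(re.fullmatch(r'ip inspect \S+ out', l) for h in outside for l in sections[h])
                 or any(re.fullmatch(r'ip inspect \S+ in', l) for h in inside for l in sections[h]))
    if not inspected:
        findings.append("no ip inspect on the inside-to-outside path; only the NAT table "
                        "distinguishes replies from new inbound connections")

    # 3. Management plane: vty reachable from anywhere, and telnet means cleartext credentials.
    for h, body in sections.items():
        if not h.startswith('line vty'):
            continue
        if not any(re.fullmatch(r'access-class \S+ in', l) for l in body):
            findings.append(f"{h}: no access-class; remote logins accepted from any source address")
        for l in body:
            if l.startswith('transport input '):
                protos = l.split()[2:]
                if 'telnet' in protos or 'all' in protos:
                    findings.append(f"{h}: transport input permits telnet (credentials sent in clear text)")

    # 4. 'enable password' (type 7 is reversible) instead of a hashed 'enable secret'.
    if any(h.startswith('enable password') for h in headers) and \
            not any(h.startswith('enable secret') for h in headers):
        findings.append("enable password used without enable secret (type 7 encoding is reversible)")
    return findings


if __name__ == '__main__':
    for label, cfg in (('posted', SAMPLE_CONFIG), ('hardened', HARDENED_CONFIG)):
        result = audit(cfg)
        print(f'--- {label}: {len(result)} finding(s)')
        for f in result:
            print(' -', f)
```

Run against the posted excerpt the audit reports five findings (no inbound ACL on Dialer1, no inspection, open vty, telnet enabled, enable password); against the hardened variant it reports none. The parser is deliberately minimal: it only understands the one-space indentation of `show running-config`, so paste the config from the router rather than from a web form that strips leading spaces.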
whiteford Sun, 11/11/2007 - 02:03
Thanks, what exactly is my current config doing to block external traffic?


Do I need to add a deny inbound to all traffic to stop hackers?

thotsaphon Sun, 11/11/2007 - 02:22
Hi Andy

I'm not 100% sure your IOS supports the firewall functions. If it does, then I would recommend you do a *firewall* on it. As per your requirement, you can "inspect" the traffic you want to allow from inside to outside and then "deny all" from outside to inside. That's why I recommend the "inspect" functions: they are stateful.


Please check this link out!

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml


Hope this helps

Thot



whiteford Sun, 11/11/2007 - 02:56
Thanks, the 837 has a full firewall feature.


Are the inspect rules from inside to outside like allow rules then? If so, I take it I would allow http, https, dns?


e.g.

! Stateful inspection rules for traffic originated on the LAN
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
!
! Inbound on Dialer1: drop everything the inspect rules have not opened
ip access-list extended inbound_acl
 deny ip any any
!
interface Dialer1
 ip access-group inbound_acl in
!
! Inspect traffic entering from the LAN so its replies are let back in through inbound_acl
interface Ethernet0
 ip inspect outbound in
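
Why the `deny ip any any` above does not break browsing, and what the posted NAT-only config was actually relying on, is easiest to see by stepping packets through the two designs. The model below is an added example written for this thread, not IOS code, and it covers both the stateful-inspection description two posts up and the inspect/deny-all snippet just above. It models only TCP and UDP, a single NAT-overload pool on Dialer1, and the order IOS uses on the outside interface: inbound ACL (with CBAC's dynamic openings checked first) and then NAT. The addresses are constructed documentation ranges, not the poster's real ISP address; `Router837`, `Packet` and `run_scenario` are names invented for the example.

```python
"""Model of CBAC ('ip inspect') + deny-all inbound ACL + NAT overload on an 837.

Hypothetical code for this thread, not IOS. TCP/UDP only; ICMP is left out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # 'tcp' or 'udp'
    src: str
    sport: int
    dst: str
    dport: int


class Router837:
    """Dialer1 is the NAT outside (Internet) side, Ethernet0 the NAT inside (LAN) side."""

    def __init__(self, public_ip, inspect=(), deny_all_inbound=False):
        self.public_ip = public_ip                 # address negotiated on Dialer1
        self.inspect = set(inspect)                # protocols under 'ip inspect name outbound ...'
        self.deny_all_inbound = deny_all_inbound   # 'ip access-group inbound_acl in' = deny ip any any
        self.pat_out = {}     # (proto, inside ip, inside port) -> public port
        self.pat_in = {}      # (proto, public port) -> (inside ip, inside port)
        self.sessions = set() # CBAC state: (proto, public ip, public port, remote ip, remote port)
        self.next_port = 1024

    def inside_to_outside(self, pkt):
        """Packet enters Ethernet0 ('ip inspect outbound in'), then leaves Dialer1 via NAT
        overload. Returns the packet as seen on the Internet side."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.pat_out:
            self.pat_out[key] = self.next_port
            self.pat_in[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        public_port = self.pat_out[key]
        if pkt.proto in self.inspect:
            # CBAC keys the session on the translated (global) tuple, because that is what
            # the inbound ACL on Dialer1 sees when the reply arrives.
            self.sessions.add((pkt.proto, self.public_ip, public_port, pkt.dst, pkt.dport))
        return Packet(pkt.proto, self.public_ip, public_port, pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt):
        """Packet arrives on Dialer1 addressed to the public IP.
        Returns (verdict, reason); verdict is 'drop', 'forward' or 'router'."""
        # Step 1: inbound ACL, with CBAC's dynamic openings evaluated ahead of the static entries.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            reason = 'matched inspect session'
        elif self.deny_all_inbound:
            return 'drop', 'inbound_acl: deny ip any any'
        else:
            reason = 'no inbound ACL on Dialer1'
        # Step 2: NAT. A translation sends the packet to the LAN host; with none, the packet
        # is for the router itself (its vty lines, for example).
        inside = self.pat_in.get((pkt.proto, pkt.dport))
        if inside:
            return 'forward', f'{reason}; NAT -> {inside[0]}:{inside[1]}'
        return 'router', f'{reason}; no translation, delivered to the router itself'


def run_scenario(router):
    """Constructed traffic: a reply to LAN-originated HTTP, then two unsolicited probes
    against the public address (tcp/23 and tcp/80). Returns the three verdicts."""
    out = router.inside_to_outside(Packet('tcp', '192.168.2.20', 40000, '203.0.113.10', 80))
    reply = Packet('tcp', '203.0.113.10', 80, out.src, out.sport)
    telnet_probe = Packet('tcp', '198.51.100.7', 55555, router.public_ip, 23)
    http_probe = Packet('tcp', '198.51.100.7', 55556, router.public_ip, 80)
    return tuple(router.outside_to_inside(p)[0] for p in (reply, telnet_probe, http_probe))


if __name__ == '__main__':
    posted = Router837('192.0.2.1')                                     # NAT only, as posted
    hardened = Router837('192.0.2.1', inspect=('tcp', 'udp'), deny_all_inbound=True)
    print('posted config      :', run_scenario(posted))     # ('forward', 'router', 'router')
    print('inspect + deny-all :', run_scenario(hardened))   # ('forward', 'drop', 'drop')
```

With the posted NAT-only config the HTTP reply is forwarded because a translation exists, but both probes are delivered to the router itself: tcp/23 lands on `line vty 0 4`, which accepts telnet, and tcp/80 is refused only because `no ip http server` happens to be set. With inspection plus the deny-all ACL the same reply still gets through via the session CBAC recorded, while both probes are dropped at the ACL before NAT is ever consulted. A session opened to one remote port does not admit traffic from another port on the same host, which is the "stateful" property Thot was pointing at.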

Richard Burts Mon, 11/12/2007 - 20:16
Andy


In a different thread we have had a discussion about firewall rules and about ip inspect. Has that sufficiently cleared things up or do you still have questions?


HTH


Rick

whiteford Mon, 11/12/2007 - 22:44
It's all good on this post, I have added the log file on the other one you asked for.

Richard Burts Tue, 11/13/2007 - 03:44
Andy


I seem to have lost track of a thread. Can you point me to the one you added the log file for?


HTH


Rick

whiteford Tue, 11/13/2007 - 04:00
Damn, my last post isn't there with the log, I'll try and get it and post.
