cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
608
Views
0
Helpful
8
Replies

Firewall rule help on Cisco 837?

whiteford
Level 1
Level 1

Hi, I have this config on my Cisco 837, is it secure from the "outside" world? I can't see any rules that block anyone accessing my network, can you? I want the inside to have full access to the outside world, but the outside to have no access into my network.

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ADSL

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable password 7 ****

!

no aaa new-model

!

resource policy

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.2.1 192.168.2.10

!

ip dhcp pool client

import all

network 192.168.2.0 255.255.255.0

default-router 192.168.2.100

dns-server 190.x.x.197 187.186.189.16

lease 0 2

!

!

no ip cef

!

!

!

username *** password ***

!

!

!

!

!

interface Ethernet0

ip address 192.168.2.100 255.255.255.0

no ip unreachables

ip nat inside

ip virtual-reassembly

hold-queue 100 out

!

interface Ethernet2

no ip address

shutdown

hold-queue 100 out

!

interface ATM0

no ip address

no ip unreachables

no ip mroute-cache

atm vc-per-vp 64

no atm ilmi-keepalive

dsl operating-mode auto

cdp enable

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

!

interface FastEthernet1

duplex auto

speed auto

!

interface FastEthernet2

duplex auto

speed auto

!

interface FastEthernet3

duplex auto

speed auto

!

interface FastEthernet4

duplex auto

speed auto

!

interface Dialer1

ip address negotiated

no ip unreachables

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname ***

ppp chap password ***

ppp pap sent-username *** password ***

ppp ipcp dns request

ppp ipcp wins request

!

ip route 0.0.0.0 0.0.0.0 Dialer1

no ip http server

no ip http secure-server

!

ip nat inside source list 102 interface Dialer1 overload

!

logging trap debugging

logging facility local4

logging source-interface Ethernet0

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

dialer-list 1 protocol ip permit

!

control-plane

!

!

line con 0

no modem enable

transport output telnet

line aux 0

transport output telnet

line vty 0 4

exec-timeout 5 0

login local

transport input telnet ssh

transport output all

!

scheduler max-task-time 5000

end

8 Replies 8

JORGE RODRIGUEZ
Level 10
Level 10

Take a look at filtering acls at the edge, this is an enterprise example but the principle can be applied in small networks.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

HTH

Jorge

Jorge Rodriguez

Thanks, what exactly is my current config doing to block external traffic?

Do I need add a deny inbound to all traffic to stock hackers?

Hi Andy

I'm not 100% sure your IOS being supported firewall functions.If you can then I would recommend you to do *firewall* on it. As per your requirement you can do "Inspect" traffics you want allow from inside to outside and then you can do "deny all" from outside to inside. That's why I recommend "Inspect functions" because it's state-full.

Please check this link out!

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml

Hopes this helps

Thot

Thanks, the 837 has a full firewall feature.

Are the inspect rules from inside to outside like allow rules then? If so I take I would allow http, https, dns?

eg

ip inspect name outbound tcp

ip inspect name outbound udp

ip inspect name outbound ftp

ip inspect name outbound http

ip inspect name outbound icmp

ip access-list extended inbound_acl

deny ip any any

interface Dialer1

ip access-group inbound_acl in

interface Ethernet0

ip inspect outbound in

Andy

In a different thread we have had a discussion about firewall rules and about ip inspect. Has that sufficiently cleared things up or do you still have questions?

HTH

Rick

HTH

Rick

Its all good on this post, I have added the log file on the other one you asked for.

Andy

I seem to have lost track of a thread. Can you point me to the one you added the log file for?

HTH

Rick

HTH

Rick

Damn, my last post isn't there with the log, I'll try and get it and post.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: