11-10-2007 12:39 PM - edited 03-03-2019 07:29 PM
Hi, I have this config on my Cisco 837, is it secure from the "outside" world? I can't see any rules that block anyone accessing my network, can you? I want the inside to have full access to the outside world, but the outside to have no access into my network.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ADSL
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password 7 ****
!
no aaa new-model
!
resource policy
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool client
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.100
dns-server 190.x.x.197 187.186.189.16
lease 0 2
!
!
no ip cef
!
!
!
username *** password ***
!
!
!
!
!
interface Ethernet0
ip address 192.168.2.100 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no ip unreachables
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
cdp enable
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ***
ppp chap password ***
ppp pap sent-username *** password ***
ppp ipcp dns request
ppp ipcp wins request
!
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
!
logging trap debugging
logging facility local4
logging source-interface Ethernet0
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
exec-timeout 5 0
login local
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end
11-10-2007 05:45 PM
Take a look at filtering ACLs at the edge; this is an enterprise example, but the principle can be applied in small networks.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
HTH
Jorge
11-11-2007 02:03 AM
Thanks, what exactly is my current config doing to block external traffic?
Do I need to add a deny inbound to all traffic to stop hackers?
11-11-2007 02:22 AM
Hi Andy
I'm not 100% sure your IOS supports firewall functions. If you can, then I would recommend you do *firewall* on it. As per your requirement, you can "Inspect" the traffic you want to allow from inside to outside and then you can "deny all" from outside to inside. That's why I recommend "Inspect functions", because it's stateful.
Please check this link out!
Hope this helps
Thot
11-11-2007 02:56 AM
Thanks, the 837 has a full firewall feature.
Are the inspect rules from inside to outside like allow rules then? If so, I take it I would allow http, https, dns?
eg
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
ip access-list extended inbound_acl
deny ip any any
interface Dialer1
ip access-group inbound_acl in
interface Ethernet0
ip inspect outbound in
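As an added example (not from the thread, and not Cisco's tooling), here is a Python check run over constructed excerpts of the original config at the top of the thread and of the inspect / deny-all proposal just above. It finds the interface marked `ip nat outside` and reports whether that interface has an inbound access-group and whether an `ip inspect` rule is applied anywhere, which is the gap the thread is discussing. The parser is a simplification of IOS syntax, and the config strings are excerpts constructed from the posts, not a full router config.

```python
# Constructed excerpt of the original config posted at the top of the thread.
ORIGINAL_CONFIG = """\
interface Ethernet0
 ip nat inside
!
interface Dialer1
 ip nat outside
!
ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
"""

# Constructed excerpt: the original plus the inspect / deny-all proposal.
PROPOSED_CONFIG = ORIGINAL_CONFIG + """\
ip inspect name outbound tcp
ip access-list extended inbound_acl
 deny ip any any
interface Dialer1
 ip access-group inbound_acl in
interface Ethernet0
 ip inspect outbound in
"""

def parse_interfaces(config):
    """Map interface name -> sub-commands (simplified IOS parser); a repeated
    'interface X' stanza merges into the first, as IOS does on paste."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!', blank or global command ends the stanza
    return interfaces

def audit(config):
    """Does each NAT-outside interface filter inbound, and is CBAC applied?"""
    ifaces = parse_interfaces(config)
    outside = [n for n, cmds in ifaces.items() if "ip nat outside" in cmds]
    unfiltered = [n for n in outside if not any(
        c.startswith("ip access-group ") and c.endswith(" in") for c in ifaces[n])]
    inspected = any(c.startswith("ip inspect ")
                    for cmds in ifaces.values() for c in cmds)
    return {"outside_interfaces": outside,
            "outside_without_inbound_acl": unfiltered,
            "stateful_inspection_applied": inspected}
```

A clean result only says the filtering and inspect commands are present in the text; whether the image on the router actually supports the firewall feature set still has to be confirmed on the box itself.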
11-12-2007 08:16 PM
Andy
In a different thread we have had a discussion about firewall rules and about ip inspect. Has that sufficiently cleared things up or do you still have questions?
HTH
Rick
11-12-2007 10:44 PM
It's all good on this post, I have added the log file on the other one you asked for.
11-13-2007 03:44 AM
Andy
I seem to have lost track of a thread. Can you point me to the one you added the log file for?
HTH
Rick
11-13-2007 04:00 AM
Damn, my last post isn't there with the log; I'll try and get it and post.