Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Unsecured firewall?

Hi,

This has to be an easy one...

I have it connected to DSL on a subnet 255.255.255.248.

The main IP (113) needs to be stealthed with ssh open, 114 need asterisk on tcp 5060 open, everything else stealthed, 118 has a web server.

After 10 very difficult days with a new 877, I still cannot get the firewall to stealth mode only all ports closed. Also I cannot seem to be able to allow any 80 or 5060 traffic in.

The bits of my config are:

interface Dialer0

description Internet

ip address 1.2.3.113 255.255.255.248

ip access-group 150 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip route-cache flow

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap callin

ppp chap hostname mylogin@adsllogin.co.uk

ppp chap password 7 mypassword

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static tcp 192.168.7.114 5060 1.2.3.114 5060 extendable

ip nat inside source static tcp 192.168.7.118 80 1.2.3.118 80 extendable

logging trap debugging

access-list 1 remark NAT ACCESS

access-list 1 permit 192.168.7.0 0.0.0.255

access-list 23 remark MANAGEMENT LIST

access-list 23 permit 192.168.7.0 0.0.0.255

access-list 150 remark INBOUND CONNECTIONS

access-list 150 permit tcp any host 1.2.3.118 eq www

access-list 150 permit ip any host 1.2.3.114

access-list 150 deny ip 10.0.0.0 0.255.255.255 any

access-list 150 deny ip 172.16.0.0 0.15.255.255 any

access-list 150 deny ip 192.168.0.0 0.0.255.255 any

access-list 150 deny ip 127.0.0.0 0.255.255.255 any

access-list 150 deny ip host 255.255.255.255 any

access-list 150 deny ip host 0.0.0.0 any

access-list 150 permit ip any any

dialer-list 1 protocol ip permit

no cdp run

(I still cannot find any docs on cisco.com that are in any way comprehensible)

BTW, SDM doesn't seem to work so I am forced into the rather cryptic CLI

Thanks,

David

1 REPLY
Bronze

Re: Unsecured firewall?

Basically what you will need to do varies a little depending on your setup but you will need to set up access-list to allow ports 5060,80, 137, 138, and 139 through the PIX. Here is a design guide on it

http://www.cisco.com/warp/public/110/pixnetbios.html

On your config I take it is probally your WINS. I'm not sure who is the pdc and who is the wins Your acls are a little confusing beacuse you have the same network in both parts of the acl

Since I can not open the VSD's that you sent I am not sure what you are referenceing with the addresses

116
Views
0
Helpful
1
Replies