https://community.cisco.com/t5/network-security/setting-up-cbac-for-an-internet-connected-cisco-lab/m-p/3788175#M1049173 <P>Hi All,</P><P>&nbsp;</P><P>I want to setup CBAC as my basis for firewall rules / filtering on a home lab. High level description of the setup is as follows (diagram attached):</P><P>&nbsp;</P><UL><LI><STRONG>ISP Router / Modem</STRONG> (SpeedTouch 780) supplied by ISP and flashed with their firmware / image, so locked down to "normal user" mode (i.e. - basic changes only). Has a LAN side switch with static IP of 192.168.1.254 /24 which is the Gateway of Last Resort for the 2811 Router</LI><LI><STRONG>Cisco 2811 Router</STRONG>:<UL><LI>Fa0/0 (192.168.1.200 /24) is connected to LAN Side switch of the ISP Router Modem</LI><LI><STRONG>Gi0/0/0</STRONG> (no IP address at port level) <STRONG>is split into several sub-interfaces</STRONG>, 1 for each VLAN on the private network, each of which have an IP address used as the Default Gateway for devices on its respective VLAN</LI><LI><STRONG>Provides DHCP</STRONG> to each of the VLANs</LI><LI><STRONG>NAT's each of the VLANs to the IP address of Fa0/0</STRONG> so that the ISP Router Modem can pass internet destined traffic onwards - necessary as static routes back to the VLANs is not possible because the ISP Router Modem is locked down (many thanks to&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/324049">@Jon Marshall</a>&nbsp;for all his help with that!)</LI></UL></LI></UL><P>&nbsp;</P><P><STRONG>Question 1</STRONG>: If I want to apply CBAC in this situation, my assumption is that I would create the first acl on <STRONG>Fa0/0 in</STRONG> on the 2811 to block incoming traffic, and then acls on each of the VLAN sub-interfaces on Gi0/0/0 (e.g. <STRONG>Gi0/0/0.10 in</STRONG>) to control and check traffic coming out of each of them that is destined for the internet. Is my assumption correct? If so, then:</P><P>&nbsp;</P><P><STRONG>Question 2</STRONG>:&nbsp;Does this affect the inter-vlan routing that is (presumably) happening on the 2811 Gi0/0/0 port between each of the VLAN's?</P><P>&nbsp;</P><P>&nbsp;</P><P>Many thanks in advance for all and any help!</P> Fri, 21 Feb 2020 16:42:21 GMT LeeSteventon 2020-02-21T16:42:21Z https://community.cisco.com/t5/network-security/setting-up-cbac-for-an-internet-connected-cisco-lab/m-p/3788175#M1049173 <P>Hi All,</P><P>&nbsp;</P><P>I want to setup CBAC as my basis for firewall rules / filtering on a home lab. High level description of the setup is as follows (diagram attached):</P><P>&nbsp;</P><UL><LI><STRONG>ISP Router / Modem</STRONG> (SpeedTouch 780) supplied by ISP and flashed with their firmware / image, so locked down to "normal user" mode (i.e. - basic changes only). Has a LAN side switch with static IP of 192.168.1.254 /24 which is the Gateway of Last Resort for the 2811 Router</LI><LI><STRONG>Cisco 2811 Router</STRONG>:<UL><LI>Fa0/0 (192.168.1.200 /24) is connected to LAN Side switch of the ISP Router Modem</LI><LI><STRONG>Gi0/0/0</STRONG> (no IP address at port level) <STRONG>is split into several sub-interfaces</STRONG>, 1 for each VLAN on the private network, each of which have an IP address used as the Default Gateway for devices on its respective VLAN</LI><LI><STRONG>Provides DHCP</STRONG> to each of the VLANs</LI><LI><STRONG>NAT's each of the VLANs to the IP address of Fa0/0</STRONG> so that the ISP Router Modem can pass internet destined traffic onwards - necessary as static routes back to the VLANs is not possible because the ISP Router Modem is locked down (many thanks to&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/324049">@Jon Marshall</a>&nbsp;for all his help with that!)</LI></UL></LI></UL><P>&nbsp;</P><P><STRONG>Question 1</STRONG>: If I want to apply CBAC in this situation, my assumption is that I would create the first acl on <STRONG>Fa0/0 in</STRONG> on the 2811 to block incoming traffic, and then acls on each of the VLAN sub-interfaces on Gi0/0/0 (e.g. <STRONG>Gi0/0/0.10 in</STRONG>) to control and check traffic coming out of each of them that is destined for the internet. Is my assumption correct? If so, then:</P><P>&nbsp;</P><P><STRONG>Question 2</STRONG>:&nbsp;Does this affect the inter-vlan routing that is (presumably) happening on the 2811 Gi0/0/0 port between each of the VLAN's?</P><P>&nbsp;</P><P>&nbsp;</P><P>Many thanks in advance for all and any help!</P> Fri, 21 Feb 2020 16:42:21 GMT https://community.cisco.com/t5/network-security/setting-up-cbac-for-an-internet-connected-cisco-lab/m-p/3788175#M1049173 LeeSteventon 2020-02-21T16:42:21Z https://community.cisco.com/t5/network-security/setting-up-cbac-for-an-internet-connected-cisco-lab/m-p/3788446#M1049189 Hi,<BR /><BR />Yes you need ACLs on outside interface with direction in to block incoming<BR />traffic and you need inspect out command to check outgoing connections and<BR />allow reverse packets<BR /><BR />For sub-interfaces its not mandatory to apply ACLs but recommended. This<BR />isn't needed for inspecting internet traffic but for securing connections<BR />from clients in general. It will affect intervlan routing<BR /> Sat, 26 Jan 2019 03:49:57 GMT https://community.cisco.com/t5/network-security/setting-up-cbac-for-an-internet-connected-cisco-lab/m-p/3788446#M1049189 Mohammed al Baqari 2019-01-26T03:49:57Z