topic Configure Cisco 1921 as Home Router in Network Security

Configure Cisco 1921 as Home Router

David Lee — Tue, 12 Mar 2019 07:54:41 GMT

Long Story short is that I have a Cisco 1921 running 15.3 that I am trying to setup as a typical home router. I want to allow all the traffic from inside to go to the internet, and I want all the traffic from the internet to to be able to get in. If the traffic originated from inside, then naturally the responding traffic needs to come back in. I thought I could do this with a few ACLs and using the IP INSPECT. Doing that, the WAN port will not get an IP address and all inside traffic does not reach the internet. i dont have much experience configuring Security on Cisco Routers that also is running NAT. If someone can point me in the right direction, that would be great. below is the running config that is not working the way I would like

DLC1921LTNTX3020#sh run
Building configuration...

Current configuration : 1798 bytes
!
! Last configuration change at 22:13:54 UTC Sat Jun 18 2016
version 15.3

ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT dns
ip inspect name FWOUT http
ip inspect name FWOUT https
ip inspect name FWOUT time
ip cef
no ipv6 cef

interface GigabitEthernet0/0
description LAN
ip address 192.168.205.252 255.255.255.0
ip nat inside
ip inspect FWOUT in
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN
ip address dhcp
ip access-group 5 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface Serial0/1/0
no ip address
shutdown
!
ip dns server
ip nat inside source list 10 interface GigabitEthernet0/1 overload
!
!
!
access-list 5 deny any log
access-list 10 permit 192.168.205.0 0.0.0.255
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any any eq domain
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 10 in
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end

DLC1921LTNTX3020#

Hi

Francesco Molino — Sun, 19 Jun 2016 01:04:53 GMT

few things based on your config.

1. For NAT acl, I will recommend to use extended ACL instead of standard (it will allow you to details more who can have access to internet and with which protocols). Right now, it would be quite the same:

Ip access-list extended NAT

deny ip 192.168.205.0 0.0.0.255 192.168.205.0 0.0.0.255

permit ip 192.168.205.0 0.0.0.255 any

2. You are missing a default route (normally, your ISP connected on the WAN interface should give you a default-route.) In that case the command is:

ip route 0.0.0.0 0.0.0.0 dhcp

3. On your WAN interface, you're applying the ACL 5 that deny any. Why?

4. To allow the traffic back based on an acl that limit some ports, you need to use reflective acl (1st solution).

Some documentation of Reflective acl: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html

The minding is to create a simple acl (that you will put as in on your interface) and create another that reflect the in (that you will put as out on your interface)

A sample of ACL

Extended IP access list FIREWALL-IN
10 permit udp any any eq ntp
20 permit udp any eq ntp any
30 permit icmp any any echo-reply
40 permit icmp any any traceroute
50 permit esp any any
60 permit ahp any any
70 permit udp any any eq isakmp
80 permit udp any eq isakmp any
90 permit udp any any eq non500-isakmp
100 permit udp any eq non500-isakmp any
110 permit udp any any eq bootps
120 permit udp any any eq bootpc
130 evaluate FIREWALL-REFLEX-IN

Extended IP access list FIREWALL-OUT
10 permit ip any any reflect FIREWALL-REFLEX-IN

4 bis. You can even use inspect, however your issue don't seems to be related to the INSPECT rule. Usually, we apply the inspect on the WAN interface as out to allow that return traffic is allowed.

See here some doc: https://learningnetwork.cisco.com/docs/DOC-7832

5. You said that your WAN is not getting IP even if it has been configured as DHCP. You have an acl denying everything. Remove that acl first and try it again

Hope that's clear.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue