topic CISCO Advanced Firewall on 2911 router using CCP in Network Security

CISCO Advanced Firewall on 2911 router using CCP

orahman99 — Tue, 12 Mar 2019 00:41:59 GMT

Guys I am using a cisco 2911 router with three interfaces: Gi0/0 connected through a switch to all my servers and Gi0/2 which will connect to another server, and Gi0/1 is my outside interface connecting through a switch to two ISP's.

I have webservers and Terminal servers/File Servers with 10.0.0.0 network address connected throught My Gi0/0 interface.

Now I want to implement a Cisco Advanced firewall for security on my router using CCP.I want the firewall to work such that it allows external users to access the servers on Gi0/0 through ports 80,23,25,20,21,53, 110,3389. and to access the SIP server on Gi0/2. My issue is do I put both Gi0/0 and Gi0/2 in the inside zone or do i have to just create two DMZ's for both interface Gi0/0 and Gi0/2 without creating an inside zone and Gi0/1 as outside zone as my internal traffic is mostly server based and the users connect remotely through terminal server to access resourcess using RDP, secondly how do I open the relevant ports.I have checked alot and all I have seen is just basic process on using the wizard I have no idea how to go about this issue.

Would appreciate some assistance on this.

CISCO Advanced Firewall on 2911 router using CCP

Henrik Grankvist — Sun, 30 Dec 2012 17:10:38 GMT

Hey

I would put G0/0 and G0/2 in two different zones because it sounds like they have no reason to be in the same, it's always safer to have more zones and to be able to control what traffic is permitted.

For the seconds problem I'm may not be the best person to ask because I've never used CCP, I only know how to do this through th CLI.

CISCO Advanced Firewall on 2911 router using CCP

Julio Carvajal — Sun, 30 Dec 2012 22:39:26 GMT

Hello Obaid,

I would encourage you to configure this on the long but GOOD way using the CLI..

I know CCP is faster witch is good but the thing is that it could be way more restrictive than you want and you want to use the approach they want while if you do it manually you could do it however you want,

I can definetly help you setting this up via CLI

Regards,

Julio

Re: CISCO Advanced Firewall on 2911 router using CCP

orahman99 — Mon, 31 Dec 2012 03:30:37 GMT

I did some research on ZBFand came up with the following configuration on my router for Outside users to be able to access my inside network resources through the opened ports. would apreciate if someone could look at it and see if it is ok.

Zone security out-zone
zone security in-zone

interface gi0/1
Zone-member security out-zone

interface gi0/0
zone-member security in-zone

interface gi0/2
zone-member security in-zone
exit

zone-pair security OUT-IN source out-zone destination in-zone

ip access-list extended OUTSIDE-TO-INSIDE

permit tcp any host 10.0.0.50 eq www

permit tcp any host 10.0.0.50 eq 20:21

permit tcp any host 10.0.0.50 eq 25

permit tcp any host 10.0.0.50 eq 53

permit tcp any host 10.0.0.50 eq 110

permit tcp any host 10.0.0.50 eq 143

permit tcp any host 10.0.0.50 eq 443

permit tcp any host 10.0.0.50 eq 3389

permit tcp any host 10.0.0.50 eq www

permit tcp any host 10.0.0.52 eq www

permit tcp any host 10.0.0.52 eq 20:21

permit tcp any host 10.0.0.52 eq 25

permit tcp any host 10.0.0.52 eq 53

permit udp any host 10.0.0.52 eq 53

permit tcp any host 10.0.0.52 eq 110

permit tcp any host 10.0.0.52 eq 143

permit tcp any host 10.0.0.52 eq 443

permit tcp any host 10.0.0.52 eq 3389

permit tcp any host 10.0.0.52 eq www

permit tcp any host 10.0.0.23 eq www

permit tcp any host 10.0.0.23 eq 20:21

permit tcp any host 10.0.0.23 eq 25

permit tcp any host 10.0.0.23 eq 53

permit udp any host 10.0.0.23 eq 53

permit tcp any host 10.0.0.23 eq 110

permit tcp any host 10.0.0.23 eq 143

permit tcp any host 10.0.0.23 eq 443

permit tcp any host 10.0.0.23 eq 3389

permit tcp any host 10.0.0.23 eq www

permit tcp any host 10.0.0.23 eq 8080

permit tcp any host 10.0.0.59 eq www

permit tcp any host 10.0.0.59 eq 20:21

permit tcp any host 10.0.0.59 eq 25

permit tcp any host 10.0.0.59 eq 53

permit udp any host 10.0.0.59 eq 53

permit tcp any host 10.0.0.59 eq 110

permit tcp any host 10.0.0.59 eq 143

permit tcp any host 10.0.0.59 eq 443

permit tcp any host 10.0.0.59 eq 3389

permit tcp any host 10.0.0.61 eq www

permit tcp any host 10.0.0.61 eq 20:21

permit tcp any host 10.0.0.61 eq 25

permit tcp any host 10.0.0.61 eq 53

permit udp any host 10.0.0.61 eq 53

permit tcp any host 10.0.0.61 eq 110

permit tcp any host 10.0.0.61 eq 143

permit tcp any host 10.0.0.61 eq 443

permit tcp any host 10.0.0.61 eq 3389

permit tcp any host 10.0.0.228 eq www

permit tcp any host 10.0.0.228 eq 20:21

permit tcp any host 10.0.0.228 eq 25

permit tcp any host 10.0.0.228 eq 53

permit udp any host 10.0.0.228 eq 53

permit tcp any host 10.0.0.228 eq 110

permit tcp any host 10.0.0.228 eq 143

permit tcp any host 10.0.0.228 eq 443

permit tcp any host 10.0.0.228 eq 3389

permit tcp any host 10.0.0.58 eq 3389

permit tcp any host 10.0.0.33 eq 3389

permit tcp any host 10.0.0.25 eq 3389

permit tcp any host 10.0.0.44 eq 3389

permit tcp any host 10.0.0.251 eq 3389

permit tcp any host 10.0.0.21 eq 3389

permit tcp any host 10.0.0.22 eq 3389

permit tcp any host 10.0.0.24 eq 3389

permit tcp any host 10.0.0.16 eq 80

permit tcp any host 10.0.0.30 eq www

permit tcp any host 10.0.0.30 eq 3389

permit tcp any host 10.0.0.230 eq 3389

permit tcp any 10.0.3.254 0.0.0.0 eq www
permit tcp any 10.0.3.254 0.0.0.0 eq 3389
permit tcp any 10.0.3.254 0.0.0.0 eq 5060
permit tcp any 10.0.3.254 0.0.0.0 eq 5061

class-map type inspect match-all OUTSIDE-INSIDE-CLASS
match access-group name inside OUTSIDE-TO-INSIDE

policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class-type inspect OUTSIDE-T0-INSIDE-CLASS
inspect
class class-default
drop log

zone-pair security OUT-IN source out-zone destination in-zone
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY