I have setup NAT and firewall on my C1111-8w8p router and I believe it is correct. Let me know if you see any other problems here. I am still learning. But now I need to block access to the router. Port scan of public ip shows 22, 80, 443, and 1720 open. Not sure how to do that the best way. Please help. Here is my configuration:
Sat Dec 30 2023 20:20:06 GMT-0600 (Central Standard Time)
===================================================================================
#sh run
Building configuration...
Current configuration : 9958 bytes
!
! Last configuration change at 02:18:43 UTC Sun Dec 31 2023 by admin
! NVRAM config last updated at 00:16:50 UTC Sun Dec 31 2023 by admin
!
version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname Edge_Router
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.09.04a.SPA.bin
boot system bootflash:c1100-universalk9_ias.16.10.01b.SPA.bin
boot-end-marker
!
!
aaa new-model
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip name-server 8.8.8.8 1.1.1.1
ip domain name lewishome.local
ip dhcp excluded-address 192.168.1.0
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.200 192.168.1.255
!
ip dhcp pool default
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 1.1.1.1
lease infinite
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
vtp version 1
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2829415558
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2829415558
revocation-check none
rsakeypair TP-self-signed-2829415558
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2829415558
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32383239 34313535 3538301E 170D3233 31303331 30333530
31365A17 0D333030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38323934
31353535 38308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 0100D4C8 D205F41D 87D75235 3BF6112F A419AA75 DD5BEBA3 F65A51E0
F9D66305 D7D3EFEA AFE0CE68 B51807E7 ABAD93C8 7D2CB2F0 127DDD3A 81D0A65C
28D4AAED 6C723B45 BD33EC5E 4CA33DC0 013E4C52 1912A7B0 3D7DB305 1C3B0C6B
C1CBBC69 D36E5C8F 561A2334 57BC4BA4 F96E74C9 26C1DF87 8A72BB74 E41675D0
1BC7179F 4E1AC770 9C168634 BBA41693 4197748B 17348D43 E56D3E5F A92BCC94
449D42D1 C8CA05FE DBD014C2 F5E87F73 8FFD1F87 16A46317 1AB5A4F6 BDEF2A13
9091FDAC 4674D656 D0011D59 01D72939 FF7BE161 AE4861DA 27288373 3ECDBB9A
D3224C19 F57D213F 1E66E96A 134CC8C3 459566A9 1603B84A 475A4242 B2B4CC78
DAE84745 0F670203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
301F0603 551D2304 18301680 148196B9 201E83D1 82D6F51B C348A36B FC92075D
AC301D06 03551D0E 04160414 8196B920 1E83D182 D6F51BC3 48A36BFC 92075DAC
300D0609 2A864886 F70D0101 05050003 82010100 53BA30C3 805BB3D6 30F9E106
38A164A3 9B6B48D0 5DFD2DA9 940A9F79 945B4E20 A878F406 CCE22730 63C7F7ED
3657AADE 2AB34739 1EA13AF6 49E40C27 C3E8BC1B 50B5F0F0 CEB49998 CA0ECE1E
AFE2B08A 6B011A4C B4579FCF 7CE42025 AE227792 08141E61 99C90838 AA135E4C
D2D29867 7CDA5B54 7E66A31A AA6BDC3D 027327F9 CAF90986 3ED52D07 69A86D69
B48E3F2A 4ACDFD93 9784B856 27C122A5 E01CACFB AEE35360 432CC6E5 35A5EF6C
DA17AA22 AB79F9DD 40AA1110 0D32B60A FF386552 9254FEC4 389B1E6C C9C0A4A6
E08CC317 D3FC7267 2C0ADD07 096DFB7E E3070723 78D056D0 FF2226C5 C0E5BEEC
9C091A72 CFBA7897 A588FD2F 53E91932 7C56826A
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
no license feature hseck9
license udi pid C1111-8PWB sn
license boot level securityk9
memory free low-watermark processor 66007
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
enable secret 9
!
username admin privilege 15 secret 9
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any INSIDE-TO-OUTSIDE_cmap_app
match protocol http
match protocol https
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all INSIDE-TO-OUTSIDE_cmap
match access-group name INSIDE-TO-OUTSIDE_acl
match class-map INSIDE-TO-OUTSIDE_cmap_app
!
policy-map type inspect INSIDE-TO-OUTSIDE_policy
class type inspect INSIDE-TO-OUTSIDE_cmap
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE_policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description WAN 1
ip address xxx.xxx.xxx.xxx 255.255.255.252
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1/0
description To Core Switch
switchport access vlan 250
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Wlan-GigabitEthernet0/1/8
zone-member security INSIDE
!
interface Vlan1
description Default
ip address 192.168.1.1 255.255.255.0
zone-member security INSIDE
!
interface Vlan250
description WAN
ip address 192.168.250.10 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip nat inside source list NAT_acl interface GigabitEthernet0/0/0 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 71.37.144.146
ip route 192.168.10.0 255.255.255.0 192.168.250.1
ip route 192.168.40.0 255.255.254.0 192.168.250.1
ip route 192.168.50.0 255.255.255.0 192.168.250.1
ip route 192.168.60.0 255.255.255.0 192.168.250.1
ip route 192.168.70.0 255.255.255.0 192.168.250.1
ip route 192.168.80.0 255.255.255.0 192.168.250.1
ip route 192.168.100.0 255.255.255.0 192.168.250.1
!
!
ip access-list extended INSIDE-TO-OUTSIDE_acl
1 permit ip 192.168.1.0 0.0.0.255 any
10 permit ip 192.168.10.0 0.0.0.255 any
40 permit ip 192.168.40.0 0.0.1.255 any
50 permit ip 192.168.50.0 0.0.0.255 any
60 permit ip 192.168.60.0 0.0.0.255 any
70 permit ip 192.168.70.0 0.0.0.255 any
80 permit ip 192.168.80.0 0.0.0.255 any
100 permit ip 192.168.100.0 0.0.0.255 any
250 permit ip 192.168.250.0 0.0.0.255 any
ip access-list extended NAT_acl
1 permit ip 192.168.1.0 0.0.0.255 any
10 permit ip 192.168.10.0 0.0.0.255 any
40 permit ip 192.168.40.0 0.0.1.255 any
50 permit ip 192.168.50.0 0.0.0.255 any
60 permit ip 192.168.60.0 0.0.0.255 any
70 permit ip 192.168.70.0 0.0.0.255 any
80 permit ip 192.168.80.0 0.0.0.255 any
100 permit ip 192.168.100.0 0.0.0.255 any
250 permit ip 192.168.250.0 0.0.0.255 any
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
!
!
control-plane
!
banner login ^CLewis Home Edge Router^C
!
line con 0
transport input none
stopbits 1
line vty 0 4
length 0
transport input ssh
line vty 5 14
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp server 0.ciscome.pool.ntp.org
ntp server 1.ciscome.pool.ntp.org
ntp server 2.ciscome.pool.ntp.org
!
!
!
!
!
!
end