deny all traffic to 53 from outside

ilukeberry
Level 1

Hi

I've set up my Cisco router's DNS server via "ip dns server", which I need for inside use. However, if I now do a port scan from outside it shows port 53 open. How do I block all traffic to port 53 from outside, since I need this DNS only inside my NAT/overload network?

I'm using a 1900 series.

18 Replies

Julio Carvajal
VIP Alumni

Hello Luka,

Do you have an ACL on the outside interface?

You could add one:

ip access-list extended outside_in
 deny udp any any eq 53
 ! the IOS DNS server also answers on tcp/53, which is what a TCP port scan sees
 deny tcp any any eq 53
 permit ip any any   (if this is what you have right now)

interface fast 0/0   (interface connecting to the internet)
 ip access-group outside_in in

Regards,

Remember to rate all of our answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

If that system is connected to the internet, you should at least activate the IOS firewall (SEC license needed) to control the traffic that flows to your network. With that, by default all ports are closed and only return traffic can enter your network.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi,

By default with ZBF, traffic destined to the self zone or coming from the self zone is permitted, so he'll have to configure a policy for traffic coming to the self zone from the outside zone.

Regards.

Alain

Don't forget to rate helpful posts.


I wouldn't recommend ZBF in that case because it's too complicated. CBAC would be more than enough.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Here is my current running config.

What do you suggest I do? For now I've forwarded port 53 to a dummy IP address.

I have SEC license.

Technology Package License Information for Module:'c1900'

-----------------------------------------------------------------

Technology    Technology-package           Technology-package

              Current       Type           Next reboot

------------------------------------------------------------------

ipbase        ipbasek9      Permanent      ipbasek9

security      securityk9    Permanent      securityk9

data          None          None           None

!

! Last configuration change at 23:47:03 CEST Fri Oct 5 2012 by admin

! NVRAM config last updated at 23:47:04 CEST Fri Oct 5 2012 by admin

! NVRAM config last updated at 23:47:04 CEST Fri Oct 5 2012 by admin

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

!

hostname r0

!

boot-start-marker

boot system flash:c1900-universalk9-mz.spa.151-4.m5.bin

boot-end-marker

!

!

enable secret 4 g0rpmgGc.WRIwoCfStjriwwUU8l80hSfH.a65o75m0g

!

aaa new-model

!

!

aaa authentication login default local

!

!

!

!

!

aaa session-id common

!

clock timezone CET 1 0

clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00

!

no ipv6 cef

no ip source-route

no ip gratuitous-arps

ip cef

!

!

!

ip dhcp excluded-address 192.168.10.1 192.168.10.100

ip dhcp excluded-address 192.168.10.254

!

ip dhcp pool vlan10

network 192.168.10.0 255.255.255.0

dns-server 192.168.10.1

default-router 192.168.10.1

lease 3

!

!

no ip bootp server

ip host www.mydomain.net 192.168.20.2

ip name-server 84.255.209.79

ip name-server 84.255.210.79

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

!

license udi pid CISCO1921/K9 sn FCZ1606C28X

!

!

username admin secret 4 g0rpmgGc.WRIwoCfStjriwwUU8l80hSfH.a65o75m0g

!

redundancy

!

!

!

!

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

ip address 255.255.0.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/1.10

description HOME VLAN

encapsulation dot1Q 10

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface GigabitEthernet0/1.20

description SERVERS VLAN

encapsulation dot1Q 20

ip address 192.168.20.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface GigabitEthernet0/1.30

description VM VLAN

encapsulation dot1Q 30

ip address 192.168.30.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface GigabitEthernet0/1.40

description MANAGEMENT VLAN

encapsulation dot1Q 40

ip address 192.168.40.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip dns server

ip nat inside source list 100 interface GigabitEthernet0/0 overload

ip nat inside source static tcp 192.168.20.2 22 22 extendable

ip nat inside source static tcp 1.1.1.1 53 53 extendable

ip nat inside source static tcp 192.168.20.2 80 80 extendable

ip nat inside source static tcp 192.168.20.2 443 443 extendable

ip route 0.0.0.0 0.0.0.0

!

access-list 100 permit ip 192.168.10.0 0.0.0.255 any

access-list 100 permit ip 192.168.20.0 0.0.0.255 any

access-list 100 permit ip 192.168.30.0 0.0.0.255 any

access-list 100 permit ip 192.168.40.0 0.0.0.255 any

!

no cdp run

!

!

!

!

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

exec-timeout 0 0

no exec

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

exec-timeout 0 0

logging synchronous

transport input ssh

!

scheduler allocate 20000 1000

ntp server 193.2.1.117

end

It all starts with the following config:

ip inspect name FW tcp router-traffic

ip inspect name FW udp router-traffic

ip inspect name FW icmp router-traffic

ip inspect name FW ftp

ip access-list extended INTERNET-IN

  deny ip any any

int gig 0/0

  descr Connection to internet

  ip access-group INTERNET-IN in

  ip inspect FW out

With that the typical internet-traffic will work; only answers to your own traffic will flow back to your router or your network.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

How do I incorporate that into my config? I need 22, 80 and 443 forwarded to 192.168.20.2, I mean opened.

If i do:

ip access-list extended INTERNET-IN

permit tcp any host 192.168.20.2 eq 22

permit tcp any host 192.168.20.2 eq 80

permit tcp any host 192.168.20.2 eq 443

deny ip any any

Would that make those ports open from outside to the server on the inside which has IP 192.168.20.2?

Karsten, I've applied your settings.. it works like a charm! :>

Anyway, in the ACL I had to use my static outside IP, and not the internal NAT one :>

I've deleted the NAT forwarding of port 53 to the dummy address; now when I do a port scan from outside, 53 seems closed.

Here is config:

ip access-list extended INTERNET-IN

permit tcp any host MY_STATIC_OUTSIDE_IP eq 22

permit tcp any host MY_STATIC_OUTSIDE_IP eq 80

permit tcp any host MY_STATIC_OUTSIDE_IP eq 443

deny ip any any


Cheers!

"Anyway, in the ACL I had to use my static outside IP, and not the internal NAT one"

Yes, that's caused by the order of operations in IOS:

http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

When the packet enters the router, the ACL is checked before NAT is applied to the packet.

Have fun with your new firewall ... ;-)

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
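The order-of-operations point above, together with the CBAC behaviour Karsten describes earlier (with the static ACL denying everything, only answers to the router's or the LAN's own traffic get back in), as an added Python model. This is not code from the thread and not IOS; it walks an inbound packet through the outside interface in the order the thread relies on: inspection-created session first, then the static inbound ACL against the still-untranslated destination, then static NAT. The addresses 203.0.113.10 (standing in for MY_STATIC_OUTSIDE_IP) and 198.51.100.7 (an external scanner) are constructed, and port-preserving PAT is a simplifying assumption.

```python
from dataclasses import dataclass, replace

# Constructed addresses: the thread redacts the real outside IP.
OUTSIDE_IP = "203.0.113.10"     # stands in for MY_STATIC_OUTSIDE_IP
SERVER = "192.168.20.2"         # the ssh/http/https host from the running config
UPSTREAM_DNS = "84.255.209.79"  # first "ip name-server" in the running config


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Extended ACL entries: (action, proto, destination host or "any", dport or None).
# First match wins; a named ACL ends with an implicit "deny ip any any".
ACL_INSIDE_ADDR = [("permit", "tcp", SERVER, p) for p in (22, 80, 443)]       # the OP's first attempt
ACL_OUTSIDE_ADDR = [("permit", "tcp", OUTSIDE_IP, p) for p in (22, 80, 443)]  # what actually worked

# "ip nat inside source static tcp 192.168.20.2 <p> <p> extendable"
STATIC_NAT = {("tcp", p): (SERVER, p) for p in (22, 80, 443)}


class OutsideInterface:
    """gig0/0 with 'ip access-group <acl> in', 'ip inspect FW out' and 'ip nat outside'."""

    def __init__(self, acl_in):
        self.acl_in = acl_in
        # CBAC session table, filled by outbound inspection:
        # (proto, remote_ip, remote_port, translated_port) -> (original_src_ip, original_sport)
        self.sessions = {}

    def send_out(self, pkt):
        """Router or inside host -> internet. Inspection records the session and PAT rewrites
        the source. Port-preserving PAT is an assumption that keeps the model small."""
        self.sessions[(pkt.proto, pkt.dst, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=OUTSIDE_IP)

    def receive_in(self, pkt):
        """Internet -> router. Returns ("permit", packet after NAT) or ("deny", reason)."""
        # 1. Return traffic of an inspected session is let in dynamically, ahead of the static ACL.
        original = self.sessions.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if original is not None:
            return "permit", replace(pkt, dst=original[0], dport=original[1])
        # 2. The inbound ACL is evaluated BEFORE NAT, so it sees dst == OUTSIDE_IP, never 192.168.20.2.
        for action, proto, host, port in self.acl_in:
            if proto == pkt.proto and host in ("any", pkt.dst) and port in (None, pkt.dport):
                if action == "deny":
                    return "deny", f"acl: deny {proto} host {host} eq {port}"
                break
        else:
            return "deny", "acl: implicit deny ip any any"
        # 3. Only now does static NAT rewrite the destination for the published services.
        target = STATIC_NAT.get((pkt.proto, pkt.dport))
        if target is None:
            return "permit", pkt   # no translation: the router itself would answer (e.g. "ip dns server")
        return "permit", replace(pkt, dst=target[0], dport=target[1])


def scenarios(acl_in):
    """Run the thread's cases against one inbound ACL and return the verdicts."""
    gw = OutsideInterface(acl_in)
    scanner = "198.51.100.7"   # constructed external host
    r = {}
    # The original complaint: an unsolicited scan of port 53 (TCP and UDP) must be dropped.
    r["tcp53"] = gw.receive_in(Packet("tcp", scanner, 40000, OUTSIDE_IP, 53))[0]
    r["udp53"] = gw.receive_in(Packet("udp", scanner, 40001, OUTSIDE_IP, 53))[0]
    # The published HTTPS service: permitted by the ACL, then translated to the server.
    verdict, after = gw.receive_in(Packet("tcp", scanner, 40002, OUTSIDE_IP, 443))
    r["tcp443"], r["tcp443_dst"] = verdict, (after.dst if verdict == "permit" else None)
    # The router's own forwarder query ("router-traffic" keyword) and its reply: the reply
    # gets back in although the static ACL permits nothing on udp/53.
    gw.send_out(Packet("udp", OUTSIDE_IP, 51000, UPSTREAM_DNS, 53))
    verdict, after = gw.receive_in(Packet("udp", UPSTREAM_DNS, 53, OUTSIDE_IP, 51000))
    r["dns_reply"], r["dns_reply_dst"] = verdict, (after.dst if verdict == "permit" else None)
    # A "reply" with no matching outbound session is still dropped.
    r["dns_unsolicited"] = gw.receive_in(Packet("udp", UPSTREAM_DNS, 53, OUTSIDE_IP, 51001))[0]
    return r


if __name__ == "__main__":
    for name, acl in (("ACL on inside address", ACL_INSIDE_ADDR), ("ACL on outside address", ACL_OUTSIDE_ADDR)):
        print(name, scenarios(acl))
```

Running it shows why the OP's first ACL (written against 192.168.20.2) silently dropped the forwarded ports while the DNS reply still got through: step 2 compares against the pre-NAT destination, and step 1 never consults the ACL at all. The same model also explains why the dummy-address NAT forward of port 53 was never needed once the inbound ACL existed.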

Hi

I have another question. Now I've added inspection of incoming http, https and ssh traffic, but I'm not really sure whether I get any benefit from doing so. Is it worth it? :> Below is the current running config.

ip inspect name CBAC-OUT tcp router-traffic

ip inspect name CBAC-OUT udp router-traffic

ip inspect name CBAC-OUT icmp router-traffic

ip inspect name CBAC-OUT ftp

ip inspect name CBAC-IN http

ip inspect name CBAC-IN https

ip inspect name CBAC-IN ssh

!

!

!

!

interface GigabitEthernet0/0

ip address 255.255.0.0

ip access-group INBOUND in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect CBAC-IN in

ip inspect CBAC-OUT out

ip virtual-reassembly in

duplex auto

speed auto

!

!

ip access-list extended INBOUND

permit tcp any host eq 22

permit tcp any host eq www

permit tcp any host eq 443

There are two reasons for activating the inspections:

1) Make the traffic work. That's the case for FTP or other multi-channel protocols. The router must look into the traffic to find the ports on which the data channel will be established.

2) Apply extra protection to the traffic. That's the case with http, pop3, imap and so on. These are only needed if you want to filter your traffic based on upper-layer information.

So if your traffic works, you don't need any more inspections.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

So basically I'm not gaining anything by inspecting incoming traffic to my HTTPS server?

Not with https, but if you look at http, you could attach an L7 policy where you restrict your traffic based on HTTP headers. You could for example only allow specific methods, deny sessions from IE6 or search for keywords in the HTTP payload.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
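The kind of L7 policy Karsten describes, as an added Python model that is not part of the thread and is not the IOS application firewall itself: a method allow-list, a User-Agent deny for IE6, and a case-insensitive keyword search over the request target and body, evaluated over constructed plaintext HTTP requests. The last sample is the first bytes of a TLS ClientHello, which is the reason the same policy gains nothing on the HTTPS port: there is no parseable request to apply it to. The policy values and sample requests are constructed for the example.

```python
import re

# Policy knobs, constructed for the example.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
DENIED_USER_AGENT = re.compile(rb"MSIE [1-6]\.")         # IE6 and older
DENIED_KEYWORDS = [b"union select", b"../", b"<script"]  # matched case-insensitively in target and body
MAX_TARGET_LEN = 2048


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request parser. Returns None if the request is structurally invalid."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0].decode("ascii", "replace"), "target": parts[1],
            "headers": headers, "body": body}


def evaluate(raw: bytes) -> str:
    """Return 'allow' or 'reset: <reason>' for one plaintext HTTP request."""
    req = parse_request(raw)
    if req is None:
        return "reset: malformed request"
    if req["method"] not in ALLOWED_METHODS:
        return f"reset: method {req['method']} not allowed"
    if len(req["target"]) > MAX_TARGET_LEN:
        return "reset: request target too long"
    if DENIED_USER_AGENT.search(req["headers"].get(b"user-agent", b"")):
        return "reset: denied user-agent"
    haystack = (req["target"] + b"\n" + req["body"]).lower()
    for kw in DENIED_KEYWORDS:
        if kw in haystack:
            return f"reset: keyword {kw.decode()} found"
    return "allow"


# Constructed sample requests to the www.mydomain.net host from the running config.
SAMPLES = {
    "normal_get": b"GET /index.html HTTP/1.1\r\nHost: www.mydomain.net\r\n"
                  b"User-Agent: Mozilla/5.0 (X11; Linux)\r\n\r\n",
    "ie6": b"GET / HTTP/1.1\r\nHost: www.mydomain.net\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n",
    "put": b"PUT /upload HTTP/1.1\r\nHost: www.mydomain.net\r\nContent-Length: 2\r\n\r\nhi",
    "sqli_post": b"POST /login HTTP/1.1\r\nHost: www.mydomain.net\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"user=a' UNION SELECT 1,2--&pass=x",
    "traversal": b"GET /files/../../etc/passwd HTTP/1.1\r\nHost: www.mydomain.net\r\n\r\n",
    # Leading bytes of a TLS ClientHello: what an HTTP policy sees on tcp/443.
    "tls_hello": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
}


def run_all():
    """Evaluate every sample and return {name: verdict}."""
    return {name: evaluate(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:10s} {verdict}")
```

Keyword matching of this kind is a coarse signal, not an injection defence: it catches the obvious strings and nothing that is encoded or split across requests, which is the same limitation a router-side HTTP policy has.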

Thanks for clearing things up. I've removed the inbound inspection rules (the ones marked in red).
