help config cisco firewall

malai.joseph (Level 1)

Hi

I am new to Cisco but able to learn new things very fast. Please help me configure the router as a firewall. Below is my config of the router and switch; all VLANs are able to browse. I want my router to be secured, please.

//cisco router 1921
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1921
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$mhnT$R2weEBZ4l3mQI7W5Q80xr1
!
no aaa new-model
!
!
!
clock timezone EST 3
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip name-server 196.46.k.t
ip name-server 196.46.d.t
!
multilink bundle-name authenticated
!
!
!

!
!
!
redundancy
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description connection to LAN
ip address 10.10.10.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex full
speed 1000
ntp disable
!
!
interface GigabitEthernet0/1
description connection to INTERNET
ip address 196.43.x.p 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ntp disable
!
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip flow-export source GigabitEthernet0/1
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 196.43.x.y
ip route 192.168.3.0 255.255.255.0 10.10.10.2
ip route 192.168.5.0 255.255.255.0 10.10.10.2
!
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.3 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
!
!
no cdp run

!
!
!
!
!
control-plane
!
!
banner motd ^CThis is an official computer system and is the property of the ORGANIZATION. It is for authorized users only. Unauthorized users are prohibited. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or
^C
!
line con 0
line aux 0
line vty 0 4
password 7 09594C000B0C101B1105426063
login
line vty 5 15
password 7 09594C000B0C101B1105426063
login local
!
scheduler allocate 20000 1000
end

//switch 3560G conf

version 12.0
Switch-A> en
Switch-A# conf t
Switch-A(config)# hostname Switch-A
Switch-A(config)# banner motd $This is an official computer system and is the property of the ORGANIZATION. It is for authorized users only. Unauthorized users are prohibited. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system may be subject to one or more of the following actions: interception, monitoring, recording, auditing, inspection and disclosing to security personnel and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to these actions. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By accessing this system you indicate your awareness of and consent to these terms and conditions of use. Discontinue access immediately if you do not agree to the conditions stated in this notice.
$
Switch-A(config)# ip routing

Switch-A(config)# enable secret $$$$$$$
Switch-A(config)# service password-encryption
Switch-A(config)# no service tcp-small-servers
Switch-A(config)# no service udp-small-servers
Switch-A(config)# no ip bootp server
Switch-A(config)# no ip finger
Switch-A(config)# no service finger
Switch-A(config)# no service config
Switch-A(config)# no boot host
Switch-A(config)# no boot network
Switch-A(config)# no boot system
Switch-A(config)# no service pad

Switch-A(config)# ip name-server 196.46.k.t
Switch-A(config)# ip name-server 196.46.d.t
Switch-A(config)# no ip domain-lookup
Switch-A(config)# no ip http server
Switch-A(config)# no snmp-server community
Switch-A(config)# no snmp-server enable traps
Switch-A(config)# no snmp-server system-shutdown
Switch-A(config)# no snmp-server
Switch-A(config)# no cdp run

Switch-A(config)# vlan 4
Switch-A(config-vlan)# exit
Switch-A(config)# vlan 6
Switch-A(config-vlan)# exit

Switch-A(config)# interface vlan1
Switch-A(config-if)# description *** DEFAULT VLAN - Do NOT Use! ***
Switch-A(config-if)# no ip address
Switch-A(config-if)# shutdown

Switch-A(config)# interface vlan4
Switch-A(config-if)# description server's farm
Switch-A(config-if)# ip address 192.168.3.1 255.255.255.0
Switch-A(config-if)# ip access-group vlan4 in
Switch-A(config-if)# no shutdown

Switch-A(config)# interface vlan6
Switch-A(config-if)# description SECURITY
Switch-A(config-if)# ip address 192.168.5.1 255.255.255.0
Switch-A(config-if)# ip access-group vlan6 in
Switch-A(config-if)# no shutdown

Switch-A(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.1

Switch-A(config)# interface G0/1
Switch-A(config-if)# description connection to router
Switch-A(config-if)# no switchport
Switch-A(config-if)# ip address 10.10.10.2 255.255.255.252
Switch-A(config-if)# no shutdown
Switch-A(config-if)# exit

Switch-A(config)# interface range G0/6-8
Switch-A(config-if-range)# description security
Switch-A(config-if-range)# switchport mode access
Switch-A(config-if-range)# switchport access vlan 6
Switch-A(config-if-range)# no shutdown
Switch-A(config-if-range)# exit

Switch-A(config)# interface range G0/10-24
Switch-A(config-if-range)# description SERVER'S FARM
Switch-A(config-if-range)# switchport mode access
Switch-A(config-if-range)# switchport access vlan 4
Switch-A(config-if-range)# no shutdown
Switch-A(config-if-range)# exit
Switch-A(config)# end
Switch-A# wr

thx

joe

Accepted Solution

Maykol Rojas (Cisco Employee)

Hi,

There is not really a method to say that the router is secure. First, we need to know which traffic is going to be allowed in/out, meaning whether you are going to have incoming traffic to this router or if it is just going to be for internet access, etc.

Basic firewall would be like this:

ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp
!
access-list 170 deny ip any any
!
interface GigabitEthernet0/1
 ip inspect fw out
 ip access-group 170 in

That would deny any traffic from going inside your network while having packet inspection at layer 4. If you want to be more granular, you can inspect the specific protocol you want at the application layer, such as SMTP; that way, you add a protocol to the inspection rule already defined:

ip inspect name fw smtp

Hope this helps

Document for reference:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Mike
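Applying the accepted answer to the poster's own 1921, as an added example that is not part of the original post or of the linked Cisco document: the inspection rule goes outbound on the internet-facing Gi0/1 and the deny-all ACL inbound, so Classic Firewall (CBAC) inserts temporary permit entries for the return traffic of sessions started from the LAN while anything unsolicited from the internet is dropped and counted. The management-plane block at the end goes beyond the answer and merges the two vty ranges into one SSH-only, local-login range; the ACL name MGMT, the domain name, the username and the password are placeholders. Two things to check before pasting this in: ip inspect on a 1921 needs the securityk9 technology package (show license), and on IOS 15 Cisco recommends Zone-Based Firewall for new deployments, although Classic Firewall as shown in the answer still works. Two caveats from the posted configs themselves: the switch applies ACLs vlan4 and vlan6 that are never defined, and on IOS an access-group pointing at an undefined ACL permits everything, so those VLANs are currently unfiltered; and the first entry of the router's NAT list (10.0.0.0 0.0.0.3) does not match the 10.10.10.0/30 transit link, which is harmless only because the transit link never needs translation.

```cisco
! Classic Firewall (CBAC) inspection rule, exactly as in the answer.
! Generic tcp/udp/icmp inspection is enough for LAN-initiated web, DNS and ping;
! add application protocols (e.g. "ip inspect name fw smtp") only when needed.
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp
!
! Inbound filter for the internet interface: nothing unsolicited is allowed in.
! CBAC evaluates its dynamic session entries before this ACL, so replies to
! inspected outbound sessions still get through. "log" makes drops visible in
! syslog and in the hit counter of "show access-list 170".
access-list 170 deny ip any any log
!
interface GigabitEthernet0/1
 description connection to INTERNET
 ip inspect fw out
 ip access-group 170 in
!
! Management plane (assumed values): reach the router only over SSH and only
! from the server VLAN. Domain name, username and password are placeholders.
ip domain-name example.org
username admin privilege 15 secret ChangeMe123
crypto key generate rsa modulus 2048
ip ssh version 2
!
ip access-list standard MGMT
 permit 192.168.3.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Verification from enable mode:
!   show ip inspect config     - the fw rule and the protocols it inspects
!   show ip inspect sessions   - sessions CBAC is currently tracking
!   show access-list 170       - hit count on the inbound deny
```

Traffic the router originates itself (a ping or DNS query from the router rather than through it) is not tracked by a plain inspection rule; if that matters, create the rule with the router-traffic keyword, for example ip inspect name fw icmp router-traffic. After applying the change, a browse from a host in the server VLAN should appear in show ip inspect sessions, and an unsolicited connection attempt from the internet should increment the deny counter in show access-list 170.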

2 Replies

Thanks very much, Mike.
