Setting up CBAC for an Internet Connected Cisco Lab
I want to set up CBAC as the basis for firewall rules / filtering on a home lab. A high-level description of the setup is as follows (diagram attached):
ISP Router / Modem (SpeedTouch 780) supplied by ISP and flashed with their firmware / image, so locked down to "normal user" mode (i.e. - basic changes only). Has a LAN side switch with static IP of 192.168.1.254 /24 which is the Gateway of Last Resort for the 2811 Router
Cisco 2811 Router:
Fa0/0 (192.168.1.200 /24) is connected to LAN Side switch of the ISP Router Modem
Gi0/0/0 (no IP address at port level) is split into several sub-interfaces, 1 for each VLAN on the private network, each of which have an IP address used as the Default Gateway for devices on its respective VLAN
Provides DHCP to each of the VLANs
NATs each of the VLANs to the IP address of Fa0/0 so that the ISP Router Modem can pass internet-destined traffic onwards - necessary because static routes back to the VLANs are not possible as the ISP Router Modem is locked down (many thanks to @Jon Marshall for all his help with that!)
Question 1: If I want to apply CBAC in this situation, my assumption is that I would create the first acl on Fa0/0 in on the 2811 to block incoming traffic, and then acls on each of the VLAN sub-interfaces on Gi0/0/0 (e.g. Gi0/0/0.10 in) to control and check traffic coming out of each of them that is destined for the internet. Is my assumption correct? If so, then:
Question 2: Does this affect the inter-VLAN routing that is (presumably) happening on the 2811 Gi0/0/0 port between each of the VLANs?
Yes, you need an ACL on the outside interface with direction in to block incoming traffic, and you need the inspect out command to check outgoing connections and allow the reverse packets.
For sub-interfaces it's not mandatory to apply ACLs, but it is recommended. This isn't needed for inspecting internet traffic but for securing connections from clients in general. It will affect inter-VLAN routing.
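The following IOS configuration is an added example illustrating the answer above; it is not from the original post or from the poster's running config. The VLAN numbers, subnets, ACL and inspect names (CBAC-OUT, OUTSIDE-IN, VLAN10-IN, 10.10.10.0/24 on Gi0/0/0.10, 10.10.20.0/24 on Gi0/0/0.20) are assumptions chosen for the example; only Fa0/0 with 192.168.1.200/24 comes from the question. The existing NAT and DHCP configuration is assumed to be in place and is not repeated.

```cisco
! Added example, not the original poster's configuration.
! Assumed addressing: VLAN 10 = 10.10.10.0/24 on Gi0/0/0.10,
!                     VLAN 20 = 10.10.20.0/24 on Gi0/0/0.20.
!
! Inspection rule for sessions started from the inside. CBAC tracks
! each session and opens a temporary hole in the inbound ACL on the
! outside interface for the returning packets only.
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT icmp
ip inspect audit-trail
!
! Outside interface, direction in: drop everything unsolicited from the
! ISP router side. Return traffic is admitted by the CBAC state, so no
! static permit entries are required here.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
interface FastEthernet0/0
 ip address 192.168.1.200 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect CBAC-OUT out
!
! Optional client-side ACL on a VLAN sub-interface. It is evaluated on
! every packet arriving from VLAN 10, including packets routed to
! VLAN 20, so inter-VLAN traffic must be permitted explicitly or
! inter-VLAN routing for that VLAN is effectively cut off.
ip access-list extended VLAN10-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit udp 10.10.10.0 0.0.0.255 any eq 53
 permit tcp 10.10.10.0 0.0.0.255 any eq 80
 permit tcp 10.10.10.0 0.0.0.255 any eq 443
 permit icmp 10.10.10.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip access-group VLAN10-IN in
```

To check that the inspection is doing its job, open a connection from a VLAN 10 host to the internet and look at `show ip inspect sessions` (the half-open and established sessions CBAC is tracking) and `show ip access-lists OUTSIDE-IN` (the dynamically inserted permit entries appear above the static deny). If the VLAN10-IN ACL is applied and VLAN 10 hosts can no longer reach VLAN 20, the log hits on its final deny line show exactly which inter-VLAN flow still needs a permit entry.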