Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
441
Views
0
Helpful
1
Replies

Setting up CBAC for an Internet Connected Cisco Lab

LeeSteventon
Level 1
Level 1

‎01-25-2019 07:28 AM - edited ‎02-21-2020 08:42 AM

Hi All,

 

I want to setup CBAC as my basis for firewall rules / filtering on a home lab. High level description of the setup is as follows (diagram attached):

 

  • ISP Router / Modem (SpeedTouch 780) supplied by ISP and flashed with their firmware / image, so locked down to "normal user" mode (i.e. - basic changes only). Has a LAN side switch with static IP of 192.168.1.254 /24 which is the Gateway of Last Resort for the 2811 Router
  • Cisco 2811 Router:
    • Fa0/0 (192.168.1.200 /24) is connected to LAN Side switch of the ISP Router Modem
    • Gi0/0/0 (no IP address at port level) is split into several sub-interfaces, 1 for each VLAN on the private network, each of which have an IP address used as the Default Gateway for devices on its respective VLAN
    • Provides DHCP to each of the VLANs
    • NAT's each of the VLANs to the IP address of Fa0/0 so that the ISP Router Modem can pass internet destined traffic onwards - necessary as static routes back to the VLANs is not possible because the ISP Router Modem is locked down (many thanks to @Jon Marshall for all his help with that!)

 

Question 1: If I want to apply CBAC in this situation, my assumption is that I would create the first acl on Fa0/0 in on the 2811 to block incoming traffic, and then acls on each of the VLAN sub-interfaces on Gi0/0/0 (e.g. Gi0/0/0.10 in) to control and check traffic coming out of each of them that is destined for the internet. Is my assumption correct? If so, then:

 

Question 2: Does this affect the inter-vlan routing that is (presumably) happening on the 2811 Gi0/0/0 port between each of the VLAN's?

 

 

Many thanks in advance for all and any help!

Labels:
Preview file
417 KB
0 Helpful
1 Reply 1

Mohammed al Baqari
Level 11
Level 11

‎01-25-2019 07:49 PM

Hi,

Yes you need ACLs on outside interface with direction in to block incoming
traffic and you need inspect out command to check outgoing connections and
allow reverse packets

For sub-interfaces its not mandatory to apply ACLs but recommended. This
isn't needed for inspecting internet traffic but for securing connections
from clients in general. It will affect intervlan routing
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card