07-17-2010 03:23 AM - edited 03-11-2019 11:12 AM
Hi all,
I am very new to Cisco, and routing/firewalls in general.
I bought myself a Cisco 1812. It's connected via Fe/0 to an ADSL modem in pure bridge mode, so the 1812 is doing all the PPP auth.
I've been following this guide: Zone-Based Policy Firewall Design and Application Guide. So far I've got everything set up. PPP works, F/W works, I have a single port forward working, and I've port scanned the router to ensure that only the ports I've allowed are open.
I am quite stuck now. I have created a DMZ zone. I have allowed SSH and HTTPS from my LAN-zone into my DMZ-zone. This works without a hitch. The DMZ is on a different subnet and hangs off Fa/6.
Where I am stuck is I want full access from the WAN-zone into the DMZ-zone. I can't seem to get this to work.
Each host in the DMZ has its own firewall, so I don't want the Cisco to do anything.
I have attached my current running config.
Thanks
07-18-2010 10:57 PM
Will it be possible for you to attach the config, so that we can look at the whole config?
To isolate the issue further, you can disable the firewall on WAN and DMZ for a minute by removing the zone security command and try to get to the internet from the DMZ hosts, but be careful, as you will end up disturbing traffic from LAN to WAN.
So what you can do is, for a minute, remove the zone security commands from all interfaces and test DMZ-WAN connectivity.
I understand this might not be possible, so if it's OK with you, could you please attach the config so that we can take a look at everything?
07-18-2010 11:04 PM
jathaval,
Config is attached to my original post, in a zip file.
I cannot pull the firewall off; it's a PROD environment. Anything else I can try?
07-18-2010 11:17 PM
You do not have ip nat inside on Vlan 90,
and also include this network in ACL 101.
07-19-2010 02:06 AM
Solved
As soon as I added the ip nat inside and updated ACL 101, it worked!
It's always the simple things; it's a learning experience after all.
Thanks everyone.
07-19-2010 03:33 AM
Brendan,
Glad it's solved. Just a quick answer to your previous example:
You wrote:
Thanks Mohamed,
I think this is right?
!
zone-pair security WAN-DMZ source WAN destination DMZ
 service-policy type inspect WAN-to-DMZ-policy
zone-pair security DMZ-WAN source DMZ destination WAN
 service-policy type inspect WAN-to-DMZ-policy
!
policy-map type inspect WAN-to-DMZ-policy
 class type inspect DMZ-class
  pass
 class class-default
!
class-map type inspect match-any DMZ-class
 match access-group 130
!
access-list 130 remark DMZ access all
access-list 130 permit ip any any
!
If that's right... then I must have something else wrong, as my machine in the DMZ still can't access any services on the internet.
Quick question: should the default gateway on machines on Vlan90 be 192.168.90.254 (Fe/6), or should it be 192.168.0.254 (Fe/1)?
If you set the pass action on the policy map, then you have to create another pair and policy that permits the return traffic from DMZ to WAN. Otherwise, my example should solve your problem if you need WAN access to the DMZ, as it will inspect the traffic and will permit the return traffic, since it's stateful.
HTH
Mohamed
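The two answers in this thread, put together in one config fragment as an added example (this is not the poster's attached config, nor either responder's own code): jathaval's fix of adding ip nat inside to the DMZ SVI and the DMZ subnet to ACL 101, and Mohamed's point that pass is stateless and needs a second zone-pair for the replies, whereas inspect is stateful and does not. The interface names (Fa6 in Vlan90 as the DMZ, Dialer0 as the PPP/WAN interface), the 192.168.0.0/24 LAN and 192.168.90.0/24 DMZ addressing, ACL 101 being the NAT source list, and the static NAT entry for a DMZ host at 192.168.90.10 are all assumptions, not taken from the attached config.

```cisco
! Added example, not the attached running config. Assumed: Fa6 in Vlan90
! is the DMZ, Dialer0 is the PPP/WAN interface, ACL 101 is the NAT source
! list, 192.168.90.10 is a DMZ host that should be reachable from the WAN.
!
! ---- Part 1: jathaval's fix -------------------------------------------
! Without "ip nat inside" on the DMZ SVI, and without the DMZ subnet in
! the NAT source ACL, DMZ packets leave Dialer0 with their private source
! address and no reply ever comes back, whatever the zone policy says.
interface FastEthernet6
 switchport access vlan 90
!
interface Vlan90
 description DMZ (hosts use 192.168.90.254 as their default gateway)
 ip address 192.168.90.254 255.255.255.0
 ip nat inside
 zone-member security DMZ
!
access-list 101 remark NAT source networks: LAN and DMZ
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.90.0 0.0.0.255 any
!
ip nat inside source list 101 interface Dialer0 overload
! WAN-initiated sessions also need a static mapping to a DMZ host
! (assumed host and port); the firewall policy alone does not make a
! private address reachable from the internet.
ip nat inside source static tcp 192.168.90.10 443 interface Dialer0 443
!
! ---- Part 2: pass versus inspect (Mohamed's answer) ---------------------
! Zone-pairs are one-directional. "pass" forwards matching packets but
! creates no session, so the replies need their own pair and policy.
! Shown commented out because only one zone-pair per source/destination
! pair can exist and the inspect version below is the one to apply.
access-list 130 remark DMZ access all
access-list 130 permit ip any any
!
class-map type inspect match-any DMZ-any
 match access-group 130
!
policy-map type inspect WAN-DMZ-pass
 class type inspect DMZ-any
  pass
 class class-default
  drop
!
! zone-pair security WAN-DMZ source WAN destination DMZ
!  service-policy type inspect WAN-DMZ-pass
! zone-pair security DMZ-WAN source DMZ destination WAN
!  service-policy type inspect WAN-DMZ-pass   ! needed only for replies
!
! "inspect" creates a stateful session, so the return traffic of a
! session opened from the WAN is matched against that session and no
! rule for it is needed on the DMZ->WAN pair. Sessions the DMZ hosts
! open towards the internet are the other direction and still need
! their own inspected pair, which is why the pair below exists.
class-map type inspect match-any DMZ-protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect WAN-to-DMZ-policy
 class type inspect DMZ-protocols
  inspect
 class class-default
  drop
!
policy-map type inspect DMZ-to-WAN-policy
 class type inspect DMZ-protocols
  inspect
 class class-default
  drop
!
zone-pair security WAN-DMZ source WAN destination DMZ
 service-policy type inspect WAN-to-DMZ-policy
zone-pair security DMZ-WAN source DMZ destination WAN
 service-policy type inspect DMZ-to-WAN-policy
```

Two checks after applying it: show policy-map type inspect zone-pair sessions lists the stateful sessions the inspect action created for each pair, and show ip nat translations shows whether DMZ sources are actually being translated out of Dialer0. On the default gateway question above: hosts on Vlan90 must use 192.168.90.254, the router's own address on that subnet; 192.168.0.254 sits on a different subnet and is not reachable as a gateway from 192.168.90.0/24.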
07-19-2010 02:41 PM
Mohamed,
I did change it to inspect. So I should only need a WAN-to-DMZ policy and not a DMZ-to-WAN one?
I am still getting my head around inspect and pass etc.
For now I will leave this as is; I'll do some more reading.
Thanks for all your help!