01-02-2013 05:08 AM - edited 03-04-2019 06:33 PM
Cisco 887VA, IOS 15.2(4)M2
ADSL 20/1 Mb/s
WAN: Fixed IP
LAN: 10.1.0.0 /16
Connection is up and running without any access-lists blocking/allowing traffic.
I'd like to modify the config, so it allows users only to http/https and domain, which works by attaching this access-list:
ip access-list extended inet
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
to the Dialer0 interface:
ip access-group test inet
Now, I'd actually like to also allow everything for one specific internal host, e.g. 10.1.10.1
Adding permit ip host 10.1.10.1 any to the access-list is not going to work. How should this be done? Thanks in advance!
Here are the important parts of my config:
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/48
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Vlan1
ip address 10.1.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
interface Dialer0
ip address negotiated
ip access-group test inet
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username <my username> password 0 <my password>
no cdp enable
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip access-list extended inet
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
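An added example, not from the original post or the replies, showing one way to get the per-host exemption to take effect: filter on the LAN interface (pre-NAT) rather than on Dialer0. It reuses the thread's addressing (10.1.0.0/16 on Vlan1, exempt host 10.1.10.1) and assumes the ACL on Dialer0 had been applied outbound; the ACL name lan-in is made up here.

```cisco
! Added example (not the original poster's config).
! Why "permit ip host 10.1.10.1 any" cannot work on Dialer0: for inside-to-outside
! traffic IOS performs the NAT translation (ip nat inside source ... overload)
! before evaluating an outbound ACL on the NAT outside interface, so by the time
! the Dialer0 ACL sees the packet its source is already the negotiated WAN address.
! An inbound ACL on the inside interface sees the original 10.1.x.x addresses.
ip access-list extended lan-in
 remark exempt host gets everything
 permit ip host 10.1.10.1 any
 remark everyone else: DNS and web only
 permit udp 10.1.0.0 0.0.255.255 any eq domain
 permit tcp 10.1.0.0 0.0.255.255 any eq domain
 permit tcp 10.1.0.0 0.0.255.255 any eq www
 permit tcp 10.1.0.0 0.0.255.255 any eq 443
 remark explicit deny with logging to see what gets dropped while tuning
 deny   ip any any log
!
interface Vlan1
 ip address 10.1.0.1 255.255.0.0
 ip access-group lan-in in
 ip nat inside
 ip virtual-reassembly in
!
! remove the ACL from the outside interface (assumes it was applied outbound)
interface Dialer0
 no ip access-group inet out
```

One caveat: an inbound ACL on Vlan1 also filters traffic addressed to the router itself, so if LAN hosts reach the router for DNS, SSH or telnet, add explicit permits for those flows to 10.1.0.1 above the deny line. The NAT access-list 101 is unaffected and stays as in the thread.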
01-02-2013 07:14 PM
Hi,
I notice you are configuring this on a C887. Therefore I would recommend using CCP (Cisco Configuration Professional); the express edition is installed on your router, or you can download the full edition if you have access from your CCO.
Anyway... I would use the CCP to configure ZBF (Zone Based Firewall); this will lock down your router and does an extremely good job at it. You simply define your inside (LAN) and outside (WAN), next, next, Finish!
Now a quick side note: if this "host 10.1.10.1" is going to be accessed from the outside interface, I would place this in a DMZ. Again, the GUI will walk you through this; just ensure that specific host is plugged into the port you assign to the DMZ. Additionally, if you are running a specific application on the host, e.g. it's an FTP/HTTP server, I would then use an access list on that specific port to only allow FTP/HTTP traffic.
The great advantage of doing the above is the router will inspect traffic leaving your router's outside interface and allow return traffic. However, if outside traffic tries to initiate a connection with the router it will be dropped. If the outside initiates a connection with 10.1.10.1 it will be allowed, assuming correct config/NAT etc. Finally, you will have to allow the inside hosts access to the DMZ; I believe this will be denied by default.
P.S. If this is a home router, be careful with how thoroughly you set the ZBF to inspect the traffic, as it will deny common applications like Yahoo and MSN servers to block instant messengers. I personally have mine set to "medium" via the GUI and I have not had an issue yet.
HTH
Kind Regards,
Liam
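An added example, not the CCP wizard's output or Liam's own config, of a minimal Zone-Based Firewall in CLI form doing what the reply describes: inspect LAN-to-WAN sessions so return traffic is allowed, and drop anything the WAN initiates. Interface roles follow the thread (Vlan1 = LAN, Dialer0 = WAN); the zone, class-map, policy-map and ACL names are made up here, and the DMZ zone from the reply is left out.

```cisco
! Added example (not from the thread).
! Exempt host from the question: match it by ACL so it can start any protocol.
! ZBF classifies LAN-to-WAN traffic before inside-to-outside NAT, so the
! original LAN address is what the ACL sees.
ip access-list extended exempt-host
 permit ip host 10.1.10.1 any
!
class-map type inspect match-all exempt-host-all
 match access-group name exempt-host
!
! Everyone else: only DNS and web sessions are inspected (and therefore allowed).
class-map type inspect match-any lan-to-wan
 match protocol dns
 match protocol http
 match protocol https
!
policy-map type inspect lan-to-wan-policy
 class type inspect exempt-host-all
  inspect
 class type inspect lan-to-wan
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
!
! Only a LAN->WAN pair exists; with no WAN->LAN pair, sessions the WAN tries to
! initiate toward the LAN are dropped by the inter-zone default.
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect lan-to-wan-policy
!
interface Vlan1
 zone-member security LAN
interface Dialer0
 zone-member security WAN
```

Two points worth checking after applying something like this: the router's own traffic (the PPP session, NAT, any DNS the router does itself) belongs to the built-in self zone and is still permitted because no policy is attached to a self zone-pair, and "show policy-map type inspect zone-pair sessions" shows which inspected sessions are open, which is the quickest way to confirm return traffic is being allowed for the right hosts.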
01-03-2013 04:27 AM
Thanks, I've used CCP before but was not too familiar with the product.
Anyway, I've installed it on Windows 8 (needed some tweaks: run as admin and press F12 to switch to compat. mode).
So, I did a write erase and a reload, then some basic config so I could connect to the router with CCP.
From there I configured everything using wizards: my DSL connection, the NAT setup and the Firewall. A little bit more tweaking and everything is working as I wanted. So thanks for pointing me to the wizards.
All the best,
Barry
01-03-2013 04:33 AM
No problem at all. Glad all is running as you wanted.
A tip on CCP: if you go into the settings somewhere, you can actually set an option to preview commands before you write them to the device. I find this an invaluable learning tool.
For example, for VPN configuration, choose all your settings and then you can preview the CLI before you apply it. I copy this to Notepad and then like to go to the CLI and configure it step by step using context-sensitive help.
HTH
Kind Regards,
Liam