04-20-2011 06:22 PM - edited 03-04-2019 12:08 PM
Hello
I am trying to set up my Cisco 520 router with a firewall that will:
DMZ
- Allow port 80 traffic to the vlan 20
- Block all other incoming ports to vlan 20 (unless initialised from inside)
- Allow all outgoing ports on vlan 20
- Block all access from vlan 20 to vlan 10 (unless initialised from vlan 10)
General Network
- Block all incoming ports to vlan 10 (unless initialised from inside)
- Allow all outgoing ports on vlan 10
- Allow all access from vlan 10 to vlan 20
I have read some articles on this, and I need a bit of help understanding some things.
I'll post my understanding so far with some questions.
Any help and or corrections would be greatly appreciated!
First, configure basic firewall with no port 80 access
Router(config)# access-list 103 deny ip any any
Router(config)# access-list 103 permit host 200.1.1.1 eq isakmp any (1. Why 200.1.1.1? What does this command do?)
Inspect Rules (2. Are all these necessary? Are there more than this?)
Router(config)# ip inspect name firewall tcp
Router(config)# ip inspect name firewall rtsp
Router(config)# ip inspect name firewall h323
Router(config)# ip inspect name firewall netshow
Router(config)# ip inspect name firewall ftp
Router(config)# ip inspect name firewall sqlnet
Apply Access List to Interface
Router(config)# interface vlan 10
Router(config-if)# ip inspect firewall in
Router(config-if)# exit
Router(config)# interface vlan 20
Router(config-if)# ip inspect firewall in
Router(config-if)# exit
Router(config)# interface (3. ATM? ATM.0? Dialer0?) - Note I am using ADSL over PPPoA with ATM ATM.0 and Dialer0 interfaces
Router(config-if)# ip access-group 103 in
Router(config-if)# exit
Configure VLAN10 to VLAN20 rules
int vlan 10
desc General Network
ip access-group 100 in
ip nat inside
int vlan 20
desc DMZ
ip access-group 101 in
ip nat inside
ip nat inside source list 1 interface Dialer0 overload
access-list 1 remark Permitted Subnets to go out to the Internet
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark Restricted Inside network Access
access-list 100 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit udp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 53
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 remark Restricted DMZ network Access
access-list 101 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
access-list 101 permit udp 192.168.20.0 0.0.0.255 eq 53 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
04-21-2011 06:43 AM
Hi,
Can you try this one: access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq 22
Regards.
Alain.
04-21-2011 12:54 AM
Hi,
First, configure basic firewall with no port 80 access
Router(config)# access-list 103 deny ip any any
Router(config)# access-list 103 permit host 200.1.1.1 eq isakmp any (1. Why 200.1.1.1? what does this command do?)
Your second line will never get hit, as you are denying everything in your first line, so you should get rid of line 1 and leave the implicit deny all.
There is also an error in line 2: it should say access-list 103 permit udp host 200.1.1.1 eq isakmp any
It will permit initiation of phase 1 from the other end router in IPSec VPN creation, that's why you have a public ip address which should be the WAN ip address of the other router.
Inspect Rules (2. Are all these necessary? are there more than this?)
Yes, there are a lot more, but I would inspect udp also.
Router(config)# interface (3. ATM? ATM.0? Dialer0?)
I would apply on Dialer0 but I'm not 100% sure.
(4. Do the above VLAN10 and VLAN20 rules seem correct?)
As you're using CBAC, there is no need for the established keyword anymore.
access-list 1 permit 192.168.10.0 0.0.0.255: shouldn't it be 192.168.20.0?
(5. How do i now forward incomming HTTP port 80 traffic to 192.168.20.0?)
You must use static PAT: ip nat inside source static tcp 192.168.20.254 80 interface Dialer0 80
This is only a 1-1 relationship.
6. Even better, can i forward the HTTP traffic from a different mapped port other than 80? And can this be forwarded to a specific IP address eg. 192.168.20.254?)
Yes of course: ip nat inside source static tcp 192.168.20.254 80 interface Dialer0 8080 or ip nat inside source static tcp 192.168.20.254 8080 interface Dialer0 80
Regards.
Alain.
04-21-2011 01:28 AM
Thank you Alain,
Here are the revised commands.
Please let me know if I've made any errors, cheers!!
Router(config)# access-list 103 deny ip any any
Router(config)# ip inspect name firewall tcp
Router(config)# ip inspect name firewall udp
Router(config)# ip inspect name firewall rtsp
Router(config)# ip inspect name firewall h323
Router(config)# ip inspect name firewall netshow
Router(config)# ip inspect name firewall ftp
Router(config)# ip inspect name firewall sqlnet
Router(config)# interface vlan 10
Router(config-if)# description General Network
Router(config-if)# ip access-group 100 in
Router(config-if)# ip inspect firewall in
Router(config-if)# ip nat inside
Router(config)# interface vlan 20
Router(config-if)# description DMZ
Router(config-if)# ip access-group 101 in
Router(config-if)# ip inspect firewall in
Router(config-if)# ip nat inside
Router(config)# interface Dialer 0
Router(config-if)# ip access-group 103 in
Router(config)# ip nat inside source list 1 interface Dialer0 overload
Router(config)# access-list 1 remark Permitted Subnets to go out to the Internet
Router(config)# access-list 1 permit 192.168.10.0 0.0.0.255
Router(config)# access-list 1 permit 192.168.20.0 0.0.0.255
Router(config)# access-list 100 remark Restricted Inside network Access
Router(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Router(config)# access-list 100 permit udp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 53
Router(config)# access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Router(config)# access-list 100 permit ip 192.168.10.0 0.0.0.255 any
Router(config)# access-list 101 remark Restricted DMZ network Access
Router(config)# access-list 101 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
Router(config)# access-list 101 permit udp 192.168.20.0 0.0.0.255 eq 53 192.168.10.0 0.0.0.255
Router(config)# access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Router(config)# access-list 101 permit ip 192.168.20.0 0.0.0.255 any
Router(config)# ip nat inside source static tcp 192.168.20.254 80 interface Dialer0 8080
04-21-2011 02:02 AM
Hi Richard,
This is what I did on my 806 router as a basic firewall with DMZ, and I hope this will help you.
DMZ interface
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
ISP interface
interface Ethernet1
ip address 216.93.82.8 255.255.255.240
ip nat outside
!
!
Default route to ISP's gateway
ip route 0.0.0.0 0.0.0.0 216.93.82.1
Static route to inside filter router (internal LAN traffic)
ip route 172.17.0.0 255.255.0.0 10.10.10.2
!
Allow traffic from internal LAN out
access-list 1 permit 172.17.0.0 0.0.255.255
!
ip nat inside source list 1 interface Ethernet1 overload
Send incoming SMTP mail traffic to Solaris box
ip nat inside source static tcp 10.10.10.5 21 216.93.82.8 25 extendable
Send incoming Web traffic to Debian box
ip nat inside source static tcp 10.10.10.3 80 216.93.82.8 80 extendable
Please rate all the helpful posts.
Regards,
Naidu.
04-21-2011 02:37 AM
Hello thanks for that,
I have tried the configuration I posted above and, well, it's not working how I intended. And I'm really struggling to see why.
I need these rules:
DMZ
- Allow port 80 traffic to the vlan 20
- Block all other incoming ports to vlan 20 (unless initialised from inside)
- Allow all outgoing ports on vlan 20
- Block all access from vlan 20 to vlan 10 (unless initialised from vlan 10)
General Network
- Block all incoming ports to vlan 10 (unless initialised from inside)
- Allow all outgoing ports on vlan 10
- Allow all access from vlan 10 to vlan 20
But with the commands I posted two posts above,
vlan 10 cannot ping vlan 20
vlan 20 cannot ping vlan 10
Thanks
04-21-2011 02:20 AM
Hi,
I would permit DHCP traffic in ACL 103: permit udp any any eq bootpc, otherwise you'll have no IP address from your ISP unless you have a static IP.
I would add ip inspect log drop-pkt in global config and ip inspect firewall icmp.
You can get rid of the established keyword in ACL 101.
Then I would test communication between VLANs and then with the internet (with pings).
Regards.
Alain.
04-21-2011 03:20 AM
Hi Richard,
OK, I am assuming the VLAN 10 IP range is 192.168.10.0 and the VLAN 20 range is 192.168.20.0,
and following the below config may help you.
Router(config)# access-list 101 deny tcp any 192.168.20.0 0.0.0.255
Router(config)# access-list 101 deny udp any 192.168.20.0 0.0.0.255
Router(config)# access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Router(config)# access-list 101 permit tcp any any eq 80
Router(config)# access-list 101 permit tcp 192.168.20.0 0.0.0.255 any
Router(config)# access-list 101 permit udp 192.168.20.0 0.0.0.255 any
Router(config)# access-list 100 deny tcp any 192.168.20.0 0.0.0.255
Router(config)# access-list 100 deny udp any 192.168.20.0 0.0.0.255
Router(config)# access-list 100 permit ip any 192.168.20.0 0.0.0.255
Router(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 any
Router(config)# access-list 100 permit udp 192.168.10.0 0.0.0.255 any
Hope the above will help you.
Please rate all the helpful posts.
Regards,
Naidu.
04-21-2011 03:35 AM
Hello Naidu,
I'm a bit confused, won't this line deny access from 192.168.10.0 to 192.168.20.0?
Router(config)# access-list 100 deny tcp any 192.168.20.0 0.0.0.255
Router(config)# access-list 100 deny udp any 192.168.20.0 0.0.0.255
I am trying to allow all traffic initiated by 192.168.10.0 towards 192.168.20.0
and deny all traffic initiated by 192.168.20.0 towards 192.168.10.0.
Since vlan 20 is my DMZ, I do not want it to be able to access vlan 10, but I do want vlan 10 to be able to access vlan 20.
Or is this command working how it should?
Thanks
04-21-2011 03:48 AM
Hi Richard,
I'm a bit confused, won't this line deny access from 192.168.10.0 to 192.168.20.0?
Router(config)# access-list 100 deny tcp any 192.168.20.0 0.0.0.255
Router(config)# access-list 100 deny udp any 192.168.20.0 0.0.0.255
I just denied tcp & udp as you want to block all outgoing ports on vlan 20.
Since vlan 20 is my DMZ, I do not want it to be able to access vlan 10, but I do want vlan 10 to be able to access vlan 20.
The following rule will do the needful:
Router(config)# access-list 100 permit ip any 192.168.20.0 0.0.0.255
Hope the above will help you.
Please rate all the helpful posts.
Regards,
Naidu.
04-21-2011 04:02 AM
Thank you Naidu,
I will give those commands a try.
Before I do, I want to make sure I've got the commands correct to open two ports on the router and forward them to 192.168.20.254.
I want port 22 open translated to port 54321 (external port) and pointing to 192.168.20.254
I want port 80 open and pointing to 192.168.20.254
This is what I have. I tried these previously and ran an external port scan; unfortunately it showed these ports still blocked.
Router(config)# access-list 103 permit tcp any host 192.168.20.254 eq 80
Router(config)# access-list 103 permit tcp any host 192.168.20.254 eq 54321
Router(config)# ip nat inside source static tcp 192.168.20.254 22 interface Dialer0 54321
Router(config)# ip nat inside source static tcp 192.168.20.254 80 interface Dialer0 80
Thank you for all the help. Much appreciated.
Cheers
04-21-2011 04:09 AM
Hi,
Router(config)# access-list 103 permit tcp any host 192.168.20.254 eq 80
Router(config)# access-list 103 permit tcp any host 192.168.20.254 eq 54321
It can't work; you must use the public IP, not the private one.
To prove it, just do a show access-list and you won't see hits for these 2 lines.
Regards.
Alain.
04-21-2011 04:13 AM
Router#sh access-lists
Extended IP access list 103
10 permit tcp any host 192.168.20.254 eq www
This is showing up!
04-21-2011 04:21 AM
Hi,
I didn't say it wouldn't be showing up, I said you would have no matches for these lines but only matches for the implicit deny. Look at the right of the ACL line.
Regards.
Alain.
04-21-2011 04:29 AM
So should I open the port on the Dialer0 interface (my external IP),
then use NAT to forward the port to the server 192.168.20.254?
If so, how would I do this? Thanks
04-21-2011 04:46 AM
Yes but as you are using a public IP given with DHCP from ISP, you'll have to permit for any ip address.
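As an added example (not code from this thread and not Cisco IOS code) tying together the two points Alain makes above, that a leading `deny ip any any` shadows every later entry, and that an inbound ACL on Dialer0 is evaluated before static PAT rewrites the destination, so it must permit the public (or any) address rather than 192.168.20.254, here is a small Python model of first-match ACL evaluation. The remote and public addresses are constructed (RFC 5737 ranges), and only destination ports are modelled.

```python
from ipaddress import ip_address, ip_network

# Added example for this thread (not Cisco IOS code): a simplified model of
# extended-ACL evaluation. First matching entry wins and every ACL ends in an
# implicit "deny ip any any". Only destination ports are modelled; all
# addresses below are constructed (RFC 5737 ranges stand in for the WAN side).
def ace(action, proto, src="0.0.0.0/0", dst="0.0.0.0/0", dport=None):
    return (action, proto, ip_network(src), ip_network(dst), dport)

def matches(entry, pkt):
    action, proto, src, dst, dport = entry
    p_proto, p_src, p_dst, p_dport = pkt
    return ((proto == "ip" or proto == p_proto)
            and ip_address(p_src) in src and ip_address(p_dst) in dst
            and (dport is None or dport == p_dport))

def evaluate(acl, pkt):
    """Return (action, index); index None means the implicit deny fired."""
    for i, entry in enumerate(acl):
        if matches(entry, pkt):
            return entry[0], i
    return "deny", None

def inbound_on_dialer(acl, pat, pkt):
    """Inbound on the outside interface the ACL sees the packet BEFORE static
    PAT rewrites the destination, so ACL 103 must permit the public (or any)
    address rather than 192.168.20.254."""
    action, idx = evaluate(acl, pkt)
    if action == "deny":
        return "dropped", idx
    proto, _src, _dst, dport = pkt
    inside = pat.get((proto, dport))  # (inside host, inside port)
    return ("forwarded", inside) if inside else ("no-translation", None)

# The original post's ACL 103: the first entry shadows everything after it.
ACL_103_SHADOWED = [ace("deny", "ip"), ace("permit", "udp", src="200.1.1.1/32")]
# Permitting the private server address: never hit, the packet still carries the public IP.
ACL_103_PRIVATE = [ace("permit", "tcp", dst="192.168.20.254/32", dport=80)]
# Permit for any address, as suggested once the WAN address comes from ISP DHCP.
ACL_103_OPEN = [ace("permit", "tcp", dport=80), ace("permit", "tcp", dport=54321)]
# Static PAT entries from the thread: Dialer0:80 -> .254:80 and Dialer0:54321 -> .254:22.
STATIC_PAT = {("tcp", 80): ("192.168.20.254", 80), ("tcp", 54321): ("192.168.20.254", 22)}
# Constructed packets: 203.0.113.10 plays the Dialer0 public address.
WEB_FROM_INTERNET = ("tcp", "198.51.100.7", "203.0.113.10", 80)
SSH_FROM_INTERNET = ("tcp", "198.51.100.7", "203.0.113.10", 54321)
if __name__ == "__main__":
    print(evaluate(ACL_103_SHADOWED, ("udp", "200.1.1.1", "203.0.113.10", 500)))  # ('deny', 0)
    print(inbound_on_dialer(ACL_103_PRIVATE, STATIC_PAT, WEB_FROM_INTERNET))  # ('dropped', None)
    print(inbound_on_dialer(ACL_103_OPEN, STATIC_PAT, SSH_FROM_INTERNET))  # ('forwarded', ('192.168.20.254', 22))
```

The `show access-lists` hit counters Alain refers to correspond to the index returned by `evaluate`: an entry that can never match keeps a zero count while the implicit deny absorbs the traffic.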