Basic Firewall Configuration With DMZ, help!

richarddowna
Level 1

Hello

I am trying to set up my Cisco 520 router with a firewall that will:

DMZ

- Allow port 80 traffic to the vlan 20

- Block all other incoming ports to vlan 20 (unless initialised from inside)

- Allow all outgoing ports on vlan 20

- Block all access from vlan 20 to vlan 10 (unless initialised from vlan 10)

General Network

- Block all incoming ports to vlan 10 (unless initialised from inside)

- Allow all outgoing ports on vlan 10

- Allow all access from vlan 10 to vlan 20

I have read some articles on this, and I need a bit of help understanding some things.

I'll post my understanding so far with some questions.

Any help and/or corrections would be greatly appreciated!

First, configure a basic firewall with no port 80 access

Router(config)# access-list 103 deny ip any any

Router(config)# access-list 103 permit host 200.1.1.1 eq isakmp any (1. Why 200.1.1.1? what does this command do?)

Inspect Rules (2. Are all these necessary? Are there more than this?)

Router(config)# ip inspect name firewall tcp

Router(config)# ip inspect name firewall rtsp

Router(config)# ip inspect name firewall h323

Router(config)# ip inspect name firewall netshow

Router(config)# ip inspect name firewall ftp

Router(config)# ip inspect name firewall sqlnet

Apply Access List to Interface

Router(config)# interface vlan 10

Router(config-if)# ip inspect firewall in

Router(config-if)# exit

Router(config)# interface vlan 20

Router(config-if)# ip inspect firewall in

Router(config-if)# exit

Router(config)# interface (3. ATM? ATM.0? Dialer0?) - Note I am using ADSL over PPPoA with ATM, ATM.0 and Dialer0 interfaces

Router(config-if)# ip access-group 103 in

Router(config-if)# exit

Configure VLAN10 to VLAN20 rules

int vlan 10

desc General Network

ip access-group 100 in

ip nat inside

int vlan 20

desc DMZ

ip access-group 101 in

ip nat inside

ip nat inside source list 1 interface Dialer0 overload

access-list 1 remark Permitted Subnets to go out to the Internet
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark Restricted Inside network Access
access-list 100 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit udp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 53
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 remark Restricted DMZ network Access
access-list 101 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
access-list 101 permit udp 192.168.20.0 0.0.0.255 eq 53 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
(4. Do the above VLAN10 and VLAN20 rules seem correct?)
(5. How do I now forward incoming HTTP port 80 traffic to 192.168.20.0?)
(6. Even better, can I forward the HTTP traffic from a different mapped port other than 80? And can this be forwarded to a specific IP address, e.g. 192.168.20.254?)
Thanks in advance for any help
Regards
Richard
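Pulling the pieces above together, as an added example that is not the original poster's configuration nor any reply in the thread (the vlan interface addresses 192.168.10.1 and 192.168.20.1, the outside port 8080 and the web server 192.168.20.254 are assumptions):

```cisco
! Added example, not from the original post or the replies.
! Assumptions: Dialer0 is the outside interface, 192.168.10.0/24 = vlan 10,
! 192.168.20.0/24 = vlan 20 (DMZ), 192.168.20.254 = the DMZ web server,
! and the public address on Dialer0 is dynamic (PPPoA), so the outside
! ACL cannot name it.
!
! NAT: both inside subnets are translated; outside port 8080 -> 20.254:80
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.20.254 80 interface Dialer0 8080
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
!
! Stateful inspection (CBAC): return traffic for sessions started on the
! inside is let back through the inbound ACL on Dialer0 automatically.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall ftp
!
! Outside ACL: only the forwarded web port gets in, everything else is
! dropped. The deny must come last: an ACL is evaluated top down, first match.
access-list 103 permit tcp any any eq 8080
access-list 103 deny ip any any log
!
! vlan 10 (general network): full access to the DMZ and the Internet
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
! vlan 20 (DMZ): only replies to sessions vlan 10 started, nothing else
! towards vlan 10, everything else (Internet) allowed
access-list 101 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 ip inspect firewall in
 ip nat inside
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group 101 in
 ip inspect firewall in
 ip nat inside
interface Dialer0
 ip access-group 103 in
 ip nat outside
```

The log keyword on the final deny makes every dropped packet visible in show logging (with buffered logging enabled), which is the quickest way to tell whether the ACL is what is blocking a connection.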

35 Replies

Excellent! That worked!

Thank you Alain for your help

and thank you Naidu for your access lists, these worked perfectly.

I just have one last access list tweak!

I need 192.168.10.0 to be able to ssh via port 22 into 192.168.20.254

Currently it says:

Connection refused.

Thanks

Hi Richard,

Try with the one below, it should do that...
Router(config)# access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.254 0.0.0.255 eq 22


Please rate all the helpful posts.
Regards,
Naidu.

I am getting this error:

Router(config)# access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.254 0.0.0.255 eq 22

                                                                                                                                    ^

% Invalid input detected at '^' marker.

at 'eq'
Thanks

access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.254 0.0.0.255 eq 22

Replace ip with tcp, like this: access-list 100 permit tcp 192.168.10.0 0.0.0.255 192.168.20.254 0.0.0.255 eq 22

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Richard,


Router(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 eq 22 host host 192.168.20.254 eq 22


Please rate all the helpful posts.
Regards,
Naidu.

Hello,

Neither command worked!

The last one tried to look up the DNS for a hostname hehe!

I tried

access-list 100 permit tcp 192.168.10.0 0.0.0.255 eq 22 host host 192.168.20.254 eq 22

but still connection refused. Do I need to try on port 54321 instead, since I have mapped 22 to it?

Thanks

Hi,

Can you try this one: access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq 22

Regards.

Alain.

Don't forget to rate helpful posts.

Still connection refused.

Just to confirm, this is

from 192.168.10.0 network

to 192.168.20.254 server

via 22

Thanks again

Hi,

Can you add the log keyword at the end of the ACL and try again? Make sure logging is enabled on the console with the show login command.

If there is a log then the ACL is fine and there must be something else. Can you post the ssh command you are running as well as the netstat command on the server (if it's Linux, do netstat | grep ssh)?

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

Nothing shows up on the router with the logging.

Nothing shows up from netstat | grep ssh

I am using mac terminal to log into the linux server via this command:

ssh user@192.168.20.254

ssh connect to host 192.168.20.254 port 22: Connection refused

I CAN however log in to ssh from the outside of the network. For example from my cell phone while not on the local network.

Also, if I connect the server back up to the old network with the old router, it allows ssh! So I don't think the server is the issue.

Cheers

Hi,

How are you connected to the router? If you shut/no shut an interface, are you seeing a log message?

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Richard,


Router(config)# access-list 100 permit ip 192.168.10.0 0.0.0.255 host 192.168.20.254
And try ssh...


Please rate all the helpful posts.
Regards,
Naidu.

Hi Naidu,

This did not work, still connection refused.

Interestingly, it happens even with the server unplugged from the network.

I will try your suggestion next Alain, and post results.

Thanks

Hi Richard,

> This did not work, still connection refused.

> Interestingly, it happens even with the server unplugged from the network.

How can you connect to a service if the server is not on the network? So that is normal behaviour.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Richard,


Please connect the server to the network.
Once it is connected, try to ping the server from the allowed network; if it is able to ping, then telnet on port 22 should work.


Good luck...

Please rate all the helpful posts.
Regards,
Naidu.
