Basic Firewall Configuration With DMZ, help!

richarddowna
Level 1

Hello

I am trying to set up my Cisco 520 router with a firewall that will:

DMZ

- Allow port 80 traffic to the vlan 20

- Block all other incoming ports to vlan 20 (unless initialised from inside)

- Allow all outgoing ports on vlan 20

- Block all access from vlan 20 to vlan 10 (unless initialised from vlan 10)

General Network

- Block all incoming ports to vlan 10 (unless initialised from inside)

- Allow all outgoing ports on vlan 10

- Allow all access from vlan 10 to vlan 20

I have read some articles on this, and I need a bit of help understanding some things.

I'll post my understanding so far with some questions.

Any help and or corrections would be greatly appreciated!

First, configure basic firewall with no port 80 access

Router(config)# access-list 103 deny ip any any

Router(config)# access-list 103 permit host 200.1.1.1 eq isakmp any (1. Why 200.1.1.1? what does this command do?)

Inspect Rules (2. Are all these necessary? are there more than this?)

Router(config)# ip inspect name firewall tcp

Router(config)# ip inspect name firewall rtsp

Router(config)# ip inspect name firewall h323

Router(config)# ip inspect name firewall netshow

Router(config)# ip inspect name firewall ftp

Router(config)# ip inspect name firewall sqlnet

Apply Access List to Interface

Router(config)# interface vlan 10

Router(config-if)# ip inspect firewall in

Router(config-if)# exit

Router(config)# interface vlan 20

Router(config-if)# ip inspect firewall in

Router(config-if)# exit

Router(config)# interface (3. ATM? ATM.0? Dialer0?) - Note I am using ADSL over PPPoA with ATM ATM.0 and Dialer0 interfaces

Router(config-if)# ip access-group 103 in

Router(config-if)# exit

Configure VLAN10 to VLAN20 rules

int vlan 10

desc General Network

ip access-group 100 in

ip nat inside

int vlan 20

desc DMZ

ip access-group 101 in

ip nat inside

ip nat inside source list 1 interface Dialer0 overload

access-list 1 remark Permited Subnets to go out to the Internet
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark Restricted Inside network Access
access-list 100 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit udp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 53
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 remark Restricted DMZ network Access
access-list 101 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
access-list 101 permit udp 192.168.20.0 0.0.0.255 eq 53 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
(4. Do the above VLAN10 and VLAN20 rules seem correct?)
(5. How do I now forward incoming HTTP port 80 traffic to 192.168.20.0?)
(6. Even better, can I forward the HTTP traffic from a different mapped port other than 80? And can this be forwarded to a specific IP address, e.g. 192.168.20.254?)
Thanks in advance for any help
Regards
Richard

35 Replies

Hi Naidu,

Here are the ping results from the mac to the server.

I will also post my current access lists.

Macbook 192.168.10.254

Cannot ping 192.168.10.1

Can ping 192.168.10.254 (self)

Cannot ping 192.168.20.1

Can ping 192.168.20.254 (server)

Cannot ssh user@192.168.20.254 - connection refused.

Server 192.168.20.254

Cannot ping 192.168.20.1 - Destination host unreachable

Can ping 192.168.20.254 (self)

Cannot ping 192.168.10.1 - Packet Filtered

Cannot ping 192.168.10.254 - Packet Filtered

Access-lists

Router(config)# access-list 101 remark Restricted DMZ network Access

Router(config)# access-list 101 deny tcp any 192.168.20.0 0.0.0.255

Router(config)# access-list 101 deny udp any 192.168.20.0 0.0.0.255

Router(config)# access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

Router(config)# access-list 101 permit tcp 192.168.20.0 0.0.0.255 any

Router(config)# access-list 101 permit udp 192.168.20.0 0.0.0.255 any

Router(config)# access-list 100 remark Restricted Inside network Access

Router(config)# access-list 100 deny tcp any 192.168.20.0 0.0.0.255

Router(config)# access-list 100 deny udp any 192.168.20.0 0.0.0.255

Router(config)# access-list 100 permit ip any 192.168.20.0 0.0.0.255

Router(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 any

Router(config)# access-list 100 permit udp 192.168.10.0 0.0.0.255 any

Router(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq 22

Could it have anything to do with the way my VLANs are set up?

Router(config)# interface vlan 10

Router(config-if)# description General Network

Router(config-if)# ip access-group 100 in

Router(config-if)# ip inspect firewall in

Router(config-if)# ip nat inside

Router(config)# interface vlan 20

Router(config-if)# description DMZ

Router(config-if)# ip access-group 101 in

Router(config-if)# ip inspect firewall in

Router(config-if)# ip nat inside

Thanks.

=== Update ===

It is now working with the command:

access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq 22

I did try this before, but it seems the order the ACL is entered does matter.

It needs to be the first thing entered.

Does this mean every time I want to make a rule change I need to redo all the ACL rules?

Thanks

Hi,

ACLs are read from top to bottom and when you add an entry it is automatically added at the end of the ACL just before the implicit deny.

But there is a way to insert a line where you want: when you do a show access-list you'll see numbers in front of the lines; by default it starts at 10 with increments of 10. So let's suppose you have line 10 in ACL 100 and you want to change it:

- ip access-list extended 101

- no 10

- 10 permit .....

If you want to insert, then you can put a good line number, e.g. you want between 10 and 20, then use any number in between.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Richard,

I am glad to see that your problem is resolved, it seems.
Hence I would request you to click on the correct answer which will encourage others in this forum which is great.

Please click on the correct answer.
Regards,
Naidu.

Hi there,

Yes! done that now, although this topic contains a bunch of questions and answers,

I will post a full config, every step ive done to get my setup working.

Thanks everyone for all the help.

Extremely appreciated.

Hi Richard,

But you have not accepted my question as correct answer as you have not clicked on correct answer on any of my post...

Please rate all the helpful posts.
Regards,
Naidu.
