04-20-2011 06:22 PM - edited 03-04-2019 12:08 PM
Hello
I am trying to set up my Cisco 520 router with a firewall that will:
DMZ
- Allow port 80 traffic to the vlan 20
- Block all other incoming ports to vlan 20 (unless initialised from inside)
- Allow all outgoing ports on vlan 20
- Block all access from vlan 20 to vlan 10 (unless initialised from vlan 10)
General Network
- Block all incoming ports to vlan 10 (unless initialised from inside)
- Allow all outgoing ports on vlan 10
- Allow all access from vlan 10 to vlan 20
I have read some articles on this, and I need a bit of help understanding some things.
I'll post my understanding so far with some questions.
Any help and or corrections would be greatly appreciated!
First, configure basic firewall with no port 80 access
Router(config)# access-list 103 deny ip any any
Router(config)# access-list 103 permit host 200.1.1.1 eq isakmp any (1. Why 200.1.1.1? what does this command do?)
Inspect Rules (2. Are all these necessary? Are there more than this?)
Router(config)# ip inspect name firewall tcp
Router(config)# ip inspect name firewall rtsp
Router(config)# ip inspect name firewall h323
Router(config)# ip inspect name firewall netshow
Router(config)# ip inspect name firewall ftp
Router(config)# ip inspect name firewall sqlnet
Apply Access List to Interface
Router(config)# interface vlan 10
Router(config-if)# ip inspect firewall in
Router(config-if)# exit
Router(config)# interface vlan 20
Router(config-if)# ip inspect firewall in
Router(config-if)# exit
Router(config)# interface (3. ATM? ATM.0? Dialer0?) - Note I am using ADSL over PPPoA with ATM ATM.0 and Dialer0 interfaces
Router(config-if)# ip access-group 103 in
Router(config-if)# exit
Configure VLAN10 to VLAN20 rules
int vlan 10
desc General Network
ip access-group 100 in
ip nat inside
int vlan 20
desc DMZ
ip access-group 101 in
ip nat inside
ip nat inside source list 1 interface Dialer0 overload
access-list 1 remark Permited Subnets to go out to the Internet
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark Restricted Inside network Access
access-list 100 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit udp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 53
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 remark Restricted DMZ network Access
access-list 101 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
access-list 101 permit udp 192.168.20.0 0.0.0.255 eq 53 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
04-22-2011 06:12 PM
Hi Naidu,
Here are the ping results from the mac to the server.
I will also post my current access lists.
Macbook 192.168.10.254
Cannot ping 192.168.10.1
Can ping 192.168.10.254 (self)
Cannot ping 192.168.20.1
Can ping 192.168.20.254 (server)
Cannot ssh user@192.168.20.254 - connection refused.
Server 192.168.20.254
Cannot ping 192.168.20.1 - Destination host unreachable
Can ping 192.168.20.254 (self)
Cannot ping 192.168.10.1 - Packet Filtered
Cannot ping 192.168.10.254 - Packet Filtered
Access-lists
Router(config)# access-list 101 remark Restricted DMZ network Access
Router(config)# access-list 101 deny tcp any 192.168.20.0 0.0.0.255
Router(config)# access-list 101 deny udp any 192.168.20.0 0.0.0.255
Router(config)# access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Router(config)# access-list 101 permit tcp 192.168.20.0 0.0.0.255 any
Router(config)# access-list 101 permit udp 192.168.20.0 0.0.0.255 any
Router(config)# access-list 100 remark Restricted Inside network Access
Router(config)# access-list 100 deny tcp any 192.168.20.0 0.0.0.255
Router(config)# access-list 100 deny udp any 192.168.20.0 0.0.0.255
Router(config)# access-list 100 permit ip any 192.168.20.0 0.0.0.255
Router(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 any
Router(config)# access-list 100 permit udp 192.168.10.0 0.0.0.255 any
Router(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq 22
Could it have anything to do with the way my VLANs are set up?
Router(config)# interface vlan 10
Router(config-if)# description General Network
Router(config-if)# ip access-group 100 in
Router(config-if)# ip inspect firewall in
Router(config-if)# ip nat inside
Router(config)# interface vlan 20
Router(config-if)# description DMZ
Router(config-if)# ip access-group 101 in
Router(config-if)# ip inspect firewall in
Router(config-if)# ip nat inside
Thanks.
04-22-2011 10:45 PM
=== Update ===
It is now working with the command:
access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq 22
I did try this before, but it seems the order the ACL is entered does matter.
It needs to be the first thing entered.
Does this mean every time I want to make a rule change I need to redo all the ACL rules?
Thanks
04-22-2011 11:45 PM
Hi,
ACLs are read from top to bottom and when you add an entry it is automatically added at the end of the ACL just before the implicit deny.
But there is a way to insert a line where you want: when you do a show access-list you'll see numbers in front of the lines; by default it starts at 10 with increments of 10. So let's suppose you have line 10 in ACL 100 and you want to change it:
- ip access-list extended 101
- no 10
- 10 permit .....
If you want to insert, then you can put a good line number, e.g. you want between 10 and 20, then use any number in between.
Regards.
Alain.
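The ordering problem Richard hit in his update and the sequence-number fix Alain describes, as an added example that is not part of this thread and not Cisco's code: a small Python model of how IOS walks an extended ACL (ascending sequence number, first match wins, implicit deny at the end, new entries appended at last+10 unless a sequence number is given). It loads ACL 100 exactly as Richard posted it, reports that the SSH permit at sequence 60 can never be reached because the `deny tcp any 192.168.20.0 0.0.0.255` entry at sequence 10 already covers every packet it could match, and shows that re-adding the same line at sequence 5 makes the SSH packet hit the permit. The `Packet`, `Entry` and `Acl` classes, the `richards_acl_100` helper and the two sample packets are constructed for this example; only the `permit|deny <proto> <src> [eq N] <dst> [eq N]` forms are parsed, so keywords such as `established` are rejected rather than modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:                      # a test packet, constructed for this example
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def _addr(t, i):
    """IOS address spec 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1])))  # wildcard inverted
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2

def _port(t, i):                   # optional 'eq N' after an address; None means any port
    return (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)

@dataclass
class Entry:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    @classmethod
    def parse(cls, seq, text):
        """'permit|deny <proto> <src> [eq P] <dst> [eq P]', i.e. the text after 'access-list N'."""
        t = text.split()
        if t[0] not in ("permit", "deny") or t[1] not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError(f"unsupported ACE: {text}")
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        if i != len(t):            # keywords such as 'established' are not modelled
            raise ValueError(f"unsupported trailing tokens: {text}")
        return cls(seq, t[0], t[1], src, sport, dst, dport)
    def matches(self, p):
        return ((self.proto == "ip" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src and ipaddress.ip_address(p.dst) in self.dst
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))
    def covers(self, other):
        """Every packet matching `other` also matches self, so `other` placed after self is dead."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and (self.sport is None or self.sport == other.sport)
                and (self.dport is None or self.dport == other.dport))

class Acl:
    """Extended ACL the way IOS walks it: ascending sequence, first match wins, implicit deny last."""
    def __init__(self):
        self.entries = {}          # seq -> Entry
    def add(self, text, seq=None):
        """Append at last+10 (the IOS default) or insert at an explicit sequence number."""
        seq = max(self.entries, default=0) + 10 if seq is None else seq
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already in use")
        self.entries[seq] = Entry.parse(seq, text)
    def evaluate(self, p):
        """(action, seq) of the first matching entry; ('deny', None) is the implicit deny."""
        for seq in sorted(self.entries):
            if self.entries[seq].matches(p):
                return self.entries[seq].action, seq
        return "deny", None
    def shadowed(self):
        """[(dead_seq, earlier_seq)]: entries that no packet can ever reach."""
        seqs, out = sorted(self.entries), []
        for j, b in enumerate(seqs):
            hits = [a for a in seqs[:j] if self.entries[a].covers(self.entries[b])]
            if hits:
                out.append((b, hits[0]))
        return out

def richards_acl_100():
    """ACL 100 as posted in the thread; IOS numbers the entries 10, 20, ... in entry order."""
    acl = Acl()
    for ace in ["deny tcp any 192.168.20.0 0.0.0.255", "deny udp any 192.168.20.0 0.0.0.255",
                "permit ip any 192.168.20.0 0.0.0.255", "permit tcp 192.168.10.0 0.0.0.255 any",
                "permit udp 192.168.10.0 0.0.0.255 any",
                "permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq 22"]:
        acl.add(ace)
    return acl

SSH = Packet("tcp", "192.168.10.254", "192.168.20.254", dport=22)   # Macbook -> server, port 22
PING = Packet("icmp", "192.168.10.254", "192.168.20.254")           # Macbook -> server, ICMP

if __name__ == "__main__":
    acl = richards_acl_100()
    print(acl.shadowed(), acl.evaluate(SSH), acl.evaluate(PING))   # [(60, 10)] ('deny', 10) ('permit', 30)
    del acl.entries[60]            # 'no 60' then '5 permit ...' under 'ip access-list extended 100'
    acl.add("permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq 22", seq=5)
    print(acl.evaluate(SSH))       # ('permit', 5)
```

The ping result the model gives (permitted by the broad `permit ip any 192.168.20.0 0.0.0.255` at sequence 30) agrees with the "Can ping 192.168.20.254" test above, and the SSH denial at sequence 10 is the "connection refused" Richard saw until he entered the port 22 line first. The `shadowed()` check is the quick way to spot the same mistake in a longer list before it reaches a router: any entry it reports is one that `show access-list` will never show a hit count for.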
04-24-2011 05:23 AM
Hi Richard,
I am glad to see that your problem is resolved, it seems.
Hence I would request you to click on the correct answer which will encourage others in this forum which is great.
Please click on the correct answer.
Regards,
Naidu.
04-24-2011 06:05 AM
Hi there,
Yes! done that now, although this topic contains a bunch of questions and answers,
I will post a full config, every step I've done to get my setup working.
Thanks everyone for all the help.
Extremely appreciated.
04-24-2011 06:28 AM
Hi Richard,
But you have not accepted my question as correct answer as you have not clicked on correct answer on any of my post...
Please rate all the helpful posts.
Regards,
Naidu.