Cisco 887 Firewall on FastEthernet

Joost Lauwen
Level 1

Hello,

I have a question about a Cisco 887. Recently our ISP upgraded the DSL to VDSL, so they provided a new ISP modem.

I've configured the Cisco 887 to sit between the ISP router and the local network.

The ISP is connected to FA0 and the internal network to FA3. How can I activate the firewall on incoming traffic on FA0?

      ISP Router
          |
  Cisco 887 (Firewall)
          |
     Local Network

Best regards,

Joost Lauwen

2 Replies

HQuest
Level 1

You can use the old-school way of access control lists, or go the new way of zone-based firewalls, which is way more intelligent and easier to maintain. You can add multiple interfaces to each zone, or you can create multiple zones and give each of them its own set of rules.

Remember, you don't need to specify a rule for the data return: if the router receives data from the WAN interface, and it knows it started from the LAN interface, it will handle it naturally.

Assuming all you want to do is allow your LAN clients to reach the WAN side:

!
! define the target zones
!
zone security LAN
zone security WAN
!
! set the interfaces (either physical or virtual) on their zone
!
interface Fa3
 zone-member security LAN
interface Fa0
 zone-member security WAN
!
! create some service and network objects
!
object-group service allow-lan-wan_svc
 ip
object-group network allow-lan-wan_src_net
 any
object-group network allow-lan-wan_dst_net
 any
!
! create an extended access list over these objects
!
ip access-list extended allow-lan-wan_acl
 permit object-group allow-lan-wan_svc object-group allow-lan-wan_src_net object-group allow-lan-wan_dst_net
!
! create a class map for the access list you just created
!
class-map type inspect match-all allow-lan-wan
 match access-group name allow-lan-wan_acl
!
! create the policy map to group all classes for the zone pair
! if you ever need to apply other rules (let's say, QoS), create their objects, access lists and class maps,
! then enter them at this policy map IF they belong to LAN traffic towards WAN interface
!
! if you need traffic from another zone (let's say, WAN to DMZ), just create a new policy map, repeat the rules
! as of the above, and you are almost set
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect allow-lan-wan
  inspect
 class class-default
  drop log
!
! define which policy map will be enforced for this zone pair as a service policy
! note: no zone pair is defined for WAN -> LAN, so unsolicited traffic arriving on Fa0
! towards the LAN is dropped by default; only replies to inspected LAN sessions get back in.
! traffic addressed to the router itself (the self zone) is not restricted by this configuration.
!
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
!
! done. However, if you need NAT, then add these lines as well
!
! have your NAT objects set. if you have multiple networks, just add each network as a new line
!
object-group network local_lan_subnets
 10.1.1.0 255.255.255.0
 192.168.0.0 255.255.255.0
!
! make the access list
!
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
 deny ip any any
!
! Apply the NAT rules on the WAN interface.
! the overload is mainly to make all connections share the same IP address as of the interface
!
ip nat inside source list nat-list interface Fa0 overload
!
! Tell the system which interface is what
!
int Fa0
 ip nat outside
int Fa3
 ip nat inside
!
! done
!

You could also use CBAC, which was the precursor to ZBF: potentially easier to configure, but slightly less flexible.

In this situation you apply an inbound ACL denying all traffic. CBAC supports self-generated traffic now. Then apply inspection outbound.

The inbound ACL is dynamically updated for each inspected connection outbound. An example here:

CBAC
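The CBAC approach described in this reply, written out for the FA0/FA3 layout in the question. This is an added example, not from either reply or from Cisco documentation; it assumes Fa0 is the routed WAN interface, that the WAN address is obtained from the ISP router via DHCP, and the rule and ACL names WAN-IN and LAN-OUT are made up for the example.

```cisco
! Stateful inspection rule: the router tracks sessions leaving towards the WAN
! and opens matching return paths through the inbound ACL on Fa0 dynamically.
! "router-traffic" extends this to sessions the router itself originates (DNS, NTP, ...).
ip inspect name LAN-OUT tcp router-traffic
ip inspect name LAN-OUT udp router-traffic
ip inspect name LAN-OUT icmp router-traffic
ip inspect name LAN-OUT ftp
!
! Static inbound filter for the WAN side. Only what the link itself needs is
! permitted (here the DHCP reply from the ISP router, an assumption for this example);
! everything else is denied and logged. Return traffic for inspected sessions is
! admitted by the dynamic CBAC entries, not by any permit line in this list.
ip access-list extended WAN-IN
 permit udp any eq bootps any eq bootpc
 deny   ip any any log
!
! Inbound ACL and outbound inspection both sit on the WAN interface.
interface FastEthernet0
 description WAN - ISP router
 ip access-group WAN-IN in
 ip inspect LAN-OUT out
!
interface FastEthernet3
 description LAN
!
! Verification after a LAN client opens an outbound connection:
!   show ip inspect sessions      (active tracked sessions)
!   show ip access-lists WAN-IN   (hit counts on the static entries)
```

If NAT is needed, the `ip nat inside`/`ip nat outside` and `ip nat inside source list` lines from the first reply apply unchanged.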
