Hello,

 

here is a sample config of the zone based firewall, configured to achieve what you are requiring:

 

version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISR1111
!
boot-start-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
!
zone security INSIDE
zone security OUTSIDE
!
multilink bundle-name authenticated
!
license udi pid CISCO1921/K9 sn FTX1520037Y
!
username admin privilege 15 password 0 cisco
!
interface GigabitEthernet0/0/0
description ISP_INTERNET
ip address dhcp
ip nat outside
zone-member security OUTSIDE
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
ip virtual-reassembly in
duplex auto
speed auto
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match protocol http
match protocol https
match protocol ftp
match protocol dns
match protocol udp
match protocol tcp
match protocol pop3
match protocol smtp
match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

Hi,
Thanks for your help. Please see below for the relevant parts of my configuration:
version 17.6
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CiscoRouter
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.06.01a.SPA.bin
boot system bootflash:c1100-universalk9.17.05.01a.SPA.bin
boot-end-marker
!
!
!
no aaa new-model
clock timezone GMT 1 0
!
!
!
!
ip nbar http-services
!
!
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
diagnostic bootup level minimal
!
username admin privilege 15 password 0 default
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all IN-TO-OUT
match access-group name IN-TO-OUT_acl
class-map type inspect match-all OUT-TO-IN
match access-group name OUT-TO-IN_acl
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect IN-TO-OUT
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect OUT-TO-IN
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii FGXXXXXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
!
ip access-list extended IN-TO-OUT_acl
10 permit ip any any
ip access-list extended OUT-TO-IN_acl
10 permit ip any any
!
ip access-list standard 1
1 permit 192.168.1.0
!

Do I really need the ip access-list standard 1? Will the server be reachable via HTTP(s) on the OUTSIDE interface?
Thanks!

Hello,

 

with your current configuration, all traffic inbound from the Internet is allowed, is this what you want ?

 

Access list 1 is necessary for NAT.

Hi,
No, I would change the OUT-TO-IN to "drop" as default action, but would that not drop any return traffic from request originating on the inside?
Even after changing this to "drop" I can still access the web interface on the outside interface...how can I deny this access?
Thanks for your help, greatly appreciated!

Hello,

 

if you just want to deny all traffic from the outside, just delete all the outside config marked in bold:

 

version 17.6
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CiscoRouter
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.06.01a.SPA.bin
boot system bootflash:c1100-universalk9.17.05.01a.SPA.bin
boot-end-marker
!
no aaa new-model
clock timezone GMT 1 0
!
ip nbar http-services
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
diagnostic bootup level minimal
!
username admin privilege 15 password 0 default
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
class-map type inspect match-all IN-TO-OUT
match access-group name IN-TO-OUT_acl
--> no class-map type inspect match-all OUT-TO-IN
match access-group name OUT-TO-IN_acl
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect IN-TO-OUT
inspect
class class-default
drop log
--> no policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect OUT-TO-IN
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
--> no zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii FGXXXXXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
ip access-list extended IN-TO-OUT_acl
10 permit ip any any
--> no ip access-list extended OUT-TO-IN_acl
10 permit ip any any
!
ip access-list standard 1
1 permit 192.168.1.0

Thanks for the help and sorry for the late reply! I have deleted the access-lists above, but I am still able to access the web interface on the outside interface...

Additionally, on the web interface, there are not ACLs configured for g0/0/0 - does the firewall config supersede the individual ACLs or do I need to add this to the interface?

 

Hello,

 

make the changes marked in bold:

 

version 17.6
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CiscoRouter
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.06.01a.SPA.bin
boot system bootflash:c1100-universalk9.17.05.01a.SPA.bin
boot-end-marker
!
no aaa new-model
clock timezone GMT 1 0
!
ip nbar http-services
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
diagnostic bootup level minimal
!
username admin privilege 15 password 0 default
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
class-map type inspect match-any IN-TO-OUT
match protocol http
match protocol ftp
match protocol icmp
match protocol https
match protocol dns
match protocol smtp
match protocol pop3
match protocol tcp
match protocol udp
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect IN-TO-OUT
inspect
class class-default
drop
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii FGXXXXXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
access-list 1 permit 192.168.1.0 0.0.0.255

Thanks - see below for the show run output. Some lines have been added by the WebGUI. Unfortunately, I am still able to connect to the webinterface and ssh on the external interface (which, since this is facing the internet, is not a good idea). Any ideas what I am doing wrong?

 

version 17.6

[...]
!
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
!
!
login on-success log
!

!
subscriber templating
!

!
multilink bundle-name authenticated
!
[...]
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any IN-TO-OUT
match access-group name IN-TO-OUT_acl
match protocol http
match protocol ftp
match protocol icmp
match protocol https
match protocol dns
match protocol smtp
match protocol pop3
match protocol tcp
match protocol udp
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect IN-TO-OUT
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
!

!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii XXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
!
ip access-list extended IN-TO-OUT_acl
10 permit ip any any
!
ip access-list standard 1
11 permit 192.168.1.0 0.0.0.255
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0

Thanks! That helped, but encountered some strange behaviour of the router. For instance, when I add the commands above from the CLI (via ssh), the new policies are not displayed when accessing the router via WebUI. So I reverted back to the previous configuration and tried to configure everything via webui. The layout of my network is as follows:

 

|ISP|---(DHCP)----|Router|---(DHCP)---|Clients|

 

On the router, interface g0/0/0 (and later possibly g0/0/1, once I get fiber) are the external interfaces. They need to be able to acquire an IP via DHCP (as the ISP is handing them out this way), but every unsolicited traffic should be blocked. In particular, traffic to the webui or the ssh port should be blocked. 

The router is acting as a DHCP server for the clients, who should be able to access the internet (using any protocol), but any unsolicited traffic originating on the outside/internet should be dropped at the router.

 

I have managed to restrict access to the webui/ssh on the external interfaces, but despite my configuration, dhcp seems also to be blocked and the router does not acquire an IP from the ISP. Please see below for my config:

 

 

version 17.6
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any DHCP_app
match protocol udp
class-map type inspect match-any IN-TO-OUT
match access-group name IN-TO-OUT_acl
match protocol http
match protocol ftp
match protocol icmp
match protocol https
match protocol dns
match protocol smtp
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-all Drop_but_DHCP
match access-group name Drop_but_DHCP_acl
class-map match-any DHCP_nbar_app
match protocol dhcp
class-map type inspect match-all DHCP
match class-map DHCP_app
match access-group name DHCP_acl
!
policy-map type inspect avc DHCP_app_policy
class DHCP_nbar_app
allow
class class-default
allow
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect DHCP
inspect
service-policy avc DHCP_app_policy
class type inspect Drop_but_DHCP
drop
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect IN-TO-OUT
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
!

!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii XXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
[...]
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
!
ip access-list extended DHCP_acl
10 permit ip any any
ip access-list extended Drop_but_DHCP_acl
10 permit ip any any
ip access-list extended IN-TO-OUT_acl
10 permit ip any any
!
ip access-list standard 1
11 permit 192.168.1.0 0.0.0.255
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!