Configure access control and zone-based firewall

an_ho (Beginner)

Hi everyone,

I am still working on getting my Cisco router (C1111X-8P, IP Base and SEC licenses) up and working. I have managed to configure DHCP and NAT for my clients, but I am having trouble setting up the firewall and access control.

Interface configuration:

G0/0/0 -> ISP

G0/1/0-7 -> LAN

For the firewall, I want all traffic from the clients in the LAN to be passed through/inspected by the firewall (including return traffic), but unsolicited traffic from the internet arriving at g0/0/0 should be dropped. 

In addition, no router services should be accessible from the internet/g0/0/0.

Can anyone help me on how to configure this?

Thanks a lot!

Accepted Solution

Hello,

add the lines marked with -->:

version 17.6
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
vlan internal allocation policy ascending
!
class-map type inspect match-any IN-TO-OUT
match access-group name IN-TO-OUT_acl
match protocol http
match protocol ftp
match protocol icmp
match protocol https
match protocol dns
match protocol smtp
match protocol pop3
match protocol tcp
match protocol udp
!
--> policy-map type inspect OUTSIDE-TO-SELF-POLICY
--> class class-default
--> drop log
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect IN-TO-OUT
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
--> zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
--> service-policy type inspect OUTSIDE-TO-SELF-POLICY
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii XXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
ip access-list standard 1
11 permit 192.168.1.0 0.0.0.255

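The symptom that runs through this thread (HTTP(S) and SSH still answered on G0/0/0) comes from the INSIDE-to-OUTSIDE zone-pair saying nothing about traffic addressed to the router itself, the self zone, which the accepted solution covers with an OUTSIDE-to-self zone-pair. As an added example, not part of the original thread or of any Cisco tooling, this Python audit parses a show run in the shape posted here (a constructed, abridged sample) and flags an ISP-facing interface whose zone has no zone-pair to self, or whose to-self policy does not drop class-default:

```python
# Constructed, abridged "show run" (indentation lost, as the forum shows it): before and after the fix.
BEFORE = """\
policy-map type inspect INSIDE-OUTSIDE-POLICY
class class-default
drop log
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
interface GigabitEthernet0/0/0
ip nat outside
zone-member security OUTSIDE
"""
AFTER = BEFORE + """\
policy-map type inspect OUTSIDE-TO-SELF-POLICY
class class-default
drop log
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-TO-SELF-POLICY
"""

def parse(cfg):  # -> per-interface zone/NAT role, zone-pairs, policy-map class actions
    ifaces, pairs, policies, ctx = {}, {}, {}, None
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] == "interface":
            ctx = ("if", w[1]); ifaces[w[1]] = {"zone": None, "nat": None}
        elif w[:2] == ["zone-pair", "security"]:
            ctx = ("pair", w[2]); pairs[w[2]] = {"src": w[4], "dst": w[6], "policy": None}
        elif w[:3] == ["policy-map", "type", "inspect"]:
            ctx = ("pol", w[-1], None); policies[w[-1]] = {}
        elif ctx is None or w[0] in ("!", "class-map") or w[:2] == ["zone", "security"]:
            ctx = None                                   # "!" ends a block in show run
        elif ctx[0] == "if" and (w[0] == "zone-member" or w[:2] == ["ip", "nat"]):
            ifaces[ctx[1]]["zone" if w[0] == "zone-member" else "nat"] = w[-1]
        elif ctx[0] == "pair" and w[0] == "service-policy":
            pairs[ctx[1]]["policy"] = w[-1]
        elif ctx[0] == "pol" and w[0] == "class":
            ctx = ("pol", ctx[1], w[-1]); policies[ctx[1]][w[-1]] = []
        elif ctx[0] == "pol" and ctx[2]:
            policies[ctx[1]][ctx[2]].append(w[0])        # inspect / pass / drop
    return ifaces, pairs, policies

def audit(cfg):  # findings against the thread's requirement; [] means it is met
    ifaces, pairs, policies = parse(cfg)
    out = []
    for name, i in ((n, x) for n, x in ifaces.items() if x["nat"] == "outside"):
        to_self = [p for p in pairs.values() if p["src"] == i["zone"] and p["dst"] == "self"]
        if not to_self:    # the poster's situation: HTTP(S)/SSH still answered on G0/0/0
            out.append(f"{name}: zone {i['zone']} has no zone-pair to self; router services answer there")
        elif "drop" not in policies.get(to_self[0]["policy"], {}).get("class-default", []):
            out.append(f"{name}: {i['zone']}->self policy does not drop class-default")
    return out
```

A class-default drop towards self also applies to replies to sessions the router opens itself towards OUTSIDE (for example DNS forwarding for ip dns server, or pings from the router), so check that those still get answers after the change.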

12 Replies

Georg Pauwen (VIP Master)

Hello,

are you trying to configure a zone based firewall? Post the configuration you have so far, so we can fill in the bits and pieces...

Hello,

here is a sample config of the zone based firewall, configured to achieve what you are requiring:

 

version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISR1111
!
boot-start-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
!
zone security INSIDE
zone security OUTSIDE
!
multilink bundle-name authenticated
!
license udi pid CISCO1921/K9 sn FTX1520037Y
!
username admin privilege 15 password 0 cisco
!
interface GigabitEthernet0/0/0
description ISP_INTERNET
ip address dhcp
ip nat outside
zone-member security OUTSIDE
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
ip virtual-reassembly in
duplex auto
speed auto
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match protocol http
match protocol https
match protocol ftp
match protocol dns
match protocol udp
match protocol tcp
match protocol pop3
match protocol smtp
match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

Hi,
Thanks for your help. Please see below for the relevant parts of my configuration:
version 17.6
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CiscoRouter
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.06.01a.SPA.bin
boot system bootflash:c1100-universalk9.17.05.01a.SPA.bin
boot-end-marker
!
!
!
no aaa new-model
clock timezone GMT 1 0
!
!
!
!
ip nbar http-services
!
!
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
diagnostic bootup level minimal
!
username admin privilege 15 password 0 default
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all IN-TO-OUT
match access-group name IN-TO-OUT_acl
class-map type inspect match-all OUT-TO-IN
match access-group name OUT-TO-IN_acl
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect IN-TO-OUT
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect OUT-TO-IN
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii FGXXXXXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
!
ip access-list extended IN-TO-OUT_acl
10 permit ip any any
ip access-list extended OUT-TO-IN_acl
10 permit ip any any
!
ip access-list standard 1
1 permit 192.168.1.0
!

Do I really need the ip access-list standard 1? Will the server be reachable via HTTP(S) on the OUTSIDE interface?
Thanks!


Hello,

with your current configuration, all traffic inbound from the Internet is allowed, is this what you want?

Access list 1 is necessary for NAT.

Hi,
No, I would change the OUT-TO-IN to "drop" as the default action, but would that not drop any return traffic from requests originating on the inside?
Even after changing this to "drop" I can still access the web interface on the outside interface... how can I deny this access?
Thanks for your help, greatly appreciated!


Hello,

if you just want to deny all traffic from the outside, just delete all the outside config marked with -->:

 

version 17.6
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CiscoRouter
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.06.01a.SPA.bin
boot system bootflash:c1100-universalk9.17.05.01a.SPA.bin
boot-end-marker
!
no aaa new-model
clock timezone GMT 1 0
!
ip nbar http-services
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
diagnostic bootup level minimal
!
username admin privilege 15 password 0 default
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
class-map type inspect match-all IN-TO-OUT
match access-group name IN-TO-OUT_acl
--> no class-map type inspect match-all OUT-TO-IN
match access-group name OUT-TO-IN_acl
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect IN-TO-OUT
inspect
class class-default
drop log
--> no policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect OUT-TO-IN
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
--> no zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii FGXXXXXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
ip access-list extended IN-TO-OUT_acl
10 permit ip any any
--> no ip access-list extended OUT-TO-IN_acl
10 permit ip any any
!
ip access-list standard 1
1 permit 192.168.1.0

Thanks for the help and sorry for the late reply! I have deleted the access-lists above, but I am still able to access the web interface on the outside interface...

Additionally, on the web interface, there are no ACLs configured for g0/0/0 - does the firewall config supersede the individual ACLs or do I need to add this to the interface?

Hello,

make the changes marked with -->:

version 17.6
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CiscoRouter
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.06.01a.SPA.bin
boot system bootflash:c1100-universalk9.17.05.01a.SPA.bin
boot-end-marker
!
no aaa new-model
clock timezone GMT 1 0
!
ip nbar http-services
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
diagnostic bootup level minimal
!
username admin privilege 15 password 0 default
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
--> class-map type inspect match-any IN-TO-OUT
--> match protocol http
--> match protocol ftp
--> match protocol icmp
--> match protocol https
--> match protocol dns
--> match protocol smtp
--> match protocol pop3
--> match protocol tcp
--> match protocol udp
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect IN-TO-OUT
inspect
class class-default
drop
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii FGXXXXXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
--> access-list 1 permit 192.168.1.0 0.0.0.255

Thanks - see below for the show run output. Some lines have been added by the WebGUI. Unfortunately, I am still able to connect to the web interface and SSH on the external interface (which, since this is facing the internet, is not a good idea). Any ideas what I am doing wrong?

version 17.6

[...]
!
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
!
!
login on-success log
!

!
subscriber templating
!

!
multilink bundle-name authenticated
!
[...]
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any IN-TO-OUT
match access-group name IN-TO-OUT_acl
match protocol http
match protocol ftp
match protocol icmp
match protocol https
match protocol dns
match protocol smtp
match protocol pop3
match protocol tcp
match protocol udp
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect IN-TO-OUT
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
!

!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii XXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiat