Configuring ISR router

shafi0211
Level 1

I am configuring an ISR router for voice traffic. Among other requirements, these are the ones I need advice on:

1. Create ACL on router outside interface and block inbound traffic from the internet 

My commands :

ip access-list extended outside_acl

10 permit icmp any any echo-reply
20 permit icmp any any unreachable
30 permit udp any eq ntp any

interface <Outside interface>

ip access-group outside_acl in

 

2. NAT traffic going to the internet

interface <outside interface>

ip nat outside

interface <inside interface>

ip nat inside

 

ip access-list standard NAT

permit x.x.0.0 0.0.255.255

ip nat inside source list NAT interface <e0/0- outside interface> overload

 

3. Create ACL for traffic to the internet and allow DNS, 443 and icmp and 80.

ip access-list extended inside_out
permit tcp 192.x.0.0 0.0.255.255 any eq 80
permit tcp 192.x.0.0 0.0.255.255 any eq 53
permit udp 192.x.0.0 0.0.255.255 any eq 53
permit icmp 192.x.0.0 0.0.255.255 any
permit tcp 192.x.0.0 0.0.255.255 any eq 443

interface <outside interface>
ip access-group inside_out out

 

Please advise if the above is right or not.

 

 

Thanks!

11 Replies

Hello,

 

2 and 3 look ok, 1 will probably block everything except ICMP and NTP, because of the implicit deny. Looking at your requirements, you might want to consider a zone-based firewall. Is that an option?

My traffic that goes outside will have to come back in; can this kind of stateful filtering happen with this ACL?

I want to block everything else from the internet. I am fine with just ICMP and NTP being allowed.

 

 

Hello,

 

as far as I can tell, the below will block everything outgoing and incoming except for ICMP and NTP:

 

ip access-list extended outside_acl

10 permit icmp any any echo-reply
20 permit icmp any any unreachable
30 permit udp any eq ntp any


interface <Outside interface>

ip access-group outside_acl in

 

The zone based firewall is designed to allow exactly what you are after, which is one way traffic in or out...
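The distinction Georg is drawing (a static ACL remembers nothing about sessions, and anything it does not permit hits the implicit deny) is easy to see in a small model. The following is an added Python illustration, not Cisco code and not from the thread: it evaluates the poster's outside_acl the way IOS evaluates an ACL (first match wins, wildcard masks, implicit deny at the end) and contrasts that with a minimal stateful session table of the kind a zone-based firewall keeps. The hosts 192.168.1.20 and 203.0.113.10, the ACL entries and the packets are constructed for the example; the session table is a simplification, not the IOS inspect implementation.

```python
"""Stateless ACL vs stateful inspection, modelled in plain Python.

Added illustration for this thread, not Cisco code. It models how IOS
evaluates an inbound ACL (first match wins, implicit deny at the end,
wildcard masks) and contrasts it with a minimal stateful session table of
the kind a zone-based firewall keeps. Packets, addresses and ACL entries
below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for icmp
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo-reply"
    syn: bool = False     # TCP flags, kept only for readability
    ack: bool = False


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "ip"
    src: str              # "any" or "<address> <wildcard>"
    dst: str
    sport: int | None = None
    dport: int | None = None
    icmp_type: str | None = None


def wildcard_match(spec: str, addr: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is a don't-care."""
    if spec == "any":
        return True
    base, wild = spec.split()
    mask = 0xFFFFFFFF ^ int(IPv4Address(wild))
    return (int(IPv4Address(base)) & mask) == (int(IPv4Address(addr)) & mask)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(ace.src, pkt.src) and wildcard_match(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate_acl(acl: list[Ace], pkt: Packet) -> str:
    """First matching entry decides; if nothing matches, implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The poster's outside_acl, applied inbound on the internet-facing interface.
OUTSIDE_ACL = [
    Ace("permit", "icmp", "any", "any", icmp_type="echo-reply"),
    Ace("permit", "icmp", "any", "any", icmp_type="unreachable"),
    Ace("permit", "udp", "any", "any", sport=123),   # "eq ntp" on the source port
]


class StatefulInspector:
    """Minimal inspect table: remember sessions opened from inside and admit
    only their replies from outside. A simplification, not the IOS engine."""

    def __init__(self) -> None:
        self.sessions: set[tuple] = set()

    def outbound(self, pkt: Packet) -> str:
        # Inside-to-outside: record the 5-tuple so the reply is recognised.
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        # Outside-to-inside: only traffic reversing a known session passes.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.sessions else "deny"


def compare(outbound: Packet, reply: Packet) -> dict[str, str]:
    """What the static ACL and the stateful table each do with the reply."""
    fw = StatefulInspector()
    fw.outbound(outbound)
    return {"acl": evaluate_acl(OUTSIDE_ACL, reply), "stateful": fw.inbound(reply)}


if __name__ == "__main__":
    # Constructed sample: an inside host opens HTTPS to 203.0.113.10.
    out = Packet("tcp", "192.168.1.20", "203.0.113.10", 51000, 443, syn=True)
    back = Packet("tcp", "203.0.113.10", "192.168.1.20", 443, 51000, syn=True, ack=True)
    print(compare(out, back))
```

The HTTPS server's SYN/ACK is denied by outside_acl (no entry permits it, so the implicit deny applies) but permitted by the session table, which is why outbound web traffic breaks under the ACL and works under inspection. The converse also shows: the ACL admits an unsolicited echo-reply or a UDP packet sourced from port 123 from any address, while the session table admits only replies to traffic it saw leave.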

I can have a zone-based firewall but I am not very sure how to implement it. Can you please guide me?

 

Thanks!

Hello,

 

below is a sample configuration which allows ICMP in, and https, dns, udp, tcp, pop3, smtp, icmp out. This is of course very generic. If possible, post the current running configuration of your router, so we can better fill in the missing parts...

 

Current configuration : 2974 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$/hAl$Ss9kl2uQJDdLqLaiOMcW0/
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool My_LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1 192.168.1.126 8.8.4.4 8.8.8.8
!
zone security INSIDE
zone security OUTSIDE
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3717087716
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3717087716
revocation-check none
!
crypto pki certificate chain TP-self-signed-3717087716
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373137 30383737 3136301E 170D3139 30313038 30333130
33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313730
38373731 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E3D5 5810CB05 BF672910 AE996732 46FC1975 9038FBD6 DF06EB36 0908C676
50B91EDD 79A92883 E2B8D94E 1301616E 28922E1F 598F6E12 C06E7063 C8751AF5
EF3583AA 6B3AA41B 010F680C A2DE2368 D8678380 D66AB62A 15B4A439 6D3FBCF0
AF97018E 12911CE4 A3DBB4C7 06CEACF7 2DD62171 1ED21000 9A007576 11F2E1E2
844B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1477EE54 03D1A4E8 0B8887A5 C90F3ABB FD9DA944 60301D06
03551D0E 04160414 77EE5403 D1A4E80B 8887A5C9 0F3ABBFD 9DA94460 300D0609
2A864886 F70D0101 04050003 81810063 B8217894 BC166613 7F143A06 3B1E3F38
BDDE424D BEF20015 F248666B 15B8B5A9 2A37E753 3A8202D0 F40BEB06 4C34F325
89F81660 02FD2CCE 63C5FE76 B8965DFE E7235FD1 D7AEC8BD 87295B0F 1D06B12A
324540ED 0EC01011 15F1AC96 B8AF65E3 4002896A 0B67ECD6 086CB431 1681F2B8
2EA0E3AE 81CD005D CFB48F6B 0DA3F6
quit
license udi pid CISCO1921/K9 sn FTX1520037Y
!
username stefon secret 5 $1$Rdrn$lJ4RSvvKiTQmEXnBUU8uQ/
!
interface GigabitEthernet0/0
description INTERNET
ip address dhcp
ip access-group MY_WAN in
ip nat outside
zone-member security OUTSIDE
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description My LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
!
interface GigabitEthernet0/0/1
!
interface GigabitEthernet0/0/2
!
interface GigabitEthernet0/0/3
!
interface Vlan1
no ip address
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol pop3
match protocol smtp
match protocol icmp
!
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 192.168.1.0 0.0.0.255
!
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
!
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

Hi,

Thanks a lot for your help.

I have added my config and added all the requirements:

  1. Have ISR router to the main switch over a trunk port.
  2. Allow vlan 18 over that trunk
  3. ACL on router outside interface and block inbound traffic from the internet
  4. NAT traffic going to the internet
  5. ACL for traffic to the internet and allow 80, 443, DNS and icmp.
  6. interface for VLAN 18 and IP 
  7.  ALG on the router disabled.

--------------------------------

Current configuration : 2974 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$/hAl$Ss9kl2uQJDdLqLaiOMcW0/
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 192.168.1.0 192.168.1.99 -> Here, can I use the VLAN 18 gateway?
!
ip dhcp pool My_LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1 192.168.1.126 8.8.4.4 8.8.8.8
!
zone security INSIDE
zone security OUTSIDE
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3717087716
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3717087716
revocation-check none
!
crypto pki certificate chain TP-self-signed-3717087716
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373137 30383737 3136301E 170D3139 30313038 30333130
33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313730
38373731 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E3D5 5810CB05 BF672910 AE996732 46FC1975 9038FBD6 DF06EB36 0908C676
50B91EDD 79A92883 E2B8D94E 1301616E 28922E1F 598F6E12 C06E7063 C8751AF5
EF3583AA 6B3AA41B 010F680C A2DE2368 D8678380 D66AB62A 15B4A439 6D3FBCF0
AF97018E 12911CE4 A3DBB4C7 06CEACF7 2DD62171 1ED21000 9A007576 11F2E1E2
844B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1477EE54 03D1A4E8 0B8887A5 C90F3ABB FD9DA944 60301D06
03551D0E 04160414 77EE5403 D1A4E80B 8887A5C9 0F3ABBFD 9DA94460 300D0609
2A864886 F70D0101 04050003 81810063 B8217894 BC166613 7F143A06 3B1E3F38
BDDE424D BEF20015 F248666B 15B8B5A9 2A37E753 3A8202D0 F40BEB06 4C34F325
89F81660 02FD2CCE 63C5FE76 B8965DFE E7235FD1 D7AEC8BD 87295B0F 1D06B12A
324540ED 0EC01011 15F1AC96 B8AF65E3 4002896A 0B67ECD6 086CB431 1681F2B8
2EA0E3AE 81CD005D CFB48F6B 0DA3F6
quit
license udi pid CISCO1921/K9 sn FTX1520037Y
!
username cisco privilege 15 password $1$Rdrn$lJ4RSvvKiTQmEXnBUU8uQ/
!
interface GigabitEthernet0/0/0
description INTERNET
ip address <public IP>
ip access-group WAN in --> I don't see this acl applied in config
ip nat outside
zone-member security OUTSIDE
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
description LAN
switchport mode trunk -> Requirement is to have this as trunk port
switchport trunk allowed vlan 18, 50 -> Allow vlan 18 over that trunk
ip nat inside
zone-member security INSIDE
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
!
interface GigabitEthernet0/0/1
!
interface GigabitEthernet0/0/2
!
interface GigabitEthernet0/0/3
!
interface Vlan1
no ip address
!
interface vlan18 ==> This I am using for voice and this will act as a gateway for phones
ip address 10.x.x.253 255.255.255.0
!
interface Vlan50 ==> I am using as management vlan
ip address 10.x.x.x 255.255.255.0
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol pop3
match protocol smtp
match protocol icmp
!
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 10.x.x.0 0.0.0.255
!
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
!
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 <public IP>
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
transport input ssh

!
scheduler allocate 20000 1000
end

 

@Georg Pauwen, hello,

 

Can you please take a look at the config and advise. I really appreciate it.


Thank you.

I'll have a look and get back with you...

Hello,

 

a few things are unclear:

 

1. You have defined a DHCP pool, but there is no interface configured with the IP address of the default router specified in the pool

2. Which IP addresses do you want to NAT ?

 

I have made some changes to your config (marked in bold):

 

Current configuration : 2974 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$/hAl$Ss9kl2uQJDdLqLaiOMcW0/
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 192.168.1.0 192.168.1.99 -> Here, can I use the VLAN 18 gateway?
!
ip dhcp pool My_LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1 192.168.1.126 8.8.4.4 8.8.8.8
!
zone security INSIDE
zone security OUTSIDE
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3717087716
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3717087716
revocation-check none
!
crypto pki certificate chain TP-self-signed-3717087716
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373137 30383737 3136301E 170D3139 30313038 30333130
33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313730
38373731 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E3D5 5810CB05 BF672910 AE996732 46FC1975 9038FBD6 DF06EB36 0908C676
50B91EDD 79A92883 E2B8D94E 1301616E 28922E1F 598F6E12 C06E7063 C8751AF5
EF3583AA 6B3AA41B 010F680C A2DE2368 D8678380 D66AB62A 15B4A439 6D3FBCF0
AF97018E 12911CE4 A3DBB4C7 06CEACF7 2DD62171 1ED21000 9A007576 11F2E1E2
844B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1477EE54 03D1A4E8 0B8887A5 C90F3ABB FD9DA944 60301D06
03551D0E 04160414 77EE5403 D1A4E80B 8887A5C9 0F3ABBFD 9DA94460 300D0609
2A864886 F70D0101 04050003 81810063 B8217894 BC166613 7F143A06 3B1E3F38
BDDE424D BEF20015 F248666B 15B8B5A9 2A37E753 3A8202D0 F40BEB06 4C34F325
89F81660 02FD2CCE 63C5FE76 B8965DFE E7235FD1 D7AEC8BD 87295B0F 1D06B12A
324540ED 0EC01011 15F1AC96 B8AF65E3 4002896A 0B67ECD6 086CB431 1681F2B8
2EA0E3AE 81CD005D CFB48F6B 0DA3F6
quit
license udi pid CISCO1921/K9 sn FTX1520037Y
!
username cisco privilege 15 password $1$Rdrn$lJ4RSvvKiTQmEXnBUU8uQ/
!
interface GigabitEthernet0/0/0
description INTERNET
ip address <public IP>
--> no ip access-group WAN in --> I don't see this acl applied in config
ip nat outside
zone-member security OUTSIDE
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
description LAN
switchport mode trunk -> Requirement is to have this as trunk port
switchport trunk allowed vlan 18, 50 -> Allow vlan 18 over that trunk
--> no ip nat inside
--> no zone-member security INSIDE
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
!
interface GigabitEthernet0/0/1
!
interface GigabitEthernet0/0/2
!
interface GigabitEthernet0/0/3
!
interface Vlan1
--> ip address 192.168.1.1 255.255.255.0
--> ip nat inside
--> zone-member security INSIDE
!
interface vlan18 ==> This I am using for voice and this will act as a gateway for phones
ip address 10.x.x.253 255.255.255.0
!
interface Vlan50 ==> I am using as management vlan
ip address 10.x.x.x 255.255.255.0
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol pop3
match protocol smtp
match protocol icmp
!
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 10.x.x.0 0.0.0.255
!
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
!
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 <public IP>
!
--> access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
transport input ssh

!
scheduler allocate 20000 1000
end

Hello @Georg Pauwen 

 

Thank you for your response. Please find my answers.

 

1. The DHCP IP range is 10.10.18.0/24 for phones and they will be on VLAN 18. The gateway for phones will be 10.10.18.253.

I believe this should be applied on interface vlan 18,

 

ip dhcp excluded-address 10.10.18.253 10.10.18.254 => .253 will be phone gateway and .254 is in use.

ip dhcp pool My_PhoneDHCP
network 10.10.18.0 255.255.255.0
default-router 10.10.18.253
dns-server 8.8.4.4 8.8.8.8

 

2. The VLAN 18 IP range should be NATed.

-----------------------------------

Another question about VLAN 1: I am not using it.

interface Vlan1
--> ip address 192.168.1.1 255.255.255.0
--> ip nat inside
--> zone-member security INSIDE

 

So, is this correct?

interface vlan 18

ip address 10.10.18.253 255.255.255.0

ip nat inside

zone-member security INSIDE

 

And I'll modify the access-list for NAT:

access-list 1 permit 10.10.18.0 0.0.0.255

 

 

Thanks!

 

 

 

Hello @Georg Pauwen 

 

Thank you for all your help. I am on the last phase of implementation.

I have configured the router with a zone-based firewall and I understand now that we need this for stateful filtering.

Now, after configuring, I checked with the command -

Packets are dropping from the inside network. I am pinging the machine 10.10.18.250 from an internal IP address that starts with 10.30.40.x, and the router drops the TCP packets due to the INSIDE-OUTSIDE class policy.

It works when I remove the zone from interface Vlan18.

Can you please advise ?

 

 

--------------------------------------------------------------------------------------------


Current configuration : 9672 bytes
!
! Last configuration change at 12:22:41 EST Thu Apr 30 2020 by 
! NVRAM config last updated at 10:33:05 EST Thu Apr 30 2020 by 
!
version 16.10
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname 
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 
!
no aaa new-model
clock timezone EST -4 0
!
ip name-server 4.2.2.5 8.8.8.8
ip domain name 
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1147266811
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1147266811
revocation-check none
rsakeypair TP-self-signed-1147266811
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1147266811
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313437 32363638 3131301E 170D3230 30343230 31373034
32335A17 0D333030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31343732
36363831 31308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 01008911 C285A90B EF3B6BF9 5D3D82D8 BFC3C237 E38FE2F3 B55E0D2F
D02427C7 20B57DA4 C82F8D56 9D797218 BA8B25C8 AC565497 ABA4BA66 31A8493F
303BE351 65E2DB11 DA168026 3C81001F 80289A74 5C3E53BA 3EE1D287 F4E1148B
92EB69DC 51F52D78 5E91A935 E1B507AF F1DECF2B 7AE8495D 3D2E87E9 651C9A43
9C31D219 116D8E1A 53250E1F 841DB86D CB9142F4 F23B7AA4 C786ADED C90EDC98
1687493E CF262702 9556C3A5 501D7D00 AE6B8421 C3F04C1C 89E91E4F 552E2C3D
AC20B132 1FC45DDE 530C259C C4BB1EEF 00410D9F 26AAE393 E4DEF2F5 84F49FC2
A20276BD ECAA87AA 1AF1A60F F533A8B9 3BAF0BF0 4167FBDC 68DBD0EE 6264EAEE
177FBD3A 7B850203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
301F0603 551D2304 18301680 14E03F97 403200E4 ECB41F6D B3F55AAB 10FF8FE2
4C301D06 03551D0E 04160414 E03F9740 3200E4EC B41F6DB3 F55AAB10 FF8FE24C
300D0609 2A864886 F70D0101 05050003 82010100 2F443E34 F64D5572 F5275089
1119BA40 7B377412 639ED70B E2C2FB85 E8EF1514 E1F2AF81 C3535B5A BBD468E3
DE2F0EBD 96B234D7 44E2D6A2 32873EA0 451E98F9 253B78D8 4CA84B70 60B09BC0
009F1BFC 835A5716 341EE79C 61CA8C3A 8AC554CE A0A8299E BA040ACD 56A9B465
D036B544 BF329812 73C0EA76 72D7D5CA B007D733 7FB224D0 1E2B7923 A502FBC9
69CA6CA2 A6D3ECEB A6C4E832 B6A23F69 CAC2AD52 992603B7 EEB909F9 AC6E9E8C
A3554945 149BD11D 077F14F3 1C412A88 324DECF3 9B081F0F 8D3F51F1 50E81077
5CDE417C 24A79D73 578AEA5B 9D168F5A C654A671 AA6EDF8C 2D7AF498 73A82D8B
504313DF 4DC88CBF 555EE3F8 FB2B16CC 2B659B4A
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
!
no license feature hseck9
license udi pid C1101-4P sn FGL2414LPLX
license boot level securityk9
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username 

!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match protocol sip
match protocol dns
match protocol udp
match protocol smtp
match protocol tcp
match protocol icmp
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Link to ISP
<public IP>
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
zone-member security OUTSIDE
ip tcp adjust-mss 1300
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/1/0
description INSIDE INTERFACE
switchport mode trunk
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
no ip address
shutdown
!
interface Vlan18
description Voice VLAN
ip address 10.10.18.253 255.255.255.0
ip helper-address 10.11.10.243
no ip redirects
ip nat inside
zone-member security INSIDE
!
interface Vlan50
ip address 10.10.50.123 255.255.255.0
!
ip default-gateway 10.10.50.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 <public IP>
ip route 10.0.0.0 255.0.0.0 10.10.50.112
ip route 10.10.50.254 255.255.255.255 10.10.50.112
!
!
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 10.10.18.0 0.0.0.255
!
access-list 1 permit 10.10.18.0 0.0.0.255
!
!
!
!
control-plane
!
banner motd ^CC
**************************************************
**************************************************
** **
** WARNING! WARNING! WARNING! **
** **
**************************************************
**************************************************
Unauthorized access to this system is strictly prohibited
Unauthorized access will be subject to legal action
If you are not authorized to access this system
D I S C O N N E C T I M M E D I A T E L Y !R
^C
!
line con 0
transport input none
stopbits 1
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input ssh
!
ntp server <public ip> source GigabitEthernet0/0/0
end
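One property of the configuration worth checking when a zone-based firewall drops everything into class-default is how the class-map is evaluated. Both the sample configuration earlier in the thread and the final configuration above define INSIDE-TO-OUTSIDE-CLASS as `class-map type inspect match-all` with several `match protocol` lines. With match-all, every match statement must be true of the same flow; with match-any, one suffices. A single flow cannot be TCP and UDP and ICMP at once, so a match-all class listing all three can never match, and every flow falls to `class class-default` / `drop log`. The following is an added Python model of that evaluation, not Cisco code and not from the thread; the port-based protocol tests are an assumed simplification of what `match protocol` does in IOS, and the flows are constructed for the example.

```python
"""Zone-based firewall class-map semantics: match-all vs match-any.

Added illustration for this thread, not Cisco code. It models how a
'class-map type inspect' is evaluated against a flow: with match-all every
match statement must hold for the same flow, with match-any one suffices.
Flows that match no class fall to class-default, which the thread's
policy-maps set to 'drop log'. The protocol classifier is an assumed,
port-based stand-in for the IOS inspection engine; flows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp


# Simplified view of what 'match protocol <name>' means for a flow.
# Assumed port mapping for the example; real IOS classifies by inspection.
PROTOCOL_TESTS = {
    "tcp":   lambda f: f.proto == "tcp",
    "udp":   lambda f: f.proto == "udp",
    "icmp":  lambda f: f.proto == "icmp",
    "https": lambda f: f.proto == "tcp" and f.dport == 443,
    "dns":   lambda f: f.dport == 53,
    "smtp":  lambda f: f.proto == "tcp" and f.dport == 25,
    "sip":   lambda f: f.dport == 5060,
    "pop3":  lambda f: f.proto == "tcp" and f.dport == 110,
}


@dataclass(frozen=True)
class ClassMap:
    name: str
    mode: str                   # "match-all" or "match-any"
    protocols: tuple[str, ...]

    def matches(self, flow: Flow) -> bool:
        results = [PROTOCOL_TESTS[p](flow) for p in self.protocols]
        return all(results) if self.mode == "match-all" else any(results)


@dataclass(frozen=True)
class PolicyMap:
    """Ordered (class, action) pairs; the class-default action applies last."""
    classes: tuple[tuple[ClassMap, str], ...]
    default_action: str = "drop log"

    def decide(self, flow: Flow) -> tuple[str, str]:
        for cmap, action in self.classes:
            if cmap.matches(flow):
                return cmap.name, action
        return "class-default", self.default_action


PROTOCOLS = ("sip", "dns", "udp", "smtp", "tcp", "icmp")

# As posted in the thread: one match-all class listing several protocols.
AS_POSTED = PolicyMap(((ClassMap("INSIDE-TO-OUTSIDE-CLASS", "match-all", PROTOCOLS), "inspect"),))

# Same protocol list, but match-any: a flow needs to satisfy only one line.
MATCH_ANY = PolicyMap(((ClassMap("INSIDE-TO-OUTSIDE-CLASS", "match-any", PROTOCOLS), "inspect"),))

# Constructed sample flows from the voice VLAN towards the internet.
SAMPLE_FLOWS = {
    "https": Flow("tcp", 443),
    "dns-udp": Flow("udp", 53),
    "sip-udp": Flow("udp", 5060),
    "ping": Flow("icmp", 0),
}


def classify_all(policy: PolicyMap) -> dict[str, tuple[str, str]]:
    """Decision (class name, action) for every sample flow under a policy."""
    return {name: policy.decide(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("match-all (as posted)", AS_POSTED), ("match-any", MATCH_ANY)):
        print(label)
        for name, (cls, action) in classify_all(policy).items():
            print(f"  {name:8} -> {cls}: {action}")
```

Under the match-all class every sample flow, including the SIP and DNS traffic the phones need, lands in class-default and is dropped with a log message naming the IN-TO-OUT policy; under match-any the same flows are inspected. On a real router the equivalent check is `show policy-map type inspect zone-pair` to see which class the drop counters are incrementing under.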
