
Firewall setup on a 2921 router

gnicklaw
Level 1

I just purchased this Cisco 2921 router and have all the configuration completed except the Firewall and NAT. We have 4 subnets at our location on the router, each with a DHCP handed from the router to our network. Any examples for the Firewall and NAT configurations?

Thanks

6 Replies

andrew.prince
Level 10

Gary,

That is a tricky question - so some clarification is required:-

1) Do you want to use the CBAC Firewall?

2) Do you want to use the Zone Based Firewall?

3) Do you have any VPNs?

4) Are you hosting external services on internal machines?

5) Do you require a DMZ?

I want to use the CBAC firewall with NATing

We do have VPN access but it is through our DPC

We will have Data, internal wireless for AC control, Wireless for access to our system and outside world, and a Guest wireless for only internet connections

Thanks

Well, with CBAC it's relatively easy - for example:-

fa0/0 - | R1 | - fa0/1

fa 0/0 "LAN" and 0/1 "Internet facing", I would configure:-

access-list 100 deny ip any any

ip inspect name cbac-fw tcp

ip inspect name cbac-fw udp

ip inspect name cbac-fw icmp

int fa 0/1

ip access-group 100 in

ip inspect cbac-fw out

This would deny all traffic initiated from the internet, and permit all returning stateful traffic initiated from the LAN to the internet.

This is a very basic example and can get very complicated - read the below:-

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

HTH

How would the NAT setup be configured with the CBAC?

That all depends on what IP ranges you have and what you need to/want to NAT.

Gary,

Please see the following document:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

NAT is always performed before CBAC
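
One way the NAT side could be combined with the CBAC example from the thread, as an added example that is not part of any reply above: PAT (overload) on the Internet-facing interface. The four 192.168.x.0/24 subnets, ACL number 10, and the reuse of fa0/0 and fa0/1 from the diagram are assumptions; substitute the real addressing and interface names.

```cisco
! Added example. Assumed addressing (not from the thread): four inside
! subnets 192.168.10.0/24 through 192.168.40.0/24, fa0/0 inside, fa0/1 outside.
!
! Standard ACL 10 selects which inside source addresses are translated.
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.0.255
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 10 permit 192.168.40.0 0.0.0.255
!
! PAT: translate matching sources to the address of the outside interface.
ip nat inside source list 10 interface FastEthernet0/1 overload
!
! CBAC rule and inbound deny ACL, unchanged from the reply in the thread.
access-list 100 deny ip any any
ip inspect name cbac-fw tcp
ip inspect name cbac-fw udp
ip inspect name cbac-fw icmp
!
! Apply "ip nat inside" to every interface or subinterface serving a LAN subnet.
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
 ip access-group 100 in
 ip inspect cbac-fw out
!
! Verify from exec mode after generating some outbound traffic:
!   show ip nat translations
!   show ip inspect sessions
!   show access-lists 100
```

The inbound ACL on the outside interface is evaluated before outside-to-inside NAT, so any permit entries later added to access-list 100 must match the public (translated) address, not the private one.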
