01-11-2021 03:37 PM
Hi
I need help in configuring my 892FSP that I bought secondhand (some kind of craigslist) for my mother's small business. She had a supermarket-grade router that often crashed, she doesn't want an old pc turned into a pfsense box, so I thought let's go for a cisco for their reputation. I'm a bit of a geek but definitely not a networking expert.
The model I have has an 8-port gigabit switch for lan and 2 gigabit ports for wan (one of them, gi8, is ethernet / SFP)
I need a very simple setup:
Internet --- broadband modem ---- cisco router / firewall ---- LAN
-broadband modem provides address with dhcp
-Lan contains desktop computers, and later on a wifi ap
-Lan needs to connect to the internet while being protected from what may come from it.
I have been through many tutorials without getting it right. In the beginning I used the console cable in order to set basic IP connectivity (wan and dhcp on vlan1) and then I tried to configure the router using the web-based interface showing the zone firewall.
When the firewall is configured, DHCP stops working on my lan. Also, some traffic doesn't get through (https fails sometimes) although it appears as allowed in the web interface.
I worked previously with a pfsense box at work, that matched my technical level, but here, I'm stuck.
I attached the configuration file. It contains many lines generated by CCP express (the web interface - version 3.5.3 btw, and the router IOS is 158-3.M5)
What am I doing wrong ?
Thanks for your help
DM
01-11-2021 05:08 PM
Hello
As it looks like you only have two ZBFW security zones applied, the below config should at least provide you with internet access:
no class-map type inspect match-any INTERNAL_DOMAIN_FILTER
no class-map type inspect match-any Others_app
no class-map type inspect match-any Web_app
no class-map type inspect match-all Others
no class-map type inspect match-all Web
no policy-map type inspect LAN-WAN-POLICY
class-map type inspect match-any LAN
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect LAN_pm
 class type inspect LAN
  inspect
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN_pm
01-12-2021 05:18 AM
Hi Paul
Thanks for your answer. I felt more comfortable with using Georg's answer. I still don't know if I made the right choice, but so far it's working ^^.
I will still give it a try and see how it performs.
Regards
DM
01-11-2021 11:49 PM - edited 01-11-2021 11:49 PM
Hello,
the reason your DHCP traffic is dropped is because it needs to 'pass' (and not 'inspect') to the self zone. In addition, inbound ACLs and ZBF do not work well together, as the inbound ACLs are evaluated first.
I made some changes/additions (marked with -->) to your configuration, see if you get it to work this way:
! Last configuration change at 12:55:49 UTC Mon Jan 11 2021
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip dhcp excluded-address 192.168.50.250 192.168.50.254
!
ip dhcp pool dhcp-lan
import all
network 192.168.50.0 255.255.255.0
default-router 192.168.50.254
--> dns-server 8.8.8.8 8.8.4.4
!
ip cef
no ipv6 cef
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
multilink bundle-name authenticated
!
license udi pid C892FSP-K9 sn FCZ211292Q6
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.50.0 255.255.255.0
!
object-group network vpn_remote_subnets
any
!
redundancy
!
--> class-map type inspect match-any Self-To-WAN-CM
--> match access-group 101
--> class-map type inspect match-any WAN-To-Self-CM
--> match access-group 102
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
--> policy-map type inspect WAN-To-Self-PM
--> class type inspect WAN-To-Self-CM
--> pass
--> class class-default
--> drop
!
--> policy-map type inspect Self-To-WAN-PM
--> class type inspect Self-To-WAN-CM
--> pass
--> class class-default
--> drop
!
policy-map type inspect LAN-WAN-POLICY
class type inspect Others
inspect
class type inspect Web
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
--> no zone security VPN
--> no zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
--> zone-pair security WAN-To-Self-ZP source WAN destination self
--> service-policy type inspect WAN-To-Self-PM
--> zone-pair security Self-To-WAN-ZP source self destination WAN
--> service-policy type inspect Self-To-WAN-PM
!
crypto isakmp policy 1
!
interface GigabitEthernet0
description LanSwitch
no ip address
!
interface GigabitEthernet1
description LanSwitch
no ip address
!
interface GigabitEthernet2
description LanSwitch
no ip address
!
interface GigabitEthernet3
description LanSwitch
no ip address
!
interface GigabitEthernet4
description LanSwitch
no ip address
!
interface GigabitEthernet5
description LanSwitch
no ip address
!
interface GigabitEthernet6
description LanSwitch
no ip address
!
interface GigabitEthernet7
description LanSwitch
no ip address
!
interface GigabitEthernet8
description PrimaryWANDesc_WanPrimaire
ip address dhcp hostname Routeur
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet9
no ip address
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.50.254 255.255.255.0
--> no ip access-group nat-list in
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
load-interval 30
!
ip forward-protocol nd
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
!
ip nat inside source list nat-list interface GigabitEthernet8 overload
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp
!
--> access-list extended 101
--> 10 permit udp any any eq 67
!
--> access-list extended 102
--> 10 permit udp any any eq 68
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
!
ipv6 ioam timestamp
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end
01-12-2021 05:13 AM - edited 01-12-2021 05:19 AM
Hi Georg. Thanks a lot for your help. I have used the configuration you wrote.
There's a catch. On my system, the syntax is slightly different for the lines
access-list extended 101
permit udp any any eq 67
access-list extended 102
permit udp any any eq 68
they have to be written like this:
access-list 101 permit udp any any eq bootps
access-list 102 permit udp any any eq bootpc
(the router automatically converted 67 and 68 that I typed into bootps and bootpc)
After I implemented your changes, hosts on the lan successfully received their addresses with dhcp. Thanks a lot.
But there was another problem: I could no longer access the wan. This was because of this line:
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp
that I reverted to
ip route 0.0.0.0 0.0.0.0 dhcp
and it worked ! Probably some of the router's IOS version syntax specifics, like for access-list.
As I noticed that some websites were not working correctly, I added with the GUI a pass-all policy on top of the existing two that cannot be modified. The reason for that is that I want a system easily changeable from its web interface.
Here's the resulting configuration file.
I wonder if I need a zone firewall at all for the case.
What is your opinion ?
Regards
DM
01-12-2021 05:25 AM - edited 01-12-2021 05:26 AM
Hello,
I was thinking the same thing: do you really need the ZBF ? For a typical home user, it is not really necessary. The entire configuration could be slimmed down to just the below (important parts marked in bold), this gives users unrestricted access to all sites, and frees up the router's resources (as that is a small and not very powerful router):
!
! Last configuration change at 12:15:34 UTC Tue Jan 12 2021 by cisco
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip dhcp excluded-address 192.168.50.250 192.168.50.254
!
ip dhcp pool dhcp-lan
import all
network 192.168.50.0 255.255.255.0
default-router 192.168.50.254
dns-server 8.8.8.8 8.8.4.4
!
ip cef
no ipv6 cef
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
multilink bundle-name authenticated
!
username cisco privilege 15 secret cisco
!
redundancy
!
interface GigabitEthernet0
description LanSwitch
no ip address
!
interface GigabitEthernet1
description LanSwitch
no ip address
!
interface GigabitEthernet2
description LanSwitch
no ip address
!
interface GigabitEthernet3
description LanSwitch
no ip address
!
interface GigabitEthernet4
description LanSwitch
no ip address
!
interface GigabitEthernet5
description LanSwitch
no ip address
!
interface GigabitEthernet6
description LanSwitch
no ip address
!
interface GigabitEthernet7
description LanSwitch
no ip address
!
interface GigabitEthernet8
description PrimaryWANDesc_WanPrimaire
ip address dhcp hostname Routeur
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet9
no ip address
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.50.254 255.255.255.0
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
load-interval 30
!
ip forward-protocol nd
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ipv6 ioam timestamp
!
access-list 1 permit 192.168.50.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end
01-12-2021 06:20 AM
Thanks again !
Well I tried and measured the throughput in Mbps
Without router: DL=302 UL=303 (I'm using FTTH but my mother's office has another provider)
With ZBF: DL=160 UL=154
Without ZBF: DL=270 UL=210
Your latest script definitely eats less throughput.
But a friend of mine advised me to test the router on the WAN port with nmap. Which I did. Ports 22, 80 and 443 are open on the WAN side. How can I make sure that nobody connects on the WAN side, but that I can still get a WAN IP by DHCP ?
Best regards
DM
01-12-2021 09:22 AM
Hello,
you are using something called 'double NAT', meaning your 892 router translates to the IP address given out by the ISP modem/router, which then translates the internal addresses to an actual public address. The ISP modem/router is where the potential vulnerability is, so it doesn't really matter what you configure on the 892. What brand/model is the ISP modem ? Does it have any security/firewall options ?
01-13-2021 03:10 AM
Hi Georg
Actually, I just remembered, the place where the router will be has a fixed IP. But it makes no difference. If I rely, for security, on an external device with an unknown configuration, I may probably miss the point of having a basic firewall.
As suggested by conspiracy theorists, I did my own research, and I finally understood how I could block those ports on WAN only. It's surprisingly simple. And nmap no longer shows those ports as open.
ip access-list extended block-mgmt-ports
 remark drop connections to the router's own HTTP/HTTPS/SSH services; first match wins
 deny tcp any any eq www
 deny tcp any any eq 443
 deny tcp any any eq 22
 remark everything else (including DHCP replies and NAT return traffic) is still allowed in
 permit ip any any
interface GigabitEthernet8
 ip access-group block-mgmt-ports in
Thanks a lot for your patience and your help. I learned something on this occasion.
The resulting configuration is attached (except for the fixed wan ip address), if anybody comes across a similar problem.
Best regards
DM
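The two things this thread ends up verifying by hand, an nmap scan of the WAN port and whether LAN hosts still get DHCP leases, can be read straight off the running-config. The following is an added example written for this page, not code from the thread or from Cisco. It audits an IOS config for the condition behind the accepted answer (with `ip http server`/`ip http secure-server` or a vty `transport input` other than `none` enabled, the WAN interface needs an inbound ACL that denies TCP 22/80/443 before permitting, or a WAN->self zone pair as in Georg's ZBFW version) and for the inbound ACL on Vlan1 that Georg's edit removes: DHCP DISCOVER arrives as UDP from 0.0.0.0 to 255.255.255.255 port 67, so a subnet-scoped `permit ip 192.168.50.0/24 any` never matches it and the implicit deny drops it. The sample configs are constructed in the shape of the thread's configs, the finding names are my own, and the ZBFW shortcut assumes the WAN->self policy does not itself pass those TCP ports.

```python
"""Audit an IOS running-config for two pitfalls from this thread: management services
reachable on the WAN interface, and an inbound LAN ACL that breaks the router's own DHCP
server. Added example for this page; not code from the thread or from Cisco IOS."""
import re

# IOS shows well-known ports by name ('eq www', 'eq bootps'); normalise both spellings.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "bootps": 67, "bootpc": 68}
MGMT_PORTS = {22, 80, 443}


def parse_config(text: str) -> list:
    """Group an IOS config into (top-level line, [lines indented beneath it]) sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line != "!":
            if raw.startswith(" ") and sections:
                sections[-1][1].append(line)
            else:
                sections.append((line, []))
    return sections


def _ace(entry: str):
    """Reduce an ACL entry to (action, protocol, source_is_any, eq_port); None for remarks."""
    tokens = entry.split()
    tokens = tokens[1:] if tokens and tokens[0].isdigit() else tokens   # drop sequence number
    if len(tokens) < 3 or tokens[0] not in ("permit", "deny"):
        return None
    m = re.search(r"\beq (\S+)", entry)
    port = None if not m else int(m.group(1)) if m.group(1).isdigit() else PORT_NAMES.get(m.group(1), -1)
    return tokens[0], tokens[1], tokens[2] == "any" or tokens[2:4] == ["host", "0.0.0.0"], port


def acl_denies_tcp_ports(entries: list, ports: set) -> bool:
    """True if every port is denied for TCP before a permit that could match it (ACLs are first-match)."""
    remaining = set(ports)
    for action, proto, _, port in filter(None, map(_ace, entries)):
        if proto not in ("tcp", "ip"):
            continue
        if action == "deny":
            remaining = remaining - {port} if port is not None else set()
        elif port is None or port in remaining:
            break                                   # a permit came first: what is left is exposed
    return not remaining


def acl_permits_dhcp_server(entries: list) -> bool:
    """DHCP DISCOVER is UDP 0.0.0.0 -> 255.255.255.255:67; a subnet-scoped permit never matches it."""
    for action, proto, src_any, port in filter(None, map(_ace, entries)):
        if proto in ("udp", "ip") and src_any and port in (None, 67):
            return action == "permit"
    return False                                    # implicit deny at the end of every ACL


def audit(config_text: str) -> dict:
    """Return findings keyed by check name, each listing offending interfaces; {} means clean."""
    sections = parse_config(config_text)
    top = {h for h, _ in sections}
    acls = {h.split()[-1]: kids for h, kids in sections if h.startswith("ip access-list extended ")}
    mgmt_enabled = bool({"ip http server", "ip http secure-server"} & top) or any(
        k.startswith("transport input") and "none" not in k
        for h, kids in sections if h.startswith("line vty") for k in kids)
    # Assumption: a WAN->self zone pair drops what its policy does not pass/inspect (class-default
    # defaults to drop), so it shields the router unless that policy passes TCP 22/80/443 itself.
    zbfw_shield = any(h.startswith("zone-pair security") and h.endswith("source WAN destination self") for h in top)
    dhcp_server = any(h.startswith("ip dhcp pool") for h in top)
    findings = {}
    for header, kids in sections:
        if not header.startswith("interface "):
            continue
        name = header.split()[1]
        inbound = [k.split()[2] for k in kids if k.startswith("ip access-group ") and k.endswith(" in")]
        if "ip nat outside" in kids or "zone-member security WAN" in kids:
            acl_shield = any(acl_denies_tcp_ports(acls.get(a, []), MGMT_PORTS) for a in inbound)
            if mgmt_enabled and not (acl_shield or zbfw_shield):
                findings.setdefault("mgmt_reachable_from_wan", []).append(name)
        elif "ip nat inside" in kids and dhcp_server and inbound:
            if not all(acl_permits_dhcp_server(acls.get(a, [])) for a in inbound):
                findings.setdefault("dhcp_blocked_by_inbound_acl", []).append(name)
    return findings


# Constructed sample in the shape of the first config in the thread: management services on,
# the CCP Express NAT ACL applied inbound on Vlan1, nothing filtering inbound on the WAN port.
BEFORE = """\
ip dhcp pool dhcp-lan
 network 192.168.50.0 255.255.255.0
ip http secure-server
interface GigabitEthernet8
 ip address dhcp
 ip nat outside
interface Vlan1
 ip access-group nat-list in
 ip nat inside
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
"""
# Constructed sample in the shape of the accepted answer: Vlan1 ACL gone, block-mgmt-ports inbound on WAN.
AFTER = BEFORE.replace(" ip access-group nat-list in\n", "").replace(
    " ip nat outside\n", " ip access-group block-mgmt-ports in\n ip nat outside\n") + """\
ip access-list extended block-mgmt-ports
 deny tcp any any eq www
 deny tcp any any eq 443
 deny tcp any any eq 22
 permit ip any any
"""

if __name__ == "__main__":
    print("before:", audit(BEFORE))   # both findings: GigabitEthernet8 exposed, Vlan1 DHCP blocked
    print("after:", audit(AFTER))     # {}
```

Run it against `show running-config` output saved to a file and the two checks report per interface. The ACL check deliberately walks entries in order: `permit ip any any` placed above the `deny` lines would pass the thread's own nmap test for nothing, and the check flags exactly that. It only looks at the TCP ports the thread names; anything else the router listens on (UDP services, for instance) has to be added to `MGMT_PORTS` and to the ACL.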
01-13-2021 03:22 AM
Hello,
does that access list not block any http/https/ssh access then ?
01-13-2021 03:37 AM
It does only on the WAN side. http/https/ssh remain open on the LAN side. Which is what I wanted. I end up with a robust router and a safe solution.
I still wonder if I could be missing something regarding security and what an ZBF could provide, at the expense of throughput.