06-15-2015 08:05 PM - edited 03-05-2019 01:40 AM
Looking for a basic firewall / ACLs that will deny any unsolicited inbound traffic but allow all devices on the inside to operate normally.
Basic working config:
Cisco_881W#sho run
Building configuration...
Current configuration : 2022 bytes
!
! Last configuration change at 06:26:51 UTC Tue Jun 16 2015
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco_881W
!
boot-start-marker
boot-end-marker
!
enable password <removed>
!
no aaa new-model
!
!
!
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
!
ip source-route
!
!
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
!
ip dhcp pool myDHCPpool
 import all
 network 10.20.30.0 255.255.255.0
 default-router 10.20.30.1
 dns-server 99.99.99.53 99.99.99.153
!
!
ip cef
ip name-server 9.99.99.53
ip name-server 9.99.99.153
no ipv6 cef
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 ipv6 address dhcp rapid-commit
 ipv6 enable
!
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
!
!
interface Vlan1
 ip address 10.20.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
router rip
 version 2
 network 10.0.0.0
 network 108.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 23 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 108.71.140.1
!
access-list 23 permit 10.20.30.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 password <removed>
 login
!
scheduler max-task-time 5000
end
06-16-2015 06:24 AM
Hi there,
You already have an implicit deny since you are not NAT'ing external traffic to your inside network (port-forwarding).
In its current configuration you should configure an ACL on your line vty to allow only access from inside networks:
!
line vty 0 4
 access-class 23 in
!
cheers,
Seb.
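Making that implicit deny explicit on this router, as an added example that is not part of the thread: a Classic Firewall (CBAC) inspection rule on FastEthernet4 opens return traffic only for sessions the 10.20.30.0/24 side started, an inbound ACL drops everything else, and access-list 23 from the original config restricts the vty lines and the HTTP server as Seb suggests. The names FW-INSPECT and OUTSIDE-IN are assumed, and ip inspect requires an IOS 15.0 image with the security feature set.

```cisco
! --- Classic Firewall (CBAC): track sessions leaving through FastEthernet4
!     and dynamically permit only their return traffic past the inbound ACL
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
!
! --- Inbound filter on the WAN side. It is evaluated before NAT, so the
!     destination it sees is the DHCP-assigned public address of Fa4.
ip access-list extended OUTSIDE-IN
 remark DHCP replies to the WAN client (Fa4 uses "ip address dhcp")
 permit udp any eq bootps any eq bootpc
 remark Everything else that nobody inside asked for is dropped and logged
 deny ip any any log
!
interface FastEthernet4
 ip access-group OUTSIDE-IN in
 ip inspect FW-INSPECT out
!
! --- Management plane: only the LAN (access-list 23 from the original
!     config) may reach the CLI or the HTTP server
ip http access-class 23
line vty 0 4
 access-class 23 in
!
! Caveat: NAT and this IPv4 filter say nothing about IPv6, and Fa4 has
! "ipv6 enable"; an ipv6 access-list / ipv6 traffic-filter is a separate job.
!
! Verify: "show ip inspect sessions" lists the open return paths,
!         "show ip access-lists OUTSIDE-IN" shows hit counts on the deny.
```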
06-16-2015 04:06 PM
Hi Seb,
Thanks for responding. I kinda thought that was the case, but I have been away for so long from router configurations and ACLs I couldn't recall for sure. It gets blurry real fast when you stop using it.
So if I need to start opening ports that will be when I need to make sure I keep things straight. We'll see if the games work this weekend :)
Thanks again!