cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
95
Views
0
Helpful
2
Replies
Highlighted
Beginner

Need to figure out a basic FW on a 881 SOHO Router

Looking for a basic firewall / ACL's that will deny any unsolicited inbound traffic but allow all devices on the inside to operate normally, 

 

Basic working config:

Cisco_881W#sho run
Building configuration...

Current configuration : 2022 bytes
!
! Last configuration change at 06:26:51 UTC Tue Jun 16 2015
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco_881W
!
boot-start-marker
boot-end-marker
!
enable password <removed>
!
no aaa new-model
!
!
!
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
!
ip source-route
!
!
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
!
ip dhcp pool myDHCPpool
   import all
   network 10.20.30.0 255.255.255.0
   default-router 10.20.30.1 
   dns-server 99.99.99.53 99.99.99.153 
!
!
ip cef
ip name-server 9.99.99.53
ip name-server 9.99.99.153
no ipv6 cef
!
!

!         
!
archive
 log config
  hidekeys
!
!

!
!
!
!
!
!
interface FastEthernet0
 !
!
interface FastEthernet1
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 ipv6 address dhcp rapid-commit
 ipv6 enable
 !
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
 !
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 !
!
interface Vlan1
 ip address 10.20.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
router rip
 version 2
 network 10.0.0.0
 network 108.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 23 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 108.71.140.1
!
access-list 23 permit 10.20.30.0 0.0.0.255
!
!
!
!
!
control-plane
 !
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 password <removed>
 login
!
scheduler max-task-time 5000
end

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Advisor

Hi there,

Hi there,

You already have an implict deny since you are not NAT'ing external traffic to your inside network (port-forwarding).

In its current configuration you should configre an ACL on your line vty to allow only access from inside networks:

 

!
line vty 0 4
  access-class 23 in
!

 

cheers,

Seb.

 

View solution in original post

2 REPLIES 2
Highlighted
VIP Advisor

Hi there,

Hi there,

You already have an implict deny since you are not NAT'ing external traffic to your inside network (port-forwarding).

In its current configuration you should configre an ACL on your line vty to allow only access from inside networks:

 

!
line vty 0 4
  access-class 23 in
!

 

cheers,

Seb.

 

View solution in original post

Highlighted
Beginner

Hi Seb,Thanks for responding.

Hi Seb,

Thanks for responding.  I kinda thought that was the case, but I have been away for so long from router configurations and ACL's I couldn't recall for sure.  It gets blurry real fast when you stop using it.

So if I need to start opening ports that will be when I need to make sure I keep things straight. We'll see if the games work this weekend :)

Thanks again!