10-15-2011 11:29 PM - edited 03-05-2019 06:46 AM
I'd like to enable any firewall features and block any incoming WAN traffic (except for PPPoE negotiation and return inside traffic) as we use another DSL for incoming to servers.
Will just be used for outgoing port 80,443.
Could anyone guide as to what to do here?
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ADSL1841
!
boot-start-marker
boot system flash:/c1841-advipservicesk9-mz.124-22.T1.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$qZO0$nP19varmjKm89.UVXNO260
!
no aaa new-model
clock timezone PCTime 8
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name adsl1841.com
ip name-server 203.0.178.191
ip name-server 192.168.1.12
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
ip tcp synwait-time 10
no ip ftp passive
!
!
!
interface FastEthernet0/0
description $ES_LAN$
ip address 10.98.8.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
atm ilmi-keepalive
bundle-enable
!
interface ATM0/0/0.2 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
no ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname *******
ppp chap password 7 ******
ppp pap sent-username ******
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.98.0.0 255.255.0.0 10.98.8.1
ip route 192.168.1.0 255.255.255.0 10.98.8.1
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 10.98.0.0 0.0.255.255
dialer-list 1 protocol ip permit
snmp-server community cisco RW
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password 7 0207175F0D575D7218
login
!
scheduler allocate 4000 1000
end
Thanks for your help!
10-16-2011 11:45 PM
Hi,
I had entered the command by heart but indeed I made a mistake for this one, here is the correct syntax:
zone-pair security
Regards.
Alain.
10-16-2011 12:58 AM
Hi,
If it is supported on your platform you can use CBAC or ZBF, which are 2 stateful firewalling features, the latter being the new way.
1)CBAC
config# ip inspect log drop-pkt
config# ip inspect name MYFW tcp
config# ip inspect name MYFW udp
config# ip access-list extended INSIDEACL
permit tcp any any eq 80
permit tcp any any eq 443
permit udp any host 203.0.178.191 eq 53
config# ip access-list extended OUTACL
deny ip any any
config# int f0/0
ip access-group INSIDEACL in
config# int Dialer1
ip access-group OUTACL in
ip inspect MYFW out
2) ZBF
config# zone sec IN
config# zone sec OUT
config# ip access-list extended INSIDEACL
permit tcp any any eq 80
permit tcp any any eq 443
permit udp any host 203.0.178.191 eq 53
config# class-map type inspect match-any IN_OUT
match access-group name INSIDEACL
config# policy-map type inspect IN_OUT_INSP
class type inspect IN_OUT
inspect
config# int f0/0
zone sec IN
config# int dialer1
zone sec OUT
config# zone-pair sec source IN destination OUT
service-policy type inspect IN_OUT_INSP
config# ip inspect log drop-pkt
Regards.
Alain.
10-16-2011 09:08 PM
Thanks, I configured the Zone Based Firewall with the following commands...
zone sec IN
zone sec OUT
ip access-list extended INSIDEACL
permit tcp any any eq 80
permit tcp any any eq 443
permit udp any any eq 53
class-MAP type inspect match-any IN_OUT
match access-group name INSIDEACL
policy-map type inspect IN_OUT_INSP
class type inspect IN_OUT
inspect
int f0/0
zone sec IN
int dialer1
zone sec OUT
It's just that when I input the command below, the router wouldn't let me use it:
zone-pair sec source IN destination OUT
It only let me input:
zone-pair sec source source IN destination OUT
or
zone-pair sec source source zone IN destination OUT
So I used source. Is this correct or should I have input source zone?
Other than that, the commands were input successfully:
service-policy type inspect IN_OUT_INSP
ip inspect log drop-pkt
Please let me know which command to use,
Thanks...
10-17-2011 12:02 AM
You Rule!!!
THANKS!!!
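Below is the ZBF configuration for this router in one piece, added here as an example and not taken from the thread. It assumes the zone, ACL and policy names from Alain's reply, the zone-pair name IN_TO_OUT, and the LAN ranges and public resolver from the posted config; the interface command is written out as zone-member security, of which the thread's zone sec is the accepted abbreviation.

```cisco
! Zones: one for the LAN, one for the PPPoE WAN
zone security IN
zone security OUT
!
! Sessions the LAN may open toward the Internet: HTTP, HTTPS and DNS
! to the public resolver the router already lists (192.168.1.12 is
! reached inside the LAN and never crosses the zone-pair)
ip access-list extended INSIDEACL
 permit tcp 10.98.0.0 0.0.255.255 any eq 80
 permit tcp 10.98.0.0 0.0.255.255 any eq 443
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit udp 10.98.0.0 0.0.255.255 host 203.0.178.191 eq 53
 permit udp 192.168.1.0 0.0.0.255 host 203.0.178.191 eq 53
!
class-map type inspect match-any IN_OUT
 match access-group name INSIDEACL
!
! Inspect matching sessions so their return traffic is allowed back in;
! anything else from IN to OUT is dropped and logged
policy-map type inspect IN_OUT_INSP
 class type inspect IN_OUT
  inspect
 class class-default
  drop log
!
interface FastEthernet0/0
 zone-member security IN
interface Dialer1
 zone-member security OUT
!
! The zone-pair must carry a name; "zone-pair security source IN
! destination OUT" without one is what the parser rejected in the thread
! (IN_TO_OUT is an assumed name, any label works)
zone-pair security IN_TO_OUT source IN destination OUT
 service-policy type inspect IN_OUT_INSP
!
ip inspect log drop-pkt
!
! No OUT->IN zone-pair is defined, so unsolicited traffic arriving on
! Dialer1 is dropped. PPPoE/PPP negotiation and the router's own DNS
! queries belong to the implicit self zone, which stays open because no
! policy is attached to it.
```

With this in place the existing NAT overload on Dialer1 keeps working unchanged, and "show policy-map type inspect zone-pair IN_TO_OUT sessions" lists the inspected outbound sessions.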