Basic Cisco Firewall Config

lodogg
Posted: 05 July 2007 at 11:34am
This option is the most economical and might be a quick way to tackle the problem. Keep in mind that

1. This basic Firewall ACL only works in certain situations and for certain protocol usages

2. Should you choose to implement this basic Firewall ACL on the router, it is suggested to have an additional hardware firewall sitting behind the router as a long-term solution

Assumptions on the sample configuration:

* There is Ethernet 0 interface as your LAN interface and Ethernet 1 interface as your WAN interface
* You have a single static Public IP address within your network (the 1.1.1.2/30)
* The Internet default gateway is 1.1.1.1/30
* Your LAN only has 10.0.0.0/24 as internal network and nothing else
* You run public Web and Mail servers (the www and smtp) using the 1.1.1.2 as the public IP address
* The internal Mail server IP address is 10.0.0.2 and the internal Web server IP address is 10.0.0.3
* You also use 1.1.1.2 for Internet browsing traffic from your LAN
* You use your ISP DNS servers to browse the Internet (the TCP and UDP 53)
* Your network daily usage is only browsing the Internet (that only use protocol TCP) and no other protocols used
* You keep logs on potential illegitimate traffic attempts

Following is the sample configuration

interface Ethernet0
description LAN interface
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
interface Ethernet1
description WAN interface
ip address 1.1.1.2 255.255.255.252
ip access-group 100 in
ip access-group 101 out
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
ip nat inside source static tcp 10.0.0.2 25 1.1.1.2 25
ip nat inside source static tcp 10.0.0.3 80 1.1.1.2 80
!
ip nat inside source list 110 interface Ethernet1 overload
!
access-list 100 remark Basic Firewall to protect from Internet intruders
access-list 100 permit tcp any host 1.1.1.2 eq 25
access-list 100 permit tcp any host 1.1.1.2 eq 80
access-list 100 permit udp any eq 53 host 1.1.1.2
access-list 100 permit tcp any host 1.1.1.2 established
access-list 100 deny ip any any log-input
!
access-list 101 remark Deny Illegitimate Traffic go outbound
access-list 101 deny tcp any any eq 135 log-input
access-list 101 deny tcp any eq 135 any log-input
access-list 101 deny udp any any eq 135 log-input
access-list 101 deny udp any eq 135 any log-input
access-list 101 deny tcp any any range 137 139 log-input
access-list 101 deny tcp any range 137 139 any log-input
access-list 101 deny udp any any range 137 139 log-input
access-list 101 deny udp any range 137 139 any log-input
access-list 101 deny tcp any any eq 445 log-input
access-list 101 deny tcp any eq 445 any log-input
access-list 101 deny udp any any eq 445 log-input
access-list 101 deny udp any eq 445 any log-input
access-list 101 deny tcp any any eq 593 log-input
access-list 101 deny tcp any eq 593 any log-input
access-list 101 deny tcp any any eq 707 log-input
access-list 101 deny tcp any eq 707 any log-input
access-list 101 deny tcp any any eq 4444 log-input
access-list 101 deny tcp any eq 4444 any log-input
access-list 101 deny ip host 0.0.0.0 any log-input
access-list 101 deny ip host 255.255.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip any 10.0.0.0 0.255.255.255 log-input
access-list 101 deny ip any 172.16.0.0 0.15.255.255 log-input
access-list 101 deny ip any 192.168.0.0 0.0.255.255 log-input
access-list 101 permit ip 1.1.1.0 0.0.0.3 any
access-list 101 deny ip any any log-input
!
access-list 110 remark Deny NAT/PAT for Illegitimate Traffic
access-list 110 deny ip 1.1.1.0 0.0.0.3 any log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log-input
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 deny ip any any log-input

Notes:

1. The sample configuration is not intended as full router configuration. It only shows related commands.

2. ACL 100: Inbound Traffic Firewall
* The key of the Firewall ACL (ACL 100) is the "established" keyword
* Internet browsing means outbound connections initiated from your LAN out to the Internet
* Most common Internet browsing (i.e. opening up websites, FTP sites, some Internet video or audio live streaming) only requires protocol TCP
* With Internet browsing, only established TCP packets are necessary to enter your network, as reply packets
* These established TCP packets are TCP ACK (acknowledge) during the three-way handshake or in ESTABLISHED mode (the actual data transfer), and RST (reset to close the connection)
* With the "established" keyword, only TCP packets with ACK or RST will be permitted to enter your network
* Note that there is no need to specify "access-list 100 permit tcp any eq 53 host 1.1.1.2" since the "access-list 100 permit tcp any host 1.1.1.2 established" would take care of reply TCP port 53 (DNS) packets

3. ACL 101: Outbound Traffic Firewall
* Those TCP and UDP ports are known to be used by viruses/worms; therefore outbound connections to the Internet on such ports should be blocked
* The host IP addresses are "invalid IP addresses" from an Internet browsing perspective
* Since only the 1.1.1.0/30 subnet is used as the Public IP subnet, any other IP addresses from a different subnet trying to go out to the Internet using the router should be illegitimate traffic and hence should be blocked

4. ACL 110: NAT/PAT Traffic Firewall
* NAT/PAT sourcing from any IP address within your Public IP subnet, or from any IP address other than your internal subnet, should be illegitimate traffic and is known to be used in DoS (Denial of Service) attacks; hence it should be blocked
* There are no private subnets on the Internet, hence NAT/PAT to those subnets should be blocked as well

5. Blackholing illegitimate traffic
Since there are no private subnets within your network other than 10.0.0.0/24, traffic to other private subnets should go to the Null interface (black hole)
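Added example (not part of lodogg's post): a small Python evaluator for the numbered-ACL syntax used in the configuration above. It parses ACL 100 as posted plus a four-line excerpt of ACL 101, then runs constructed packets through them with IOS first-match, top-down semantics and the implicit deny at the end. The point it makes visible is that `established` is a per-packet check on the ACK/RST flags, not a connection table, which is why the post recommends a real firewall behind the router. The packet dictionaries, TEST-NET addresses and port numbers are assumptions made up for the demonstration; the `run_all` helper is mine, not an IOS feature.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: ACL 100 copied from the post, plus an excerpt of ACL 101
# (enough lines to show a worm-port block, the public-subnet permit and the final deny).
ACL_100 = """
access-list 100 remark Basic Firewall to protect from Internet intruders
access-list 100 permit tcp any host 1.1.1.2 eq 25
access-list 100 permit tcp any host 1.1.1.2 eq 80
access-list 100 permit udp any eq 53 host 1.1.1.2
access-list 100 permit tcp any host 1.1.1.2 established
access-list 100 deny ip any any log-input
"""
ACL_101_EXCERPT = """
access-list 101 deny tcp any any eq 445 log-input
access-list 101 deny ip any 10.0.0.0 0.255.255.255 log-input
access-list 101 permit ip 1.1.1.0 0.0.0.3 any
access-list 101 deny ip any any log-input
"""

@dataclass
class Rule:
    action: str
    proto: str
    src: tuple              # (address as int, wildcard mask as int)
    sport: Optional[tuple]  # (low, high), or None when no port qualifier
    dst: tuple
    dport: Optional[tuple]
    established: bool
    log: bool
    text: str               # original line, returned on match for logging

def _addr(tok, i):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def _port(tok, i):
    """Consume an optional 'eq N' or 'range A B' qualifier."""
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]),) * 2, i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_acl(text):
    """Parse numbered-ACL lines into Rule objects in order; remark lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rest = tok[i:]
        rules.append(Rule(tok[2], tok[3], src, sport, dst, dport, "established" in rest,
                          any(t.startswith("log") for t in rest), line.strip()))
    return rules

def _addr_match(spec, ip):
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF  # wildcard bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)

def _port_match(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])

def evaluate(rules, pkt):
    """First-match evaluation; returns (action, matching line, logged). Implicit deny at the end."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt["proto"]:
            continue
        if not (_addr_match(r.src, pkt["src"]) and _addr_match(r.dst, pkt["dst"])):
            continue
        if not (_port_match(r.sport, pkt.get("sport")) and _port_match(r.dport, pkt.get("dport"))):
            continue
        # 'established' is stateless: it only checks that ACK or RST is set on this packet
        if r.established and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return r.action, r.text, r.log
    return "deny", "implicit deny", False

# Constructed packets (TEST-NET addresses stand in for Internet hosts).
INBOUND = {  # arrive on Ethernet1, checked by ACL 100
    "web_syn": dict(proto="tcp", src="203.0.113.7", sport=40000, dst="1.1.1.2", dport=80, flags={"SYN"}),
    "browse_reply": dict(proto="tcp", src="198.51.100.9", sport=443, dst="1.1.1.2", dport=51234, flags={"ACK"}),
    "dns_reply": dict(proto="udp", src="198.51.100.53", sport=53, dst="1.1.1.2", dport=51235),
    "ssh_syn": dict(proto="tcp", src="203.0.113.7", sport=40001, dst="1.1.1.2", dport=22, flags={"SYN"}),
    "unsolicited_ack": dict(proto="tcp", src="203.0.113.7", sport=40002, dst="1.1.1.2", dport=22, flags={"ACK"}),
}
OUTBOUND = {  # leave Ethernet1 after PAT (source already 1.1.1.2), checked by ACL 101
    "browse": dict(proto="tcp", src="1.1.1.2", sport=51234, dst="198.51.100.9", dport=443, flags={"SYN"}),
    "smb_to_internet": dict(proto="tcp", src="1.1.1.2", sport=51236, dst="203.0.113.7", dport=445, flags={"SYN"}),
}

def run_all():
    a100, a101 = parse_acl(ACL_100), parse_acl(ACL_101_EXCERPT)
    results = {n: evaluate(a100, p) for n, p in INBOUND.items()}
    results.update({n: evaluate(a101, p) for n, p in OUTBOUND.items()})
    return results

if __name__ == "__main__":
    for name, (action, line, logged) in run_all().items():
        print(f"{name:16} {action:6} {'LOG' if logged else '   '}  {line}")
```

Running it shows `ssh_syn` hitting the final `deny ip any any log-input` (the line that produces the log entries the post keeps), while `unsolicited_ack` is permitted by the `established` line even though no connection was ever opened from the LAN; the outbound SMB attempt is caught and logged by ACL 101 before it reaches the Internet.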
esther.david6
Posted: 08 December 2008 at 2:06am
Thank you for giving this information; this information is very useful and helpful also, and I will use this in my regular work.
esther david