Solved

Firewall behind Cisco 827?  How to configure DMZ host?

Posted on 2004-09-21
10
1,358 Views
Last Modified: 2010-08-05
Hello all,

I would like to put a Linux-based firewall/IDS behind my Cisco 827.  To do so, I believe I have to configure the firewall box as a DMZ host on the Cisco so the Cisco will forward all traffic inside to it.  Most cheap new Linksys/Netgear/ActionTec/etc. routers have this capability with a single checkbox, so I was assuming that this Cisco would too, but I haven't been able to figure out how to do it at the command line interface.

Any assistance properly configuring a DMZ host on this Cisco router would be greatly appreciated.  If I'm barking up the wrong tree and there is some other way to allow a firewall behind the Cisco, I'd take that too.  If I can get this working, I can avoid switching to the junky ActionTec router my ISP is trying to foist upon me!

Below is my current config and version information.

Thanks!

Eli

Current:
=====
Cisco -> Switch -> Workstations

Proposed:
======
Cisco -> Firewall -> Switch -> Workstations

Current (sanitized) Cisco config:
=============
DSLRouter#sh run
Building configuration...

Current configuration : 3723 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname DSLRouter
!
logging rate-limit console 10 except errors
enable secret 5 xxx
enable password 7 xxx
!
username xxx privilege 15 password 7 xxx
ip subnet-zero
no ip finger
ip name-server 216.165.128.161
ip name-server 216.165.128.165
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
!
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0
 ip address 10.1.1.1 255.255.0.0
 ip nat inside
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer0
 bandwidth 4096
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp pap sent-username xxx password 7 xxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.1.100.6 25 interface Dialer0 25
<--snip--->
lots more port forwarding deleted...
<--snip--->
access-list 1 permit 10.1.0.0 0.0.255.255
!
line con 0
 exec-timeout 120 0
 password 7 xxx
 transport input none
 stopbits 1
line vty 0 3
 exec-timeout 0 0
 password 7 xxx
 login
line vty 4
 exec-timeout 0 0
 password 7 xxx
 login
!
scheduler max-task-time 5000
end

DSLRouter#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C820 Software (C820-Y6-M), Version 12.1(5)YB4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Tue 03-Jul-01 18:18 by ealyon
Image text-base: 0x80013170, data-base: 0x80672A1C

ROM: System Bootstrap, Version 12.2(1r)XE2, RELEASE SOFTWARE (fc1)
ROM: C820 Software (C820-Y6-M), Version 12.1(5)YB4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

DSLRouter uptime is 1 hour, 12 minutes
System returned to ROM by power-on
System image file is "flash:c820-y6-mz.121-5.YB4"

CISCO C827 (MPC855T) processor (revision 0x701) with 15360K/1024K bytes of memory.
Processor board ID JAD05430A6A (4208687172), with hardware revision 0000
CPU rev number 5
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
Question by:etsolow
10 Comments
 
LVL 11

Accepted Solution

by:
PennGwyn earned 500 total points
ID: 12114116
The appropriation of the term "DMZ" by SOHO router manufacturers should not be propagated.  A true DMZ is a separate subnet, isolated from the trusted internal network by a firewall/filter IN ORDER to make it tolerably safe to make servers in that subnet visible to the outside world.  Making a server visible without any such security is NOT a "DMZ".

That said, you don't need a "DMZ host" to do what you want.  You need a static route that tells the Cisco that your LAN block, 10.10.10.x, is reached by sending packets to the outside interface of the Linux box, which will apparently be on the 10.1.x.x block.  (Using a /16 block for a segment that probably just consists of a crossover cable is kind of wasteful, but it will work.)

ip route 10.10.10.0 255.255.255.0 10.1.x.x

That will do it.

0
 
LVL 2

Author Comment

by:etsolow
ID: 12114298
That 10.1.x.x config is for my current network, without the firewall in place.  Frankly, I don't know what that 10.10.10.x stuff is - all my workstations are in the 10.1.x.x range.  (Probably just leftover from the default ISP setup.)  I plan to use a 192.168.x.x range for the network between the router and the firewall...

So it'll look like:

dynamic|Cisco|192.168.1.1 <-> 192.168.1.2|Firewall|10.1.1.1 <-> 10.1.x.x|Workstations

And my route statement will be:

ip route 10.1.0.0 255.255.0.0 192.168.1.2

Does that look right?
0
 
LVL 2

Author Comment

by:etsolow
ID: 12114581
Or would that final address be 192.168.1.1 (the internal interface of the Cisco)?
0
 
LVL 2

Author Comment

by:etsolow
ID: 12115093
After further consideration, I must say that I don't think this solution will work.  A static route determines where to send traffic that is bound for a particular subnet, right?  Well all the traffic that hits my router is bound for its external address, not any internal/private address I may have, so I believe that static route will simply be ignored.

Your DMZ rant notwithstanding, there is more to the "DMZ host" setting on SOHO routers than a simple static route.  It is essentially performing NAT port forwarding on all ports, it seems to me.

Am I off base?
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 12116868
> Or would that final address be 192.168.1.1 (the internal interface of the Cisco)?

The Cisco already knows how to get to itself.  It needs to know that the firewall is how to reach this destination.

> After further consideration, I must say that I don't think this solution will work.  A static route determines where to send
> traffic that is bound for a particular subnet, right?  Well all the traffic that hits my router is bound for its external address,
> not any internal/private address I may have, so I believe that static route will simply be ignored.

OUTBOUND traffic will go to the firewall, since that's your hosts' default route.  It will send them to the Cisco since that's ITS default route.  The Cisco will forward them to the ISP (after NATting them) since that's ITS default route.

INBOUND traffic from the ISP will come to the Cisco since it bears the NATted external address.  The Cisco will reverse the NAT and look for a route to 10.1.x.x.  If it doesn't have one, it will either re-NAT the packet and send it to its default route (back to the ISP...), or drop it.  Since it doesn't have a 10.1.x.x interface, it needs to be told to send those packets to somebody who DOES.

> Your DMZ rant notwithstanding, there is more to the "DMZ host" setting on SOHO routers than a simple static route.  It is
> essentially performing NAT port forwarding on all ports, it seems to me.
>
> Am I off base?

Yes.

(a) You're right, it's not a static route.  I never said it was -- I said that what YOU need *is* a static route.  A "DMZ host" is not the right approach to take to solve your problem -- and neither is any kind of NAT port forwarding.

(b) NAT port forwarding does nothing to restrict traffic between the "DMZ host" and other machines on the internal LAN.  Calling it a "DMZ" doesn't make it one.


0
 
LVL 2

Author Comment

by:etsolow
ID: 12116951
OK, for outbound traffic I can see your logic.  And inbound traffic in reply to that outbound traffic, sure.  Perhaps I misled you by saying there were only workstations on the internal network, but what about unsolicited inbound traffic, to an internal web or mail server?  There's no NAT to reverse - how does the static route come into play when the *destination* is the external interface of my router?
0
 
LVL 2

Author Comment

by:etsolow
ID: 12118015
So, I made the changes you suggested.  At this point I have internet access from inside, but as I suspected I cannot get access to my internal network from outside.

I have SMTP running on 10.1.100.6 and a firewall rule to allow 25/TCP to that address.  I can connect to port 25 from the router so that tells me the firewall isn't blocking it and the route is configured correctly; I can't telnet to 25 from outside, and I suspect the reason is what I mentioned above.
0
 
LVL 2

Author Comment

by:etsolow
ID: 12118504
One last update... ;)

Perhaps this is what you had in mind:  if I use port forwarding on the router and forward the relevant ports in to the firewall, then on the firewall forward those ports inbound, everything works.  However, that's not what I wanted to do.  I was hoping to forward *everything* in to the router, allowing me to log port scans, probes, etc., on the firewall and also allowing me to use only the firewall to control the inbound ports instead of maintaining the inbound ports on both devices.

Does that help clarify exactly what I'm trying to do?  If so, do you still think that the static route can accomplish this?

Eli
0
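The inbound path argued over in this thread (PennGwyn's "reverse the NAT, then look for a route" description and Eli's objection that unsolicited traffic to the router's own address has nothing to reverse), as an added Python model that is not part of the original thread. The addresses and the static route come from the posts; the public address 203.0.113.10 is a placeholder, and the NAT table holds only the one static entry visible in the config.

```python
import ipaddress

# Constructed model of the thread's proposed topology (example code, not the router's).
# Dialer0 gets a negotiated public address; 203.0.113.10 stands in for it here.
ROUTER_PUBLIC = ipaddress.ip_address("203.0.113.10")

# Routing table as (prefix, next hop).  The /16 entry is the static route PennGwyn
# proposed: "ip route 10.1.0.0 255.255.0.0 192.168.1.2" (firewall's outside address).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "Dialer0 (ISP)"),
    (ipaddress.ip_network("192.168.1.0/24"), "connected"),
    (ipaddress.ip_network("10.1.0.0/16"), "192.168.1.2"),
]

# Static NAT entries from the config: (proto, public port) -> (inside host, inside port),
# i.e. "ip nat inside source static tcp 10.1.100.6 25 interface Dialer0 25".
STATIC_NAT = {("tcp", 25): (ipaddress.ip_address("10.1.100.6"), 25)}


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match over the table; returns the next hop or None."""
    best = None
    for prefix, nexthop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


def inbound_decision(dst, proto, dport, routes=ROUTES, nat=STATIC_NAT):
    """What the Cisco does with a packet arriving from the ISP side."""
    if dst != ROUTER_PUBLIC:
        return "not for us"
    # Step 1: is there a translation to reverse?  Unsolicited traffic with no matching
    # static (or dynamic) entry stays addressed to the router itself and is never routed,
    # which is why a static route alone cannot hand *everything* to the firewall.
    if (proto, dport) not in nat:
        return "dropped: destined to router, no NAT entry to reverse"
    inside_ip, inside_port = nat[(proto, dport)]
    # Step 2: after un-NATting, the packet is destined to 10.1.x.x and needs a route.
    nexthop = lookup_route(inside_ip, routes)
    if nexthop == "Dialer0 (ISP)":
        return f"re-NATted and sent back to ISP (no route to {inside_ip})"
    return f"forwarded to {inside_ip}:{inside_port} via {nexthop}"


if __name__ == "__main__":
    for port in (25, 80):
        print(f"tcp/{port}: {inbound_decision(ROUTER_PUBLIC, 'tcp', port)}")
    print("without static route:", inbound_decision(ROUTER_PUBLIC, "tcp", 25, routes=ROUTES[:2]))
```

Dropping the static route from the table reproduces the failure PennGwyn describes (the un-NATted packet follows the default route back to the ISP), while a port with no static entry shows why Eli's port-25 test only worked once a NAT entry existed on the Cisco as well.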