
Cisco 1841 with security bundle DMZ setup and review running config

I need to have a DMZ set up on Ethernet port 0/0 with the 63...226 address so that all the 63 servers can talk to the 10 traffic and vice versa. I also need to have the 63...225 address open to the outside world for SDM access and telnet. I also need logging enabled and intrusion protection.

This is a copy of the running config; any suggestions are helpful.


Building configuration...

Current configuration : 5721 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname bhu
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
resource policy
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip dhcp use vrf connected
ip dhcp excluded-address 10.4.2.1 10.4.2.99
ip dhcp excluded-address 10.4.2.251 10.4.2.254
!
ip dhcp pool 10.4.2.x
   import all
   network 10.4.2.0 255.255.255.0
   dns-server 66.153.20.73 66.153.20.66
   default-router 10.4.2.1
   lease 6
!
!
ip ips notify SDEE
ip name-server 66.153.20.73
ip name-server 66.153.20.66
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 63.139.76.225 255.255.255.224
 ip access-group 100 in
 speed auto
 full-duplex
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 10.4.2.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 switchport access vlan 2
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Serial0/1/0
 description $FW_OUTSIDE$
 ip address 63.139.44.218 255.255.255.252
 ip access-group 104 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 no fair-queue
 service-module t1 timeslots 1-24
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.4.3.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 description $FW_INSIDE$
 ip address 10.4.4.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
ip route 0.0.0.0 0.0.0.0 63.139.44.217
!
ip http server
no ip http secure-server
ip nat inside source list nat interface Serial0/1/0 overload
!
ip access-list extended nat
 remark SDM_ACL Category=2
 permit ip 10.4.2.0 0.0.1.255 any
 permit ip 10.4.4.0 0.0.0.255 any
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 10.4.4.0 0.0.0.255 any
access-list 100 deny   ip 10.4.3.0 0.0.0.255 any
access-list 100 deny   ip 10.4.2.0 0.0.0.255 any
access-list 100 deny   ip 63.139.44.216 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 10.4.4.0 0.0.0.255 any
access-list 101 deny   ip 10.4.3.0 0.0.0.255 any
access-list 101 deny   ip 63.139.44.216 0.0.0.3 any
access-list 101 deny   ip 63.139.76.224 0.0.0.31 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip 10.4.4.0 0.0.0.255 any
access-list 102 deny   ip 10.4.2.0 0.0.0.255 any
access-list 102 deny   ip 63.139.44.216 0.0.0.3 any
access-list 102 deny   ip 63.139.76.224 0.0.0.31 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip 10.4.3.0 0.0.0.255 any
access-list 103 deny   ip 10.4.2.0 0.0.0.255 any
access-list 103 deny   ip 63.139.44.216 0.0.0.3 any
access-list 103 deny   ip 63.139.76.224 0.0.0.31 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any host 63.139.76.226 eq 443
access-list 104 permit tcp any host 63.139.76.226 eq www
access-list 104 permit udp host 66.153.20.66 eq domain host 63.139.44.218
access-list 104 permit udp host 66.153.20.73 eq domain host 63.139.44.218
access-list 104 deny   ip 10.4.4.0 0.0.0.255 any
access-list 104 deny   ip 10.4.3.0 0.0.0.255 any
access-list 104 deny   ip 10.4.2.0 0.0.0.255 any
access-list 104 deny   ip 63.139.76.224 0.0.0.31 any
access-list 104 permit icmp any host 63.139.44.218 echo-reply
access-list 104 permit icmp any host 63.139.44.218 time-exceeded
access-list 104 permit icmp any host 63.139.44.218 unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
warm-reboot
end
Asked by ckness
1 Solution
 
charan_jeetsingh commented:
To initialize Cisco IOS Firewall IDS on a router, go through this page:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm


Use the 'ip inspect' command for logging.
