Solved

Configuration Example Most Basic Zone Based Firewall

Posted on 2008-10-10
7
1,137 Views
Last Modified: 2012-05-05
I have some remote SOHO routers VPNing to a central site.  I want to add a very basic Zone Based Policy Firewall such that all traffic to the Internet is permitted out and its reply traffic is permitted in.  Inbound SIP traffic from two hosts is peritted in and IPSEC traffic is permitted from specific IP.  ICMP is permitted any any.  Would appreciate a configuration example.  Thanks.
0
Comment
Question by:amigan_99
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22693151
I highly recommend the Cisco ASA 5505 - this firewall is indeed zone-based and supports SIP as well as IPsec and SSL VPN. The unit runs about $350 USD and will do everything you need! It will work fine with an 871 router as well regarding the VPN.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html 
Cheers! Let me know if you have any questions
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22693153
Also - it supports all Cisco LAN routing protocols - EIGRP, OSPF, RIP.
0
 
LVL 10

Expert Comment

by:kyleb84
ID: 22699936
A Very basic example of this would be just to create a few ACLs:

This is just off the top of my head and would probably work.
- The config assumes your internal network is 192.168.1.0/24
- Also, the permit gre ACLs are still in place for the IPSEC.

At least you've got something to base your config on...

!
int Dialer 0
 ip access-group 110 in
!
! Allow SIP from hosts x.x.x.x, and y.y.y.y, deny the rest
access-list 110 permit tcp host x.x.x.x  any eq 5060
access-list 110 permit tcp host y.y.y.y  any eq 5060
access-list 110 deny tcp any 192.168.1.0 0.0.0.255 eq 5060
!
! IPSEC allow
access-list 110 permit tcp z.z.z.z 0.0.0.0 any eq 500
access-list 110 deny tcp any 192.168.1.0 0.0.0.255 eq 500
!
! ICMP
access-list 110 permit icmp any any
!
! And allow existing NAT TCP streams
access-list 110 permit tcp any any established
!
! DENY the rest
access-list 110 deny any any
!
0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 
LVL 1

Author Comment

by:amigan_99
ID: 22699945
Thanks for the ACL method.  But I specifically want the ZBPF so that all the return traffic is intelligently permitted back in.  
0
 
LVL 10

Accepted Solution

by:
kyleb84 earned 500 total points
ID: 22699972
0
 
LVL 1

Author Closing Comment

by:amigan_99
ID: 31505147
I was looking specifically for a minimalist configuration.  But this is the best answer.  Thanks.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22703963
The ASA/PIX will automatically permit all return traffic.
On Cisco routers, you must use the keyword "established" at the end of all TCP ACLs, like this:
access-list 110 permit tcp host y.y.y.y any eq 5060 established
Cheers! Let me know if you have any questions!
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month9 days, 7 hours left to enroll

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question