Configuring Cisco 871w router for NAT/firewall

Posted on 2008-11-12
Last Modified: 2012-08-13
I'm setting up a new Cisco 871w router. So far I've configured it so that NAT is set up so that clients can access the internet. This is working. I would like to put this router into "stealth" mode, so to speak, so that it does not respond to ports on the outside interface (except for any that I may open and forward). Right now it either responds closed or has various ports open (including SSH). I've tried enabling the firewall and it does successfully lock down the router from the outside, but it has the side effect of completely blocking all traffic. Inside users can no longer access the internet, despite what the documentation says.

At the moment I've been configuring this via SDM, which perhaps is my first mistake. I'm not familiar enough with the IOS yet, but I'm learning as fast as I can.

I'm guessing either the ACLs aren't right, the firewall settings are not right after SDM creates it, or the NAT is not set up correctly (although it seems to work). Since this is a new setup, there is nothing that can't be changed. Any help would be appreciated.
Question by: Melange

    Accepted Solution

    Here is a very basic setup for CBAC.  You may be missing the inspect statements.

    ! inbound ACL on the WAN interface: DNS replies (source port 53), DHCP for a
    ! WAN address assigned by DHCP, everything else dropped and logged
    ip access-list extended firewall
     permit udp any eq domain any
     permit udp any eq bootps any eq bootps
     deny ip any any log

    interface fastethernet x
     ip access-group firewall in

    ! CBAC inspection rules; icmp is needed if you want to ping outside of the 871
    ip inspect name firewall icmp
    ip inspect name firewall tcp
    ip inspect name firewall udp

    ! apply the inspection to traffic leaving the WAN interface
    interface fastethernet x
     ip inspect firewall out
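    A complete version of the same CBAC design for an 871, added here as an example and not part of the accepted solution. It assumes FastEthernet4 is the WAN port, the four switch ports (FastEthernet0-3) sit in Vlan1 as the LAN, a static WAN address of 203.0.113.10/24 with gateway 203.0.113.1, an inside network of 192.168.1.0/24, and one forwarded service (a web server at 192.168.1.10). Those addresses, the ACL names FROM-WAN, NAT-INSIDE and MGMT, and the inspect name FW are assumptions. Unlike the basic ACL above it does not open UDP source port 53 to the world: the udp inspect rule admits DNS replies for queries that actually went out.

```cisco
! --- added example, not the original poster's configuration ---
!
! LAN side (switch ports FE0-3 are members of Vlan1 on the 871)
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! WAN side: NAT outside, inbound ACL, CBAC inspection of outbound sessions.
! "no ip unreachables" suppresses the ICMP administratively-prohibited
! replies IOS otherwise sends for ACL denies; without it a scanner still
! learns the port is filtered rather than seeing no answer at all.
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 no ip unreachables
 ip access-group FROM-WAN in
 ip inspect FW out
!
! PAT: inside hosts translate to the WAN interface address
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Port forward for the one published service (assumed inside host)
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet4 80
!
! Inspection: CBAC inserts temporary entries ahead of FROM-WAN for return
! traffic of sessions opened from inside, so FROM-WAN itself needs no
! "permit ... established" and no source-port-53 hole for DNS.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound ACL on the WAN: only the forwarded service is reachable,
! everything unsolicited is dropped (the "stealth" part).
ip access-list extended FROM-WAN
 remark if the WAN address comes from DHCP, add:
 remark   permit udp any eq bootps any eq bootps
 permit tcp any host 203.0.113.10 eq 80
 deny ip any any
!
! Keep management off the WAN: SSH only, only from the LAN
ip access-list standard MGMT
 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
```

    After applying it, open a web page from an inside host and check `show ip inspect sessions` for the dynamic entry and `show access-lists FROM-WAN` for hit counts on the deny line; if inside users lose internet access, the usual cause is the inspect rule being attached to the wrong interface or direction, not the ACL.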

    Author Comment

    OK, a couple of things:

    Which interface are you referring to in each of the "interface fastethernet x" statements? For this router, #4 is the WAN port and #0-3 are the local ports. Also, "access-group" does not seem to be a valid command, or at least I couldn't find it.

    Expert Comment

    The interface will be your WAN port.  I just used fastethernet x as an example.

    ip access-group should be valid under the interface configuration.

    Here is the configuration info from Cisco


    Author Closing Comment

    I apologize for the delay. I got sidetracked with other projects. I ended up doing something a little different, but that certainly helped. Thanks.
