

Configuring Cisco 871w router for NAT/firewall

Posted on 2008-11-12
Medium Priority
Last Modified: 2012-08-13
I'm setting up a new Cisco 871w router. So far I've configured it so that NAT is set up so that clients can access the internet. This is working. I would like to put this router into "stealth" mode, so to speak, so that it does not respond to ports on the outside interface (except for any that I may open and forward). Right now it either responds closed or has various ports open (including SSH). I've tried enabling the firewall and it does successfully lock down the router from the outside, but it has the side effect of completely blocking all traffic. Inside users can no longer access the internet, despite what the documentation says.

At the moment I've been configuring this via SDM, which perhaps is my first mistake. I'm not familiar enough with the IOS yet, but I'm learning as fast as I can.

I'm guessing either the ACLs aren't right, the firewall settings are not right after SDM creates it, or the NAT is not set up correctly (although it seems to work). Since this is a new setup, there is nothing that can't be changed. Any help would be appreciated.
Question by:Melange

Accepted Solution

th3w01f earned 1200 total points
ID: 22943065
Here is a very basic setup for CBAC.  You may be missing the inspect statements.

ip access-list extended firewall
 permit udp any eq domain any
 permit udp any eq bootps any eq bootps
 deny ip any any log

interface fastethernet x
 ip access-group firewall in

! icmp inspection is needed if you want to ping outside of the 871
ip inspect name firewall icmp
ip inspect name firewall tcp
ip inspect name firewall udp

interface fastethernet x
 ip inspect firewall out

Author Comment

ID: 22943453
OK, a couple of things:

Which interface are you referring to in each of the "interface fastethernet x" statements? For this router, #4 is the WAN port and #0-3 are the local ports. Also, "access-group" does not seem to be a valid command, or at least I couldn't find it.

Expert Comment

ID: 22943625
The interface will be your WAN port.  I just used fastethernet x as an example.

ip access-group should be valid under the interface configuration.

Here is the configuration info from Cisco http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1001176
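
An added example, not part of the original thread and not Cisco tooling: a small Python check for the symptom described in the question, where an inbound ACL is applied on the WAN interface but no CBAC inspection rule is applied outbound, so replies to inside users hit the deny. The sample configs are constructed, assume "show running-config" style indentation and FastEthernet4 as the WAN port, and audit_cbac is a hypothetical helper name.

```python
import re

# Constructed sample configs (not from the thread), indented as in
# "show running-config". FastEthernet4 is the WAN port per the asker.
ACL_ONLY = """\
ip access-list extended firewall
 permit udp any eq domain any
 deny ip any any log
interface FastEthernet4
 ip access-group firewall in
"""
WITH_CBAC = ACL_ONLY + """\
 ip inspect firewall out
ip inspect name firewall icmp
ip inspect name firewall tcp
ip inspect name firewall udp
"""

def audit_cbac(config):
    """Flag interfaces with an inbound ACL but no usable outbound CBAC rule."""
    rules = {}     # inspection rule name -> protocols it inspects
    ifaces = {}    # interface name -> {"acl": ..., "inspect": ...}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level line starts a new section
            m = re.match(r"interface\s+(\S+)", line, re.I)
            current = m.group(1) if m else None
        m = re.match(r"ip inspect name (\S+) (\S+)", line, re.I)
        if m:
            rules.setdefault(m.group(1), set()).add(m.group(2).lower())
        if current:
            entry = ifaces.setdefault(current, {})
            m = re.match(r"ip access-group (\S+) in$", line, re.I)
            if m:
                entry["acl"] = m.group(1)
            m = re.match(r"ip inspect (\S+) out$", line, re.I)
            if m:
                entry["inspect"] = m.group(1)
    findings = []
    for name, entry in ifaces.items():
        if "acl" not in entry:
            continue
        rule = entry.get("inspect")
        missing = {"tcp", "udp"} - rules.get(rule, set())
        if rule is None:
            findings.append(f"{name}: ACL {entry['acl']} in, no 'ip inspect <name> out'")
        elif missing:
            findings.append(f"{name}: rule {rule} does not inspect {sorted(missing)}")
    return findings

if __name__ == "__main__":
    print(audit_cbac(ACL_ONLY), audit_cbac(WITH_CBAC))
```

The check treats any inbound ACL as restrictive, so an ACL that explicitly permits all traffic would be reported as well.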


Author Closing Comment

ID: 31516051
I apologize for the delay. I got sidetracked with other projects. I ended up doing something a little different, but that certainly helped. Thanks.
