Configuring Cisco 871w router for NAT/firewall

I'm setting up a new Cisco 871w router. So far I've configured it so that NAT is set up so that clients can access the internet. This is working. I would like to put this router into "stealth" mode, so to speak, so that it does not respond to ports on the outside interface (except for any that I may open and forward). Right now it either responds closed or has various ports open (including SSH). I've tried enabling the firewall and it does successfully lock down the router from the outside, but it has the side effect of completely blocking all traffic. Inside users can no longer access the internet, despite what the documentation says.

At the moment I've been configuring this via SDM, which perhaps is my first mistake. I'm not familiar enough with the IOS yet, but I'm learning as fast as I can.

I'm guessing either the ACLs aren't right, the firewall settings are not right after SDM creates it, or the NAT is not set up correctly (although it seems to work). Since this is a new setup, there is nothing that can't be changed. Any help would be appreciated.
Melange asked:
th3w01f commented:
Here is a very basic setup for CBAC. You may be missing the inspect statements.

ip access-list extended firewall
 permit udp any eq domain any
 permit udp any eq bootps any eq bootps
 deny ip any any log
!
! icmp inspection is needed if you want to ping outside from the 871
ip inspect name firewall icmp
ip inspect name firewall tcp
ip inspect name firewall udp
!
interface fastethernet x
 ip access-group firewall in
 ip inspect firewall out
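A fuller 871w configuration that puts the pieces of the answer above together, as an added example rather than the poster's own config. It assumes FastEthernet4 is the WAN port taking its address by DHCP, the four switch ports sit in Vlan1 as the LAN (192.168.1.0/24), and 192.168.1.10 is a constructed address for an optional inside web host; the names CBAC, WAN-IN, NAT-INSIDE and MGMT are chosen here.

```cisco
! Constructed example: FastEthernet4 = WAN (DHCP from ISP), Vlan1 = LAN 192.168.1.0/24.
! Inside users reach the Internet through NAT overload; CBAC opens the return
! path dynamically, so the inbound WAN ACL can stay closed by default.
!
! Sessions CBAC tracks as they leave the WAN port. Their return packets are
! admitted through WAN-IN below without any static permit.
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
! Hosts eligible for translation (the LAN).
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
!
! Inbound filter on the WAN port. Anything not tied to an inspected session is
! dropped and logged, so unsolicited probes (SSH included) get no answer.
ip access-list extended WAN-IN
 remark DHCP offers/acks for the WAN address (server port 67 to client port 68)
 permit udp any eq bootps any eq bootpc
 remark optional forwarded service: TCP/80 to the inside web host (static NAT below)
 permit tcp any any eq www
 deny ip any any log
!
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet4
 description WAN
 ip address dhcp
 ip nat outside
 ip access-group WAN-IN in
 ip inspect CBAC out
!
! Port-address translation for outbound sessions.
ip nat inside source list NAT-INSIDE interface FastEthernet4 overload
! Optional static forward of TCP/80 to the constructed inside host.
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet4 80
!
! Keep management off the WAN side: VTY access only from the LAN, SSH only.
ip access-list standard MGMT
 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
```

Verify with `show ip inspect sessions` while an inside host browses, and `show access-lists WAN-IN` to confirm the deny line is counting dropped probes.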
Melange (author) commented:
OK, a couple of things:

Which interface are you referring to in each of the "interface fastethernet x" statements? For this router, #4 is the WAN port and #0-3 are the local ports. Also, "access-group" does not seem to be a valid command, or at least I couldn't find it.
th3w01f commented:
The interface will be your WAN port. I just used fastethernet x as an example.

ip access-group should be valid under the interface configuration.

Here is the configuration info from Cisco http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1001176
Melange (author) commented:
I apologize for the delay. I got sidetracked with other projects. I ended up doing something a little different, but that certainly helped. Thanks.
Question has a verified solution.