Configuring Cisco 871w router for NAT/firewall

I'm setting up a new Cisco 871w router. So far I've configured it so that NAT is set up so that clients can access the internet. This is working. I would like to put this router into "stealth" mode, so to speak, so that it does not respond to ports on the outside interface (except for any that I may open and forward). Right now it either responds closed or has various ports open (including SSH). I've tried enabling the firewall and it does successfully lock down the router from the outside, but it has the side effect of completely blocking all traffic. Inside users can no longer access the internet, despite what the documentation says.

At the moment I've been configuring this via SDM, which perhaps is my first mistake. I'm not familiar enough with the IOS yet, but I'm learning as fast as I can.

I'm guessing either the ACLs aren't right, the firewall settings are not right after SDM creates it, or the NAT is not set up correctly (although it seems to work). Since this is a new setup, there is nothing that can't be changed. Any help would be appreciated.
Melange asked:

th3w01f commented:
Here is a very basic setup for CBAC. You may be missing the inspect statements.

ip access-list extended firewall
 ! router's own DNS lookups are not inspected, so their replies need an explicit permit
 permit udp any eq domain any
 ! DHCP offers/acks to the WAN interface's own DHCP client arrive on bootpc (68)
 permit udp any eq bootps any eq bootpc
 deny ip any any log
!
interface fastethernet x
 ip access-group firewall in
!
ip inspect name firewall tcp
ip inspect name firewall udp
! icmp inspection is needed if you want to ping outside of the 871
ip inspect name firewall icmp
!
interface fastethernet x
 ip inspect firewall out

Melange (author) commented:
OK, a couple of things:

Which interface are you referring to in each of the "interface fastethernet x" statements? For this router, #4 is the WAN port and #0-3 are the local ports. Also, "access-group" does not seem to be a valid command, or at least I couldn't find it.
th3w01f commented:
The interface will be your WAN port. I just used fastethernet x as an example.

ip access-group should be valid under the interface configuration.

Here is the configuration info from Cisco http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1001176


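The two comments above only show fragments, and the symptom in the question (firewall on, nothing gets out) is the classic result of putting an ACL inbound on the WAN port without a matching inspect rule in the outbound direction, so every reply to an inside host is dropped. The following is an added example of a complete NAT-plus-CBAC configuration for an 871W; it is not the poster's configuration nor th3w01f's. It assumes FastEthernet4 is the WAN port taking its address by DHCP, that the four LAN switchports live in Vlan1 on 192.168.1.0/24, and that the names FW, WAN-IN and access-list 1 are free to use.

```cisco
! Added example, not from the original thread. Assumed addressing: LAN 192.168.1.0/24 on Vlan1,
! WAN on FastEthernet4 via DHCP. Names FW, WAN-IN and access-list 1 are arbitrary.
!
! 1. Inspection rules: CBAC watches sessions leaving the WAN port and opens
!    matching return holes in the inbound ACL for as long as the session lives.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! 2. Inbound WAN ACL: nothing unsolicited is allowed. Only the ISP's DHCP replies
!    to the router's own DHCP client (port 68) need a static permit, because
!    traffic that originates from the router itself is not covered by inspection.
ip access-list extended WAN-IN
 remark DHCP replies for the WAN interface's own address
 permit udp any eq bootps any eq bootpc
 remark everything else unsolicited from the outside is dropped and logged
 deny ip any any log
!
! 3. NAT: inside hosts matching access-list 1 share the WAN address (PAT).
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
!
interface Vlan1
 description LAN (switchports FastEthernet0-3)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet4
 description WAN
 ip address dhcp
 ip nat outside
 ip access-group WAN-IN in
 ip inspect FW out
 ! do not answer dropped packets with ICMP administratively-prohibited;
 ! combined with the deny above, a scan sees only timeouts, not "closed"
 no ip unreachables
 no cdp enable
!
! 4. Management plane: SSH is reachable from the LAN only, never via the WAN ACL.
line vty 0 4
 access-class 1 in
 transport input ssh
```

Two things to check after applying it: `show ip inspect sessions` should list entries while an inside host is browsing, and `show access-lists WAN-IN` should show the deny counter climbing on outside scans while inside traffic still flows. If the router itself must resolve names (`ip name-server`) or you ping from the router's console, those replies originate from the router and are not inspected on classic CBAC, so they need explicit permits in WAN-IN (that is what the `permit udp any eq domain any` line in the earlier answer is for); tightening that to the specific DNS server address is preferable to permitting any source port 53. Any service you later want reachable from the outside gets a `permit` line in WAN-IN plus an `ip nat inside source static` entry; until then the router stays silent on every port.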
Melange (author) commented:
I apologize for the delay. I got sidetracked with other projects. I ended up doing something a little different, but that certainly helped. Thanks.