Cisco 851 Router - need help with access-lists for firewall

Posted on 2009-02-10
Last Modified: 2013-11-16
Hello all,

I recommended the purchase of a Cisco 851 router for a home network but have had no luck in implementing it. The requirements are simple:

1) The 851 needs to route traffic to the internet through a cable modem
2) The 851 should provide basic firewall features (i.e. only allow connections that initiate from the private network)
3) The 851 should act as a DHCP server for the private network and pass on the DHCP data it receives on the external interface to the internal clients

Basically it should act as a replacement for a faulty Linksys firewall/router. Being familiar with IOS but not an expert on it, I tried configuring the 851 firewall features through the GUI but found out the hard way that this will not work on this unit with version 12.4 of IOS.

So on I went to the cli and followed examples in the configuration guide as well as some I found on the forums like this one. My problem is that I think I have my access-lists screwy. Last night I was able to get internet access through the router from my PCs without a problem, only all connections originating from the outside were being allowed. That is, I could see that http access to my router was available on the external interface. I realized I needed a deny line in my access-lists but every time I add it, no one from the private network can get anywhere. They can ping the router, I can ssh to the router, but the connections either don't make it past the router or they can't get back in, I can't tell which.

I've attached the current router config, but below are the significant parts I believe. Any and all help is very much appreciated.

interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
interface Vlan1
 ip address
 ip access-group 102 in
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host any
access-list 100 permit ip any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host any
access-list 101 permit ip any
access-list 102 permit tcp any
access-list 102 permit udp any
access-list 102 permit icmp any
access-list 102 deny ip any any log
access-list 105 permit icmp any any
access-list 105 deny ip any any log
Question by:izgoblin
    Accepted Solution

    Add this:

    interface FastEthernet4
    ip inspect firewall out
    Expert Comment

    Add this as well for DNS traffic:

    conf t
    ip inspect name firewall udp

    Author Comment

    ip inspect firewall out <--  Yup, that did it.   Thanks!    Makes perfect sense to me now.    I suppose it can't allow traffic in based on protocol if it isn't doing ip inspection.  :)

    Expert Comment

    Yes, correct.  It needs to inspect it outbound to allow the return.
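
To make the accepted answer concrete, here is an added Python model (not the router's code and not from the thread) of how access-list 105 on FastEthernet4 and CBAC inspection combine: without "ip inspect firewall out" a reply to an outbound TCP or UDP session hits the deny line of the ACL, and with it present (plus udp in the inspect rule set, as the second comment adds) the reply is admitted. The addresses and the inspected protocol sets are constructed assumptions.

```python
from collections import namedtuple
# Constructed model (not the router's code) of the two filters in the thread:
# access-list 105 applied "in" on FastEthernet4, and CBAC ("ip inspect") that
# opens temporary holes in that ACL for replies to sessions it saw going out.
Packet = namedtuple("Packet", "proto src sport dst dport")

# access-list 105 permit icmp any any / access-list 105 deny ip any any log
ACL_105 = [("permit", "icmp"), ("deny", "ip")]

def acl_permits(acl, pkt):
    """First matching entry wins; 'ip' matches any protocol; implicit deny at the end."""
    for action, proto in acl:
        if proto in ("ip", pkt.proto):
            return action == "permit"
    return False

class Cbac:
    """Minimal stateful inspection: remember outbound sessions, admit their replies."""
    def __init__(self, inspect_out, inspected_protos):
        self.inspect_out = inspect_out          # "ip inspect firewall out" on Fa4?
        self.inspected = set(inspected_protos)  # protocols in "ip inspect name firewall ..."
        self.sessions = set()

    def outbound(self, pkt):
        # Without inspection on the outbound path nothing is recorded, so the
        # reply is later judged by ACL 105 alone.
        if self.inspect_out and pkt.proto in self.inspected:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allowed(self, pkt):
        # A reply to a recorded session matches the dynamic opening; otherwise
        # the static ACL decides (and its deny-any catches TCP/UDP replies).
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True
        return acl_permits(ACL_105, pkt)

# 203.0.113.10 stands for the DHCP-assigned WAN address (post-NAT source);
# 198.51.100.x are constructed external hosts.
WAN = "203.0.113.10"
def http_reply_allowed(inspect_out, inspected=("tcp",)):
    """Does the SYN-ACK to an outbound HTTP request make it back in?"""
    fw = Cbac(inspect_out, inspected)
    fw.outbound(Packet("tcp", WAN, 50000, "198.51.100.20", 80))
    return fw.inbound_allowed(Packet("tcp", "198.51.100.20", 80, WAN, 50000))

def dns_reply_allowed(inspected):
    """Same check for a UDP DNS query; needs udp in the inspect rule set."""
    fw = Cbac(True, inspected)
    fw.outbound(Packet("udp", WAN, 40000, "198.51.100.53", 53))
    return fw.inbound_allowed(Packet("udp", "198.51.100.53", 53, WAN, 40000))
```

Unsolicited inbound ICMP still passes the static permit in ACL 105 in this model, which matches the author's observation that pinging the router kept working while TCP sessions failed.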
