Cisco 851 Router - need help with access-lists for firewall

Posted on 2009-02-10
Medium Priority
Last Modified: 2013-11-16
Hello all,

I recommended the purchase of a Cisco 851 router for a home network but have had no luck in implementing it.   The requirements are simple:

1) The 851 needs to route traffic to the internet through a cable modem
2) The 851 should provide basic firewall features (i.e. only allow connections that initiate from the private network)
3) The 851 should act as a DHCP server for the private network and pass on the DHCP data it receives on the external interface to the internal clients

Basically it should act as a replacement for a faulty Linksys firewall/router.   Being familiar with IOS but not an expert on it, I tried configuring the 851 firewall features through the GUI but found out the hard way that this will not work on this unit with version 12.4 of IOS.  

So on I went to the cli and followed examples in the configuration guide as well as some I found on the forums like this one.   My problem is that I think I have my access-lists screwy.    Last night I was able to get internet access through the router from my PCs without a problem, only all connections originating from the outside were being allowed.   That is, I could see that http access to my router was available on the external interface.    I realized I needed a deny line in my access-lists but every time I add it, no one from the private network can get anywhere.   They can ping the router, I can ssh to the router, but the connections either don't make it past the router or they can't get back in, I can't tell which.

I've attached the current router config, but below are the significant parts I believe.    Any and all help is very much appreciated.  

interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
interface Vlan1
 ip address
 ip access-group 102 in
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host any
access-list 100 permit ip any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host any
access-list 101 permit ip any
access-list 102 permit tcp any
access-list 102 permit udp any
access-list 102 permit icmp any
access-list 102 deny ip any any log
access-list 105 permit icmp any any
access-list 105 deny ip any any log
Question by:izgoblin
  • 3
LVL 43

Accepted Solution

JFrederick29 earned 2000 total points
ID: 23604889
Add this:

interface FastEthernet4
ip inspect firewall out
LVL 43

Expert Comment

ID: 23605196
Add this as well for DNS traffic:

conf t
ip inspect name firewall udp

Author Comment

ID: 23610957
ip inspect firewall out <--  Yup, that did it.   Thanks!    Makes perfect sense to me now.    I suppose it can't allow traffic in based on protocol if it isn't doing ip inspection.  :)

LVL 43

Expert Comment

ID: 23610976
Yes, correct.  It needs to inpsect it outbound to allow the return.

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

755 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question