fabiolr
asked on
Creating ACLs/Firewall for Cisco 2801 with NAT and ISP+DHCP in complex set-up.
Hello, Experts.
I have a 2-site network that is a bit complicated and I need to set up its security. I used to have fixed IP links, but we moved to cheaper Cable internet service and I am lost on the security ACLs and/or firewall rules.
This is the setup:
Site 1, router "jk28":
Cable Modem connected to FastEthernet 0/1, DHCP for public IP.
Vlan 1, 192.168.1.x - Access for Site 1 (FastEthernet0/0.1)
Vlan 2 192.168.2.x - Cisco Voice for Site 1 (FastEthernet0/0.5)
Vlan 3 192.168.0.x - servers for site 1 (FastEthernet0/0.3)
Vlan 6 - 192.168.3.x - Link Vlan to site 2 (FastEthernet0/0.2)
There is a point-to-point link to site 2, 2 miles away, delivered with ethernet from the operator. It is transparent.
Site 2, router "nine":
Cable Modem connected to FastEthernet 0/1, DHCP for public IP *
Vlan 5, 192.168.4.x - Cisco Voice for site 2 (FastEthernet0/1.1)
Vlan 4, 192.168.5.x - Access for site 1 (FastEthernet0/1.2)
Vlan 6 - 192.168.3.x - Link Vlan to site 1
* (I use the two different internet services for redundancy, having one site use the other's in case one goes down. I do it manually by changing the default routes. It works.)
OK, so there is no security anymore; I deleted the original ACLs because they were related to the old fixed IPs. Now, since the public IP changes due to it being served by the ISP's DHCP, I cannot figure out how to correctly set the basic security ACLs.
Of course I use NAT overloaded for everyone.
Currently everything works fine and anyone can browse the web and all.
I want to:
- Avoid the common attacks, spoofing, etc.
- Allow external access to a webcam (80) and some other services. A client inside already posts to DynDNS.
- Allow connections from both sites to both internet links.
- Consider if I should be worried about the WAN site-to-site link. It has a private IP, but should I filter its traffic? Could it be intercepted?
- Use the router's firewall? How?
Thanks in advance for the help. I will post the relevant configs.
PS Both routers have the best security IOS:
jk28#sh ver
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
nine#sh ver
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
********** SITE 1: *****************
interface FastEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0.1
description $FW_INSIDE$
encapsulation dot1Q 1 native
ip address 192.168.1.254 255.255.255.0
ip helper-address 192.168.0.1
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.2
description $FW_INSIDE$
encapsulation dot1Q 6
ip address 192.168.3.253 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/0.3
description $FW_INSIDE$
encapsulation dot1Q 3
ip address 192.168.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.5
description ** CallManager Express **$FW_INSIDE$
encapsulation dot1Q 2
ip address 192.168.2.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/1
description Virtua Cable Modem
ip dhcp client route track 1
ip dhcp client update dns
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
no ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
no mop enabled
ip route 192.168.4.0 255.255.255.0 192.168.3.254
ip route 192.168.5.0 255.255.255.0 192.168.3.254
ip route 0.0.0.0 0.0.0.0 dhcp
ip nat inside source list 1 interface FastEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
********** SITE 2: *****************
nine#
interface FastEthernet0/0
description Virtua Cable Modem
ip dhcp client route track 1
ip dhcp client update dns
ip address dhcp
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
no ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
snmp trap ip verify drop-rate
no cdp enable
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1.1
encapsulation dot1Q 5
ip address 192.168.4.254 255.255.255.0
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 4 native
ip address 192.168.5.254 255.255.255.0
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/1.3
description Link JK28
encapsulation dot1Q 6
ip address 192.168.3.254 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/1.4
encapsulation dot1Q 7
ip address 192.168.7.254 255.255.255.0
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
no cdp enable
!
ip forward-protocol nd
ip route 192.168.0.0 255.255.255.0 192.168.3.253
ip route 192.168.1.0 255.255.255.0 192.168.3.253
ip route 192.168.2.0 255.255.255.0 192.168.3.253
ip route 192.168.3.0 255.255.255.0 192.168.3.253
ip route 0.0.0.0 0.0.0.0 dhcp
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.5.232 80 interface FastEthernet0/0 8080
ip nat inside source static tcp 192.168.5.229 80 interface FastEthernet0/0 8081
ip nat inside source static tcp 192.168.5.10 22 interface FastEthernet0/0 2222
ip nat inside source static tcp 192.168.5.241 5001 interface FastEthernet0/0 5001
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
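The accepted solution is not visible on this page, so the following is an added example, not the answer given in the thread and not configuration from either router. It shows the usual way to get basic perimeter security on a DHCP-addressed outside interface: nothing in the inbound ACL names the public IP (destination "any" stands for whatever address the ISP leased), and CBAC inspection (`ip inspect`, available on the ADVENTERPRISEK9 12.4(22)T image listed above) opens the return path for inside-initiated sessions so the inbound list can deny everything else. The interface name (FastEthernet0/0 on "nine"), the RFC 1918 networks and the forwarded ports 8080, 8081, 2222 and 5001 are taken from the posted configs; the ACL name FROM_INTERNET and the inspect rule name OUTSIDE_FW are assumptions chosen for the example.

```cisco
! Added example for router "nine" (site 2); not from the thread.
! Names FROM_INTERNET and OUTSIDE_FW are assumptions for this example.
!
! 1. CBAC: sessions leaving through FastEthernet0/0 create temporary
!    openings ahead of the inbound ACL for their return packets, so the
!    static ACL below never has to reference the DHCP-assigned address.
ip inspect name OUTSIDE_FW tcp
ip inspect name OUTSIDE_FW udp
ip inspect name OUTSIDE_FW icmp
!
! 2. Inbound ACL on the cable-modem side. Destination "any" stands for
!    the router's current public IP, whatever the ISP leases.
ip access-list extended FROM_INTERNET
 remark --- anti-spoofing: these sources never legitimately arrive from the ISP
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark --- the router's own DHCP lease and renewals from the ISP server
 permit udp any eq bootps any eq bootpc
 remark --- ICMP needed for path-MTU discovery and basic diagnostics
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark --- published services: the static NAT ports from the posted config
 permit tcp any any eq 8080
 permit tcp any any eq 8081
 permit tcp any any eq 2222
 permit tcp any any eq 5001
 remark --- everything else is dropped and logged for review
 deny   ip any any log
!
! 3. Apply on the outside interface. uRPF is already present on "nine"
!    (ip verify unicast reverse-path); jk28's FastEthernet0/1 lacks it.
interface FastEthernet0/0
 description Virtua Cable Modem
 ip access-group FROM_INTERNET in
 ip inspect OUTSIDE_FW out
 ip verify unicast reverse-path
```

The same pattern applies to jk28 with FastEthernet0/1 as the outside interface and its own list of published ports (none are shown for jk28 in the posted config). Inbound packets on the outside interface are checked against the ACL before the static NAT translation, which is why the permits use the public-side ports (8080, 2222) rather than the inside ports (80, 22). On the site-to-site VLAN 6 link: a carrier-delivered Ethernet circuit carries the traffic in the clear, so if interception is a concern the usual answer is an IPsec tunnel between 192.168.3.253 and 192.168.3.254; also note that the posted configs give that link a /24 mask on jk28 and a /30 on "nine", which is worth reconciling before adding filters there.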
ASKER CERTIFIED SOLUTION
ASKER
Elegant, Quick and Simple solution, thank you!
ASKER
I applied it and it seems to work. I added log to the end of the access-lists so I can monitor it more thoroughly.
All the Best,
Fabio