Solved

Creating ACLs/Firewall for Cisco 2801 with NAT and ISP+DHCP in complex set-up.

Posted on 2009-04-16
Last Modified: 2012-05-06
Hello, Experts.
I have a 2-site network that is a bit complicated and I need to set up its security. I used to have fixed IP links, but we moved to cheaper Cable internet service and I am lost on the security ACLs and/or firewall rules.

This is the setup:

Site 1, router "jk28":
Cable Modem connected to FastEthernet 0/1, DHCP for public IP.
Vlan 1, 192.168.1.x - Access for Site 1 (FastEthernet0/0.1)
Vlan 2 192.168.2.x - Cisco Voice for Site 1 (FastEthernet0/0.5)
Vlan 3 192.168.0.x - servers for site 1 (FastEthernet0/0.3)
Vlan 6 - 192.168.3.x - Link Vlan to site 2 (FastEthernet0/0.2)

There is a point-to-point link to site 2, 2 miles away, delivered with ethernet from the operator. It is transparent.

Site 2, router "nine":
Cable Modem connected to FastEthernet 0/1, DHCP for public IP *
Vlan 5, 192.168.4.x - Cisco Voice for site 2 (FastEthernet0/1.1)
Vlan 4. 192.168.5.x - Access for site 1 (FastEthernet0/1.2)
Vlan 6 - 192.168.3.x - Link Vlan to site 1

* (I use the two different internet services for redundancy, having one site use the other's in case one goes down. I do it manually by changing the default routes. It works.)

OK, so there is no security anymore; I deleted the original ACLs because they were related to the old fixed IPs. Now, since the public IP changes due to it being served by the ISP's DHCP, I cannot figure out how to correctly set the basic security ACLs.

Of course I use NAT overloaded for everyone.
Currently everything works fine and anyone can browse the web and all.

I want to:
- Avoid the common attacks, spoofing, etc.
- Allow external access to a webcam (80) and some other services. A client inside already posts to DynDNS.
- Allow connections from both sites to both internet links.
- Consider if I should be worried about the WAN site-to-site link. It has a private IP, but should I filter its traffic? Could it be intercepted?
- Use the router's Firewall? How?

Thanks in advance for the help. I will post the relevant configs.

PS Both routers have the best security IOS:
jk28#sh ver
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)

nine#sh ver
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
**********        SITE  1:      *****************
 
 
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0.1
 description $FW_INSIDE$
 encapsulation dot1Q 1 native
 ip address 192.168.1.254 255.255.255.0
 ip helper-address 192.168.0.1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.2
 description $FW_INSIDE$
 encapsulation dot1Q 6
 ip address 192.168.3.253 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/0.3
 description $FW_INSIDE$
 encapsulation dot1Q 3
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.5
 description ** CallManager Express **$FW_INSIDE$
 encapsulation dot1Q 2
 ip address 192.168.2.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1
 description Virtua Cable Modem
 ip dhcp client route track 1
 ip dhcp client update dns
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 no ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 
 
ip route 192.168.4.0 255.255.255.0 192.168.3.254
ip route 192.168.5.0 255.255.255.0 192.168.3.254
ip route 0.0.0.0 0.0.0.0 dhcp
 
ip nat inside source list 1 interface FastEthernet0/1 overload
 
 
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
 
 
**********        SITE  2:      *****************
nine#
interface FastEthernet0/0
 description Virtua Cable Modem
 ip dhcp client route track 1
 ip dhcp client update dns
 ip address dhcp
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 no ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 snmp trap ip verify drop-rate
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1.1
 encapsulation dot1Q 5
 ip address 192.168.4.254 255.255.255.0
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.2
 encapsulation dot1Q 4 native
 ip address 192.168.5.254 255.255.255.0
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1.3
 description Link JK28
 encapsulation dot1Q 6
 ip address 192.168.3.254 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1.4
 encapsulation dot1Q 7
 ip address 192.168.7.254 255.255.255.0
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
ip forward-protocol nd
ip route 192.168.0.0 255.255.255.0 192.168.3.253
ip route 192.168.1.0 255.255.255.0 192.168.3.253
ip route 192.168.2.0 255.255.255.0 192.168.3.253
ip route 192.168.3.0 255.255.255.0 192.168.3.253
ip route 0.0.0.0 0.0.0.0 dhcp
 
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.5.232 80 interface FastEthernet0/0 8080
ip nat inside source static tcp 192.168.5.229 80 interface FastEthernet0/0 8081
ip nat inside source static tcp 192.168.5.10 22 interface FastEthernet0/0 2222
ip nat inside source static tcp 192.168.5.241 5001 interface FastEthernet0/0 5001
 
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255

Question by:fabiolr
3 Comments
Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 24158636
You can use the IOS Firewall to allow stateful tracking of connections through the router. Inspect outbound on the WAN interfaces of the router. This will allow the return traffic that was initiated from the inside back through the router.

You can also add an access-list inbound on the WAN interfaces that only permits what is needed (DHCP, 80 to the webcam, etc.) and denies everything else.

For example:

Make sure you make these changes from inside the LAN as you could block access to the router externally.

Enable the IOS Firewall to keep track of TCP and UDP connections. This allows the return traffic from inside-initiated connections.

ip inspect name firewall tcp
ip inspect name firewall udp

int fa0/0
ip inspect firewall out

Then, add an access-list that will allow the inbound connections initiated from the Internet.

This access-list allows DHCP (for the router), ICMP replies and external access to your NAT'd servers. It denies everything else.

access-list 150 permit udp any eq bootps any eq bootpc
access-list 150 permit tcp any any eq 8080
access-list 150 permit tcp any any eq 8081
access-list 150 permit tcp any any eq 2222
access-list 150 permit tcp any any eq 5001
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any unreachable
access-list 150 permit icmp any any time-exceeded
access-list 150 deny ip any any

int fa0/0
ip access-group 150 in
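An added example (not from the accepted answer or the poster's configs) that applies the same inspect-plus-inbound-ACL pattern to router "nine", with the anti-spoofing lines the question asked about and the "log" keyword the author mentioned adding later. It assumes the port forwards and the 192.168.x.x VLANs shown in the question, and that jk28 has no static NAT entries.

```cisco
! ---- nine (site 2): WAN is FastEthernet0/0 ----
ip inspect name firewall tcp
ip inspect name firewall udp
!
! Inbound from the Internet. First match wins, so order matters and
! the list ends with an explicit deny. The anti-spoofing lines drop
! packets that claim a private or loopback source; the 192.168.0.0/16
! line covers every VLAN in the question (assumed: no other private
! ranges are in use). "log" sends hits to "show logging".
access-list 150 permit udp any eq bootps any eq bootpc
access-list 150 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny   ip 127.0.0.0 0.255.255.255 any log
! Only the public ports published with "ip nat inside source static";
! the ACL is checked on arrival, before NAT, so the outside port is used.
access-list 150 permit tcp any any eq 8080
access-list 150 permit tcp any any eq 8081
access-list 150 permit tcp any any eq 2222
access-list 150 permit tcp any any eq 5001
! ICMP needed for ping replies, path MTU discovery and traceroute
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any unreachable
access-list 150 permit icmp any any time-exceeded
access-list 150 deny   ip any any log
!
interface FastEthernet0/0
 ip access-group 150 in
 ip inspect firewall out
!
! ---- jk28 (site 1): same list without the four port-forward permits
! (none are configured on jk28), applied to its WAN, FastEthernet0/1:
! interface FastEthernet0/1
!  ip access-group 150 in
!  ip inspect firewall out
```

Because the inspection is tied to the WAN interface, traffic from the other site that leaves through this link during a manual failover is tracked the same way; the site-to-site link VLAN itself is not filtered by either rule. If the cable modem's management page uses a private address, add a permit for it above the 192.168.0.0/16 deny or its replies will be logged and dropped.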

Author Comment

by:fabiolr
ID: 24159464
Thank You JFrederick29, this is a very elegant and simple solution.

I applied it and it seems to work. I added log to the end of the access-lists so I can monitor it more thoroughly.

All the Best,

Fabio

Author Closing Comment

by:fabiolr
ID: 31570919
Elegant, Quick  and Simple solution, thank you!