Solved

Cisco 1801 ISR router config help

Posted on 2010-09-18
2
830 Views
Last Modified: 2012-08-14
I’d like to set up a DMZ on a Cisco 1801 ISR router, but I’m not sure if that’s even possible. If not, I’d like to at least restrict a certain host to access to the outside only (i.e. it can only talk to the internet, with no access to any other internal hosts).

What would be the best way to go about this?

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ACME
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret *****
enable password *****
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server b.b.b.b
ip name-server a.a.a.a
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip inspect name SDM_HIGH http java-list 10
ip inspect name TAC-FW icmp
ip inspect name TAC-FW dns
ip inspect name TAC-FW esmtp
ip inspect name TAC-FW https
ip inspect name TAC-FW imap reset
ip inspect name TAC-FW pop3 reset
ip inspect name TAC-FW tcp
ip inspect name TAC-FW udp
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action reset alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-2508303165
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2508303165
 revocation-check none
 rsakeypair TP-self-signed-2508303165
!
!
crypto pki certificate chain TP-self-signed-2508303165
 certificate self-signed 01
  quit
username ******
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_HIGH
 class sdm_p2p_gnutella
   drop
 class sdm_p2p_bittorrent
   drop
 class sdm_p2p_edonkey
   drop
 class sdm_p2p_kazaa
   drop
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect TAC-FW out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username ********
 service-policy input sdmappfwp2p_SDM_HIGH
 service-policy output sdmappfwp2p_SDM_HIGH
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any any established
access-list 101 permit udp host a.a.a.a eq domain any
access-list 101 permit udp host b.b.b.b eq domain any
access-list 101 permit udp any host a.a.a.a eq domain
access-list 101 permit udp any host b.b.b.b eq domain
access-list 101 permit tcp host a.a.a.a eq domain any
access-list 101 permit tcp host b.b.b.b eq domain any
access-list 101 permit tcp any host a.a.a.a eq domain
access-list 101 permit tcp any host b.b.b.b eq domain
access-list 101 permit esp any any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip c.c.c.c 0.15.255.255 any
access-list 101 deny   ip d.d.d.d 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 101 deny   ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CWelcome to the **** Network. Any unauthorized access attempt to this system is unlawful, and may be subject to civil and/or criminal penalties.
^C
!
line con 0
 password *******
 login authentication local_authen
line aux 0
 login authentication local_authen
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end


Question by:tballin
2 Comments
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 500 total points
ID: 33710566
Hi,

Only that you need to create a new VLAN for the DMZ:

int vlan 3
 ip address x.x.x.x x.x.x.x
 ip nat inside

interface FastEthernet8
 description DMZ
 switchport access vlan 3

You need to create an ACL and make static NAT for this VLAN.
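A worked version of the accepted answer's "VLAN plus ACL plus static NAT" recipe, added here as an example and not taken from the thread or from Cisco's documentation. It uses the posted config's names (192.168.1.0/24, Dialer0, TAC-FW, access-list 1) and assumes 192.168.3.0/24 for the DMZ VLAN, FastEthernet8 as the DMZ port and 192.168.3.10 as a DMZ web host. The VLAN is needed because an ACL on FastEthernet0 never sees traffic between two hosts on the same 192.168.1.0/24 segment; only traffic that leaves its VLAN crosses the router and can be filtered.

```cisco
! Added example, not from the original thread. Assumptions: 192.168.3.0/24 for
! the DMZ VLAN, FastEthernet8 as the DMZ port, 192.168.3.10 as a DMZ web host.
! 192.168.1.0/24, Dialer0, TAC-FW and access-list 1 come from the posted config.
!
! FastEthernet1-8 on the 1801 are Layer 2 switch ports: the VLAN has to exist
! and the port must be a member, otherwise the host still lands in VLAN 1.
vlan database
 vlan 3 name DMZ
 exit
!
interface FastEthernet8
 description DMZ
 switchport access vlan 3
!
interface Vlan3
 description $DMZ$
 ip address 192.168.3.1 255.255.255.0
 ip access-group 103 in
 ip inspect TAC-FW out
 ip nat inside
 ip virtual-reassembly
!
! ACL 103 is checked on every packet entering the router from the DMZ. The
! inside LAN (which includes the router's 192.168.1.1) is blocked and logged,
! TCP to the router's own DMZ address (ssh/telnet/http) is blocked, everything
! else may leave via NAT. The final deny also catches spoofed source addresses.
! "ip inspect TAC-FW out" on Vlan3 lets sessions that inside hosts open towards
! the DMZ return through this ACL without a blanket "established" permit.
access-list 103 remark DMZ: internet only, no access to inside LAN
access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 103 deny   tcp 192.168.3.0 0.0.0.255 host 192.168.3.1 log
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
access-list 103 deny   ip any any log
!
! Let the DMZ subnet use the existing overload NAT on Dialer0.
access-list 1 permit 192.168.3.0 0.0.0.255
!
! The "static NAT" from the answer: publish one DMZ service on the Dialer0
! address. ACL 101 on Dialer0 must also carry "permit tcp any any eq 443"
! ahead of its closing deny lines, which means rebuilding that numbered ACL.
ip nat inside source static tcp 192.168.3.10 443 interface Dialer0 443
```

After applying it, `show ip access-lists 103` should show hit counts on the two logged deny lines if a DMZ host tries to reach the LAN, and `show ip inspect sessions` should list any inside-to-DMZ sessions the inspect rule opened.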
 

Author Comment

by:tballin
ID: 33734120
Thanks - I'll give this a try and let you know.
