Cisco 1801 ISR router config help

Posted on 2010-09-18
Last Modified: 2012-08-14
I’d like to set up a DMZ on a Cisco 1801 ISR router, but I’m not sure if that’s even possible. If not, I’d like to at least restrict a certain host to accessing the outside only (i.e. it can only talk to the internet, and has no access to any other internal hosts).

What would be the best way to go about this?

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ACME
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret *****
enable password *****
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server b.b.b.b
ip name-server a.a.a.a
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip inspect name SDM_HIGH http java-list 10
ip inspect name TAC-FW icmp
ip inspect name TAC-FW dns
ip inspect name TAC-FW esmtp
ip inspect name TAC-FW https
ip inspect name TAC-FW imap reset
ip inspect name TAC-FW pop3 reset
ip inspect name TAC-FW tcp
ip inspect name TAC-FW udp
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action reset alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-2508303165
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2508303165
 revocation-check none
 rsakeypair TP-self-signed-2508303165
!
!
crypto pki certificate chain TP-self-signed-2508303165
 certificate self-signed 01
  3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32353038 33303331 3635301E 170D3039 30343239 32323138
  30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35303833
  30333136 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E5B0 C96BD419 1A9E5A5A 48C17E94 A35D004A 73E97864 C1E790DA 81B7CC05
  9C6822B5 9FA0BCE0 E274A992 79E1C47A C16C6053 A25C84B4 2854D9AA 14121760
  7997025D 9173CB64 DADCF71D E1974114 EE23146B 8071405A 4A6A3604 0A5FB88D
  2072F758 B4A1D853 35FAA2C2 8AF17F9D 02DCA3EC 4445B520 F963119E 0B2B3811
  038B0203 010001A3 65306330 0F060355 1D130101 FF040530 030101FF 30100603
  551D1104 09300782 054A4A45 5231301F 0603551D 23041830 16801478 07672762
  D5028DE6 3EA457D3 C73B3122 BFA12430 1D060355 1D0E0416 04147807 672762D5
  028DE63E A457D3C7 3B3122BF A124300D 06092A86 4886F70D 01010405 00038181
  00C53990 BCBE932B 58A884FD 8608B2A2 3263A55A DBBBA7DD F631BFF8 F3828CE3
  F5ED8AD6 92259D1B A69512BB 8B852157 D5B74C05 42ABD49C 8823DDAB EC730209
  A07148F6 AE970FD2 DE5C961E EC7B4421 FF29295F 45B48874 1153A833 A48AE70A
  1FBA7D39 0ED2CD58 ADEC0E34 E616584B C7EBC17E 3334F16B CF847F6C AEA141BA 2D
  quit
username ******
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_HIGH
 class sdm_p2p_gnutella
   drop
 class sdm_p2p_bittorrent
   drop
 class sdm_p2p_edonkey
   drop
 class sdm_p2p_kazaa
   drop
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect TAC-FW out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username ********
 service-policy input sdmappfwp2p_SDM_HIGH
 service-policy output sdmappfwp2p_SDM_HIGH
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any any established
access-list 101 permit udp host a.a.a.a eq domain any
access-list 101 permit udp host b.b.b.b eq domain any
access-list 101 permit udp any host a.a.a.a eq domain
access-list 101 permit udp any host b.b.b.b eq domain
access-list 101 permit tcp host a.a.a.a eq domain any
access-list 101 permit tcp host b.b.b.b eq domain any
access-list 101 permit tcp any host a.a.a.a eq domain
access-list 101 permit tcp any host b.b.b.b eq domain
access-list 101 permit esp any any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip c.c.c.c 0.15.255.255 any
access-list 101 deny   ip d.d.d.d 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 101 deny   ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CWelcome to the **** Network. Any unauthorized access attempt to this system is unlawful
, and may be subject to civil and/or criminal penalties.
 ^C
!
line con 0
 password *******
 login authentication local_authen
line aux 0
 login authentication local_authen
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end

Question by: tballin

Accepted Solution
by: Istvan Kalmar (earned 500 total points)
Hi,

You only need to create a new VLAN for the DMZ:

int vlan 3
 ip add x.x.x.x x.x.x.x
 ip nat ins

interface FastEthernet8
 description DMZ
 ! assign the switch port to the DMZ VLAN
 switchport access vlan 3

You need to create an ACL and make static NAT for this VLAN.
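As an added example (not part of Istvan Kalmar's answer), here is how the VLAN, the ACL and the static NAT fit into the posted config; the 192.168.3.0/24 DMZ addressing, the 192.168.3.10 server and the HTTPS service are assumptions.

```cisco
! Added example, not from the original answer. Assumed addresses:
! DMZ subnet 192.168.3.0/24 on VLAN 3, DMZ server 192.168.3.10,
! LAN stays 192.168.1.0/24 on FastEthernet0 as in the posted config.
!
! 1. Routed interface for the DMZ (the 1801's FE1-8 are switch ports,
!    so the IP lives on the SVI). Same hardening as FastEthernet0.
interface Vlan3
 description DMZ
 ip address 192.168.3.1 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
! 2. Put one switch port into the DMZ VLAN
interface FastEthernet8
 description DMZ
 switchport access vlan 3
!
! 3. Filter on traffic entering from the DMZ: block the LAN (which
!    includes the router's 192.168.1.1), then allow everything else,
!    i.e. the Internet. Denied hits are logged for detection.
access-list 103 remark DMZ -> Internet only
access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
access-list 103 deny   ip any any log
!
! 4. Let the DMZ use the existing PAT ('ip nat inside source list 1
!    interface Dialer0 overload'); numbered ACL lines append, which is
!    fine here because ACL 1 contains no deny line.
access-list 1 permit 192.168.3.0 0.0.0.255
!
! 5. Publish one service (HTTPS) on the DMZ server through the
!    negotiated Dialer0 address.
ip nat inside source static tcp 192.168.3.10 443 interface Dialer0 443
!
! 6. The inbound ACL 101 on Dialer0 is evaluated before NAT and ends in
!    'deny ip any any', so the permit must be inserted above the denies
!    with a sequence number rather than appended with 'access-list 101'.
ip access-list extended 101
 15 permit tcp any any eq 443
!
! Outbound DMZ sessions leave via Dialer0 and are already tracked by
! 'ip inspect TAC-FW out', so no extra inspect rule is required.
```

An ACL on FastEthernet0 cannot isolate a single LAN host from its neighbours, because traffic between hosts on the same 192.168.1.0/24 segment never crosses the router; the host has to be moved onto its own VLAN (the DMZ) before the router can filter it.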
 

Author Comment
by: tballin
Thanks - I'll give this a try and let you know.
