Cisco 1801 ISR router config help
Asked by tballin
I’d like to set up a DMZ on a Cisco 1801 ISR router, but I’m not sure if that’s even possible. If not, I’d like to at least restrict a certain host to accessing the outside only (i.e. it can only talk to the internet and has no access to any other internal hosts).
What would be the best way to go about this?
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ACME
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret *****
enable password *****
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server b.b.b.b
ip name-server a.a.a.a
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip inspect name SDM_HIGH http java-list 10
ip inspect name TAC-FW icmp
ip inspect name TAC-FW dns
ip inspect name TAC-FW esmtp
ip inspect name TAC-FW https
ip inspect name TAC-FW imap reset
ip inspect name TAC-FW pop3 reset
ip inspect name TAC-FW tcp
ip inspect name TAC-FW udp
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action reset alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-2508303165
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2508303165
 revocation-check none
 rsakeypair TP-self-signed-2508303165
!
!
crypto pki certificate chain TP-self-signed-2508303165
certificate self-signed 01
3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353038 33303331 3635301E 170D3039 30343239 32323138
30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35303833
30333136 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E5B0 C96BD419 1A9E5A5A 48C17E94 A35D004A 73E97864 C1E790DA 81B7CC05
9C6822B5 9FA0BCE0 E274A992 79E1C47A C16C6053 A25C84B4 2854D9AA 14121760
7997025D 9173CB64 DADCF71D E1974114 EE23146B 8071405A 4A6A3604 0A5FB88D
2072F758 B4A1D853 35FAA2C2 8AF17F9D 02DCA3EC 4445B520 F963119E 0B2B3811
038B0203 010001A3 65306330 0F060355 1D130101 FF040530 030101FF 30100603
551D1104 09300782 054A4A45 5231301F 0603551D 23041830 16801478 07672762
D5028DE6 3EA457D3 C73B3122 BFA12430 1D060355 1D0E0416 04147807 672762D5
028DE63E A457D3C7 3B3122BF A124300D 06092A86 4886F70D 01010405 00038181
00C53990 BCBE932B 58A884FD 8608B2A2 3263A55A DBBBA7DD F631BFF8 F3828CE3
F5ED8AD6 92259D1B A69512BB 8B852157 D5B74C05 42ABD49C 8823DDAB EC730209
A07148F6 AE970FD2 DE5C961E EC7B4421 FF29295F 45B48874 1153A833 A48AE70A
1FBA7D39 0ED2CD58 ADEC0E34 E616584B C7EBC17E 3334F16B CF847F6C AEA141BA 2D
quit
username ******
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_HIGH
 class sdm_p2p_gnutella
  drop
 class sdm_p2p_bittorrent
  drop
 class sdm_p2p_edonkey
  drop
 class sdm_p2p_kazaa
  drop
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect TAC-FW out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username ********
 service-policy input sdmappfwp2p_SDM_HIGH
 service-policy output sdmappfwp2p_SDM_HIGH
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any any established
access-list 101 permit udp host a.a.a.a eq domain any
access-list 101 permit udp host b.b.b.b eq domain any
access-list 101 permit udp any host a.a.a.a eq domain
access-list 101 permit udp any host b.b.b.b eq domain
access-list 101 permit tcp host a.a.a.a eq domain any
access-list 101 permit tcp host b.b.b.b eq domain any
access-list 101 permit tcp any host a.a.a.a eq domain
access-list 101 permit tcp any host b.b.b.b eq domain
access-list 101 permit esp any any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip c.c.c.c 0.15.255.255 any
access-list 101 deny ip d.d.d.d 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 deny ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CWelcome to the **** Network. Any unauthorized access attempt to this system is unlawful, and may be subject to civil and/or criminal penalties.
^C
!
line con 0
 password *******
 login authentication local_authen
line aux 0
 login authentication local_authen
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
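One way to get the isolation the question asks for, as an added example that is not from the original post or from the accepted answer. It assumes the DMZ host is 192.168.2.10 on a new 192.168.2.0/24 segment behind the 1801's switch ports (interface Vlan1, which has no address in the posted config); interface names, access-lists 1 and 101 and the TAC-FW inspection rule are taken from the posted config, while access-list 120 and the 192.168.2.x addresses are assumptions.

```cisco
! Added example, not from the original post or the accepted answer.
! Assumptions: the DMZ host is 192.168.2.10, plugged into one of the
! 1801's switch ports FastEthernet1-8 (all in VLAN 1 by default);
! Vlan1 has no address in the posted config, so it becomes the DMZ
! interface. The LAN on FastEthernet0 (192.168.1.0/24) is untouched.
!
! 1. Separate layer-3 segment. Traffic between two hosts on the same
!    subnet never crosses the router, so an ACL on FastEthernet0 alone
!    cannot isolate a host that stays inside 192.168.1.0/24.
interface Vlan1
 description DMZ
 ip address 192.168.2.1 255.255.255.0
 ip access-group 120 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
! 2. Policy for packets arriving from the DMZ: block the inside LAN
!    (listed first so it gets its own hit counter), then every other
!    private range (this also covers the router's own addresses, so the
!    host cannot reach the router's HTTP server or telnet/ssh; inbound
!    ACLs do filter packets addressed to the router itself), then permit
!    the rest, i.e. the internet. The implicit deny drops spoofed sources.
access-list 120 remark DMZ: internet only, no access to internal hosts
access-list 120 deny   ip any 192.168.1.0 0.0.0.255 log
access-list 120 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 120 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 120 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
!
! 3. Add the DMZ subnet to the PAT source list already used on Dialer0
!    (access-list 1; it has no explicit deny, so appending is safe).
access-list 1 permit 192.168.2.0 0.0.0.255
!
! Return traffic needs nothing new: "ip inspect TAC-FW out" on Dialer0
! inspects every flow leaving the WAN and opens the matching holes in
! access-list 101 for the replies. Connections initiated from the
! internet toward the DMZ host still hit "deny ip any any" in
! access-list 101 unless a static NAT and a permit placed before those
! deny lines are added.
!
! Verify from enable mode:
!   show ip access-lists 120   ! deny counters climb when the host probes the LAN
!   show ip inspect sessions   ! the DMZ host's outbound flows tracked by CBAC
!   show ip nat translations   ! 192.168.2.10 translated to the Dialer0 address
```

As written, sessions opened from the inside LAN toward the DMZ host also fail, because the host's replies match the first deny in access-list 120; that is the isolation asked for, and relaxing it should be done with stateful inspection on the LAN side rather than by loosening the DMZ ACL.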