Cisco 887VA DMZ Capability

Hi All,

I have recently managed to set up my Cisco 887VA router with a lot of support, both here at EE and from friends. As a Cisco n00b, it's been quite a journey.

I was wondering if someone could advise if setting up a DMZ was possible with this router? I have attached my current running config.

Ideally, what I am looking to do is place devices in my DMZ so that they have unrestricted outbound access and if required, punch holes through the DMZ to the required VLANS. Any help is much appreciated.

Looking forward to hearing from you all.

(BTW - Are there any GUI Based management tools that anyone would recommend?)
Amarjot Singh asked:

That router is capable of zone-based firewall, and the GUI that you can use is Cisco Configuration Professional. I think it requires you to be registered at Cisco (but you don't have to be a partner, you just need to register).

Link for Download
I use CCP 2.8 (not the Express version); I did not try the 3.1 version yet (since it is CCP Express).
Amarjot Singh (Author) commented:
Thanks Predrag! I'm having some issues with CCP 3.2 - the HTML it loads doesn't load at all. I might try 2.8 to see if I have the same issues.

With regards to zone-based firewall - am I able to set it up without requiring an FE port? As you will know from my previous question, I have used all four FE ports that are available (if a port is required, I'm happy to sacrifice one port). Or is it a case that you can "point" the IP address to the DMZ and it is configured?

CCP 2.8 runs OK for the Cisco 8xx series; I just tried it a few minutes ago, just in case.
You are able to set it up without an FE port. You just need to create a separate VLAN for the DMZ and add host(s) to that VLAN, so no physical ports are needed.

Amarjot Singh (Author) commented:
CCP 2.8 works great! Although I sort of wish I hadn't tried it - so many options!

This will probably sound stupid but here it goes... How would I go about configuring it as you suggest? (I'm more than happy to lose VLAN3 if it is simpler to configure this way.)

And how would I add a device to the DMZ?
No need to lose VLAN 3.

You need to add a new VLAN on the router, together with a new VLAN interface for that VLAN.
You need to convert one port from an access port to a trunk port.

#interface vlan 5                   <--  will create vlan 5 and interface VLAN 5
 ip address x.x.x.x y.y.y.y
 ip nat inside

# interface fa X
no switchport mode access
switchport mode trunk
switchport trunk allowed vlan 1, x, 5

Then you need to create VLAN 5 on your switch and add ports for the host(s) in it.
Create a trunk port on the switch and add VLANs 1, x and 5 to it (on some devices the native VLAN, usually VLAN 1, can't be changed and must be present on the trunk for it to work properly). That's why it is not a good idea to use the native VLAN for hosts.
If you need to add a VLAN to a trunk port (like the native VLAN) or any other VLAN, the command is
# switchport trunk allowed vlan add X

Recommendation (if the configuration is the same as it was in the previously posted question):
For the current VLAN 1
   remove interface vlan 1 with
# no interface vlan 1
# interface vlan 6   (or any other unused VLAN number)
add the IP address that was on interface vlan 1 and ip nat inside
and add Fa0 to that VLAN (currently in VLAN 1)
# interface Fa0
# switchport access vlan 6
and you are good to go :) You are not using VLAN 1 anymore for hosts.

And then you can create the ZB firewall with DMZ from the GUI.
Amarjot Singh (Author) commented:
So if I understand correctly -

Lose VLAN1 and use VLAN 6 instead because it is a native VLAN.
Assign VLAN 6 where VLAN1 is currently.

interface vlan 6
 description **VLAN 6 INTERFACE**
 ip address
 ip nat inside
interface Fa0
 no switchport access vlan 1
 switchport access vlan 6

Then Create VLAN 5 as the DMZ VLAN

interface vlan 5
 description **VLAN 5 INTERFACE - DMZ**
 ip address
 ip helper-address
 ip nat inside

Assign VLAN 5 to the same interface as VLAN 6 (based on the changes above)

interface fa 0
 no switchport mode access
 switchport mode trunk
 switchport trunk allowed vlan 6, x, 5      <-- Not sure what x should be here; is this the FA? If so, should this be 0?

So the above should give me the setup required to be able to use the ZBF, right?

I will then need to configure the physical switch port on my L2 device with VLAN 5 so that I can get my device outbound - correct?

Is there a way to virtually move devices into the DMZ also? So for example, if I have a device that sits on 192.168.1.x (VLAN 6, previously VLAN1), without having to reconfigure the addresses?
Benjamin Van Ditmars (Sr Network Engineer) commented:
Why not use one of the internal switch ports? Then he doesn't have to make a trunk,

just add a second vlan,

vlan x
 name DMZ

interface vlan x
 ip address x.x.x.x
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 no autostate
 ip access-group DMZ-OUT in

interface fastethernet
 switchport mode access
 switchport access vlan x

Also add an access rule on the LAN interface, and make access rules that allow or deny traffic.

X is the VLAN that you just added, so in the case you created, x is not needed; you already added 5 & 6. You need to add VLAN 1 (in many cases you can't remove VLAN 1 from a trunk). ZBF is just attached to VLANs, so the physical ports have nothing to do with it.
Since you moved the VLAN interface address to the same address space as the server, you just need to reconfigure switch ports so that ports on the switch that are in VLAN 1 now belong to VLAN 6; no need to reconfigure the server IP address.
@Benjamin I know the configuration from the previous question: currently all 4 physical ports are access ports, and there are 4 VLANs (each port has its own VLAN). If a 5th VLAN is added then one of the ports needs to be a trunk port, or one VLAN needs to be eliminated.
Benjamin Van Ditmars (Sr Network Engineer) commented:
Ahh, I am sorry. Yes, then make one a trunk port with the original VLAN as native and VLAN 5 as a tagged VLAN on top of it.
Amarjot Singh (Author) commented:
Thanks Predrag and Benjamin - I'm going to test out the config in an hour or so. Fingers crossed!
Benjamin Van Ditmars (Sr Network Engineer) commented:
When help is needed, just scream to us and we will help you; that's what it is for.
Amarjot Singh (Author) commented:
So things just got a little bit weird when trying to configure.

I made the IP address of VLAN 6 so that it didn't overlap with VLAN1, and it came back with a message that it overlaps with VLAN1. So I reloaded and then tried to go ahead without creating VLAN6 and just use VLAN1, and I think I had the issue you described Predrag -

Command rejected: Bad VLAN allowed list. You have to include all default vlans, e.g. 1-2,1002-1005.

This error came up when doing the following.
switchport trunk allowed vlan 1,5

I've uploaded a full config and vlan-switch as it currently stands, as I think I'm doing something wrong.
Some VLANs cannot be excluded :)
1,1002-1005 need to be present in the allowed list on Cisco switches for some backward compatibility.

# switchport trunk allowed vlan 1,5, 1002-1005
will work

And also I don't like servers to be in VLAN 1 (that was what I was trying to achieve) :)
If you leave some ports in the default state and plug some host into one of those ports, it will be part of VLAN 1 (the server VLAN in your case)...
According to switch best practice, all unused ports should be part of some "black hole VLAN" that is present only on that switch and is not part of any trunk.
What I was trying to say is
interface Vlan1
 description **VLAN 1 INTERFACE**
 no ip address
 no ip nat inside
 ip virtual-reassembly in

interface Vlan6
 description **VLAN 6 INTERFACE**
 ip address
 ip nat inside
 ip virtual-reassembly in


And then the access ports on the Netgear switch from VLAN 1 should be reassigned to VLAN 6, and there should be no changing of IP addresses on hosts in VLAN 1; also, a trunk port should be configured on the Netgear interface that is connected to the Cisco.

On Cisco also:
interface FastEthernet0
 switchport mode trunk
 switchport trunk allowed vlan 1, 5, 6, 1002 - 1005
 no ip address


But just to note that some switches demand a space between ',', '-' and the number (e.g. 1, 2, 3 - 4 vs. 1,2,3-4) and some don't :)

That is how I would do it, but it can also be done without moving servers to VLAN 6... just by adding another VLAN to the port as Benjamin suggested...
Amarjot Singh (Author) commented:
Thanks Predrag - just tried out what you said, this time with no errors, but it took out my connection completely lol

I don't trust myself with trunking haha

I think it might just be best to sacrifice VLAN 3 and also an access port. Are you able to advise how to configure it in this method instead?
Benjamin Van Ditmars (Sr Network Engineer) commented:
Why not put VLAN 1 as native? Then you have VLAN 1 as default at port 1 and tagged traffic of VLAN 5.

interface fastethernet 0
 no switchport mode access
 switchport mode trunk
 switchport trunk allowed vlan 1,5,1002-1005
 switchport trunk native vlan 1
 switchport trunk encapsulation dot1q
 ip address x.x.x.x y.y.y.y
 ip nat inside

Now you will have all functionality as it was, and VLAN 5 tagged on this interface.

I guess if it did not work as it should, the Netgear switch did not have a properly configured trunk on its side. I guess the problem could also be moving ports on the Netgear from VLAN 1 to VLAN 6 for clients.

If you plan to go with using one of the existing VLANs (VLAN 3), you don't need to reconfigure anything from the starting configuration (before the question here); just run CCP and configure the firewall (advanced config) with VLAN 3 as the DMZ. Although I would recommend considering whether it is wise (if you are merging 2 VLANs, that can have a few consequences, like security, or is the address space big enough, including projection of future growth? I would not recommend a class C of IP addresses for business use even without merging two VLANs).
Amarjot Singh (Author) commented:
Yeah, I think the issue was on the Netgear side - I had set up the trunk ports as I have done previously but it just didn't like it.

Thanks for the confirmation - VLAN 3 is just a test network which is not currently being used so I'm not too concerned about losing this. Also, as for capacity, this is a lab environment for testing so that I can get it up and running and then move over to a real environment where required (trunking and ports will be less of an issue at that point).

I've uploaded some pictures of the menu that I am being offered with possible config - I'm unsure of what to add to the "Service" in the second picture, as well as the level of security required. Ideally what I want to achieve is that I can place devices into the DMZ so that they have unrestricted outbound access and, where required, punch holes through the firewall if there is a requirement for an application to talk to the rest of the network.
Ideally what I want to achieve is that I can place devices into the DMZ so that they have unrestricted outbound access and, where required, punch holes through the firewall if there is a requirement for an application to talk to the rest of the network.
That's exactly what you will get with a DMZ. For services, you are asked what holes you want to punch in the firewall. :)
Simple explanation article
Cisco manual for CCP ver 2.8
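As an added example (not configuration from the thread, and not what CCP generates for you), this is what the CLI equivalent of a DMZ zone-based firewall looks like for the final design with VLAN 3 as the DMZ: unrestricted, stateful outbound from the DMZ, and one explicit "hole" from the DMZ into the LAN. The zone names, the Dialer0 WAN interface and the 192.168.x addresses are assumptions; substitute your own.

```cisco
! Added example (not from the thread): zone-based firewall with a DMZ.
! Assumed placeholders: Vlan1 = LAN (192.168.1.0/24), Vlan3 = DMZ (192.168.3.0/24),
! Dialer0 = WAN; DMZ host 192.168.3.10 needs TCP/3306 to internal host 192.168.1.20.
zone security INSIDE
zone security DMZ
zone security OUTSIDE
!
interface Vlan1
 zone-member security INSIDE
interface Vlan3
 zone-member security DMZ
interface Dialer0
 zone-member security OUTSIDE
!
! Stateful inspection of these protocols lets replies return without extra rules.
class-map type inspect match-any CM-ANY-IP
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-INSPECT-ALL
 class type inspect CM-ANY-IP
  inspect
 class class-default
  drop log
!
! Unrestricted outbound for both LAN and DMZ; the Internet cannot initiate
! inbound because no zone-pair has OUTSIDE as its source.
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSPECT-ALL
zone-pair security ZP-DMZ-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect PM-INSPECT-ALL
! LAN may reach the DMZ freely (management, testing).
zone-pair security ZP-INSIDE-DMZ source INSIDE destination DMZ
 service-policy type inspect PM-INSPECT-ALL
!
! The "hole": DMZ -> LAN only for one host and one port; everything else is dropped and logged.
ip access-list extended ACL-DMZ-TO-LAN
 permit tcp host 192.168.3.10 host 192.168.1.20 eq 3306
class-map type inspect match-all CM-DMZ-TO-LAN-HOLE
 match access-group name ACL-DMZ-TO-LAN
 match protocol tcp
policy-map type inspect PM-DMZ-TO-LAN
 class type inspect CM-DMZ-TO-LAN-HOLE
  inspect
 class class-default
  drop log
zone-pair security ZP-DMZ-INSIDE source DMZ destination INSIDE
 service-policy type inspect PM-DMZ-TO-LAN
```

Once an interface is a zone member, traffic to any interface in another zone is dropped unless a zone-pair permits it, so every direction you still need (here INSIDE to OUTSIDE) must get its own pair. Check live sessions and the hits on the drop classes with show policy-map type inspect zone-pair sessions.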

Amarjot Singh (Author) commented:
Hey Predrag - thanks for the link!

Apologies for the delay in my response, I am currently in another country (last minute flight for work) and will be back tomorrow and will attempt to configure this then :)

Amarjot Singh (Author) commented:
Thank you so much for your assistance with this - managed to get it all set up as required :)
You're welcome.