IOS ROUTER AS FIREWALL

Will this work for a Cisco Expressway install using an IOS router as a firewall?

interface GigabitEthernet0/0
 description Internal LAN
 ip address 192.168.0.250 255.255.255.0
 ip access-group OutboundInternet in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Fiber Internet Connection (Primary internet access)
 ip address 50.206.31.130 255.255.255.248
 ip access-group Internet in
 ip nat outside
 ip nat enable
 ip inspect HQ-INPECT-OUT out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex full
 speed 1000
 ntp broadcast client
 crypto map VPN
!
interface GigabitEthernet0/2
 description EXPRESSWAY
 ip address 172.29.2.24 255.255.255.0
 ip nat outside
 ip nat enable
!
!
object-group network LocalEXPRESSWAY
 172.29.2.0 255.255.255.0
object-group network RFC1918Private
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0

object-group service VOIP_DMZ
 tcp 80
 tcp 443
 tcp 22
 tcp 161
 udp 123
 tcp range 3000-35999
 tcp 389
 tcp 636
 udp 514
 udp range 3000-35999
 udp 1024
 udp 53
 tcp 6970
 tcp 8443
 tcp 7400
 tcp 2222
 tcp 7001
 udp range 36000-36001
 udp 3478
 udp 1024
 udp range 36002-59999
 tcp range 25000-29999


ip access-list extended Guest_2_WAN
 permit tcp object-group LocalEXPRESSWAY any

ip access-list extended privateToPublic
 permit object-group VOIP_DMZ object-group RFC1918Private any

ip access-list extended siteToSite
 permit ip object-group RFC1918Private object-group RFC1918Private

route-map natOverload deny 10
 match ip address siteToSite
route-map natOverload permit 20
 match ip address privateToPublic

ip nat inside source static 172.20.2.25 107.1.55.21 route-map nonat extendable
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
ip nat source list Guest_2_WAN interface GigabitEthernet0/1 overload

ip access-list extended In_2_Out
 permit ip any any reflect StatefulInbound

ip access-list extended Out_2_In
 evaluate StatefulInbound
 permit ip any host 107.1.55.21

interface GigabitEthernet0/1
 ip access-group Out_2_In in
 ip access-group In_2_Out out
John Myers (Consultant) asked:

atlas_shuddered (Sr. Network Engineer) commented:
Assuming that you are trying to filter traffic out, there is no actual access list named OutboundInternet behind "access-group OutboundInternet". Technically the router won't allow you to place an access-group that doesn't associate to a configured ACL, and in the event that you delete the ACL after the fact, the access-group will still be listed but become null. At best, there is no effect on the interface.

On the outside, this one - access-group Internet - has no access-list reference either (same as above).

Additionally, at the bottom of your script you re-write the access groups referenced on Gig 0/1. Since an interface can have only one ACL applied in each direction at any given time, the last two entries are what will be applied.

Lastly, assuming that the only traffic that you want to be permitted in from the Internet is the traffic allowed out from the LAN and marked in your RACL or only that traffic destined for 107.1.55.21 then you

Should work but I would suggest cleanup.


ip access-list extended privateToPublic
 permit object-group VOIP_DMZ object-group RFC1918Private any - your object groups are reversed.
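As an added example (not code from the question or from the answer above), here is a small Python checker that applies the two checks atlas_shuddered makes by hand to an IOS configuration: it reports access-groups, NAT statements, route-map match clauses, ip inspect rules and ACL entries that reference a name the configuration never defines, and it reports an interface direction that receives more than one access-group, since only the last one applied takes effect. The embedded SAMPLE_CONFIG is a constructed excerpt of the question's config with the addresses replaced by RFC 5737 documentation ranges; the names (OutboundInternet, Internet, HQ-INPECT-OUT, nonat, StatefulInbound and so on) are the ones posted. The parser only understands the handful of command shapes the question uses and is not a general IOS parser.

```python
"""Static sanity check for an IOS 'router as firewall' configuration.

Finds (1) names referenced but never defined and (2) an interface direction
with more than one access-group applied (IOS keeps only the last one).
"""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the question's config, addresses replaced
# with RFC 5737 documentation ranges, object/ACL/route-map names kept as posted.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description Internal LAN
 ip address 192.0.2.250 255.255.255.0
 ip access-group OutboundInternet in
 ip nat inside
!
interface GigabitEthernet0/1
 description Fiber Internet Connection
 ip address 198.51.100.130 255.255.255.248
 ip access-group Internet in
 ip nat outside
 ip inspect HQ-INPECT-OUT out
!
object-group network LocalEXPRESSWAY
 172.29.2.0 255.255.255.0
object-group network RFC1918Private
 10.0.0.0 255.0.0.0
object-group service VOIP_DMZ
 tcp 443
ip access-list extended privateToPublic
 permit object-group VOIP_DMZ object-group RFC1918Private any
ip access-list extended siteToSite
 permit ip object-group RFC1918Private object-group RFC1918Private
route-map natOverload deny 10
 match ip address siteToSite
route-map natOverload permit 20
 match ip address privateToPublic
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
ip access-list extended In_2_Out
 permit ip any any reflect StatefulInbound
ip access-list extended Out_2_In
 evaluate StatefulInbound
 permit ip any host 203.0.113.21
interface GigabitEthernet0/1
 ip access-group Out_2_In in
 ip access-group In_2_Out out
"""


def parse_config(text):
    """Return (defined names by kind, (kind, name, where) references, access-groups per interface)."""
    defined = defaultdict(set)
    refs = []
    access_groups = defaultdict(lambda: defaultdict(list))   # iface -> dir -> [acl, ...]
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            iface = None                      # a top-level command ends the interface block
        where = iface or "global"
        if m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
        elif m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
            defined["acl"].add(m.group(1))
        elif m := re.match(r"object-group (?:network|service) (\S+)", line):
            defined["object-group"].add(m.group(1))
        elif m := re.match(r"route-map (\S+)", line):
            defined["route-map"].add(m.group(1))
        elif m := re.match(r"ip inspect name (\S+)", line):
            defined["inspect"].add(m.group(1))
        elif m := re.match(r"ip inspect (\S+) (in|out)$", line):
            refs.append(("inspect", m.group(1), f"{where} {m.group(2)}"))
        elif m := re.match(r"ip access-group (\S+) (in|out)$", line):
            refs.append(("acl", m.group(1), f"{where} {m.group(2)}"))
            access_groups[where][m.group(2)].append(m.group(1))
        elif m := re.match(r"match ip address (\S+)", line):
            refs.append(("acl", m.group(1), where))
        elif line.startswith("ip nat "):
            if m := re.search(r"route-map (\S+)", line):
                refs.append(("route-map", m.group(1), where))
            if m := re.search(r"\blist (\S+)", line):
                refs.append(("acl", m.group(1), where))
        elif m := re.match(r"evaluate (\S+)", line):
            refs.append(("reflexive", m.group(1), where))
        elif re.match(r"(permit|deny)\b", line):
            for group in re.findall(r"object-group (\S+)", line):
                refs.append(("object-group", group, where))
            if m := re.search(r"\breflect (\S+)", line):   # 'reflect' defines the reflexive ACL
                defined["reflexive"].add(m.group(1))
    return defined, refs, access_groups


def audit(text):
    """Return human-readable findings; an empty list means both checks passed."""
    defined, refs, access_groups = parse_config(text)
    findings = []
    for kind, name, where in refs:
        if name not in defined[kind]:
            findings.append(f"{where}: references undefined {kind} '{name}'")
    for iface, dirs in access_groups.items():
        for direction, names in dirs.items():
            if len(names) > 1:
                findings.append(f"{iface} {direction}: {len(names)} access-groups applied, "
                                f"only the last ('{names[-1]}') takes effect")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the missing OutboundInternet and Internet ACLs, the undefined HQ-INPECT-OUT inspect rule, the undefined nonat route-map, and the doubled inbound access-group on GigabitEthernet0/1; StatefulInbound passes because the reflect entry in In_2_Out defines it before Out_2_In evaluates it. Pasting the output of "show running-config" into SAMPLE_CONFIG gives the same checks on a live box.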

John Myers (Consultant, author) commented:
Thanks for the input.
John Myers (Consultant, author) commented:
Thanks.
atlas_shuddered (Sr. Network Engineer) commented:
No worries. Good luck.