
Config 2851 as firewall 1

Status
Not open for further replies.

cspectra

Technical User
Apr 30, 2007
56
US
I need help configuring a Cisco 2851 router as a firewall.
The network starts from an ISP router; our Cisco 2851 will be the firewall, and its outside interface is FastEthernet 1/0, with public IP A.B.C.29 / 28-bit mask, connecting to that router. The boss wants the mail server's public IP to stay at the old value of A.B.C.26 with the same mask. There is only one whole class C inside private network, x.y.z.0 / 24-bit mask. The mail server's private IP is x.y.z.11, allowing only mail service. How do I configure the outside interface, route, rules, and NAT?
I am not a Cisco techie; can somebody provide hints, please?
Thanks in advance.
 
Hello
The SDM could be of great help. In the meantime, here's a base conf. Change the addresses to suit your needs. Please post if you have a question on the conf.
Regards


! appfw_100 is applied inbound on the LAN: sessions started from the LAN are
! inspected and their return traffic is let back in through ACL 102 on the
! outside interface. dmzinspect is applied outbound on the DMZ: sessions going
! into the DMZ (the inbound SMTP) are inspected and their replies are let
! out through ACL 101.
ip inspect name appfw_100 http
ip inspect name appfw_100 tcp
ip inspect name appfw_100 udp
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
!
! Loopback0 only stands in for the DMZ interface here; on the router this
! would be a second LAN interface.
interface Loopback0
 description $FW_DMZ$
 ip address 172.16.2.1 255.255.255.0
 ip access-group 101 in
 ip inspect dmzinspect out
!
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 10.1.12.2 255.255.255.0
 ip access-group 100 in
 ip inspect appfw_100 in
 no shutdown
!
interface Serial0/0/1
 description $FW_OUTSIDE$
 ip address 192.168.23.2 255.255.255.0
 ip access-group 102 in
 ip verify unicast reverse-path
 no shutdown
!
! ACL 100 (inbound on the LAN): outbound anti-spoofing, then everything out.
access-list 100 deny ip 172.16.2.0 0.0.0.255 any
access-list 100 deny ip 192.168.23.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! ACL 101 (inbound on the DMZ): the DMZ host may not start sessions; the
! replies of the sessions inspected by dmzinspect are opened dynamically.
access-list 101 deny ip any any log
! ACL 102 (inbound on the outside): anti-spoofing, the ICMP the inside hosts
! need, SMTP to the DMZ mail server, then deny and log the rest.
access-list 102 deny ip 172.16.2.0 0.0.0.255 any
access-list 102 deny ip 10.1.12.0 0.0.0.255 any
access-list 102 permit icmp any host 192.168.23.2 echo-reply
access-list 102 permit icmp any host 192.168.23.2 time-exceeded
access-list 102 permit icmp any host 192.168.23.2 unreachable
access-list 102 permit tcp any host 172.16.2.10 eq 25
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log



 
The best way CBAC works is: you have the same inspect name for in and out, allow what you want going out, and deny everything coming in. CBAC will change the ACL dynamically to let in what you have it inspecting going out.

Burt
 
To "Minue",
I got some hints from your answer, but at the same time I got a little confused. I hope you will explain.

What is the Loopback interface, and what is the purpose of that whole section? If it is there for the mail server on the DMZ, then it is not applicable to our case, since our boss wants all traffic in and out on the same in/out interfaces.

I will study the access-list before asking more questions.

To "burtsbees",
Could you tell me what CBAC is?

Thank you both.
 
Hello
Sorry! I meant to change the loopback 0 to your second FastEthernet, which should be your DMZ interface. Tell your boss that he's looking for trouble by not putting the mail server on its own subnet. If you must do it this way, it still can be done. Will you be using NAT/PAT?
Just to give you a few pointers on the access-list. The list 102:
1. Will only permit the essential ICMP that the inside hosts need for the IP protocol. These are for pinging, tracert, and unreachable Internet hosts. As you can see, we allow traffic to the mail server on port 25.
2. The rest of the access-list will block private addresses, broadcast and loopback. This is an anti-spoof method.
3. All other traffic is denied and logged, so that you can have an idea of who's trying to penetrate your network.
The access-list 100 is applying anti-spoofing as well, but in the outbound direction. Then all other traffic is allowed to leave the network.
Note carefully that the outside list will automatically get an access-list entry for the return traffic that originated from inside. You will see this behavior with "show ip inspect session detail".
The word CBAC was used to mean Firewall on router, before they decided to call it Cisco IOS Firewall.
Regards
PS. Please feel free to post if you have any doubts.
 
Minue,
I thought that the interface IP addresses are the NAT/PAT themselves. All other inside traffic will be translated to the outside IP (192.168.23.2 in your example), and the reverse for incoming traffic. Only mail service traffic will be translated to the IP of the inside mail server (172.16.2.10 in your example).
If it is not what I thought, then some suggestions will be very much appreciated. At the same time, it is stated that the mail server must be on the inside network; how would I adjust for this?
Thanks
 
Hello
In my example, the outside and DMZ interfaces would be pure public addresses. (I was just following the Cisco convention, to avoid using real companies' addresses in configuration examples.)
Also, the addresses I used aren't NAT/PAT. If you're not using public addresses on your LAN, you will have to configure NAT. Please confirm, so I can post you a more suitable conf.
Regards
 
Minue,
As I said earlier, we only have two interfaces: the outside, public IP 65.A.B.29 / 28-bit mask, default gateway 65.A.B.25; and the inside, private IP network class C 192.168.y.0 / 24-bit mask. We need to NAT/PAT so that most outbound traffic is blocked except FTP, SSH, HTTP, HTTPS, SMTP, etc. However, the special case is that only the SMTP service is allowed from the outside, targeting the public IP address 65.A.B.26, which is NATed to 192.168.y.12.
Please add all other safety measures if you think it is wise to do so. Thanks
 
Hello
The below conf should get you up and running; we can fine-tune it as soon as it is active.

ip inspect name appfw_100 tcp
ip inspect name appfw_100 udp
! Note: here you can add more protocols for deeper inspection (ftp, http, ...).
! The TCP & UDP entries just do general inspection.
!
interface FastEthernet0/0
 description $FW_INSIDE$
 ! the router needs a host address on the LAN, not the network address
 ip address 192.168.y.1 255.255.255.0
 ip access-group 100 in
 ip inspect appfw_100 in
 ip nat inside
 no shutdown
!
! Your outside interface (FastEthernet1/0 on the 2851 described above).
! The 65.A.B.x block is a /28, so the mask is 255.255.255.240.
interface Serial0/0/1
 description $FW_OUTSIDE$
 ip address 65.A.B.26 255.255.255.240
 ip access-group 102 in
 ip nat outside
 ip verify unicast reverse-path
 no shutdown
!
! Default route to the ISP router.
ip route 0.0.0.0 0.0.0.0 65.A.B.25
!
! ACL 100 (inbound on the LAN): outbound anti-spoofing, then everything out.
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
! Here I allowed all IP protocols for simplicity, but you can tailor it
! down to the TCP traffic you want.
access-list 100 permit ip any any
!
! ACL 102 (inbound on the outside interface).
access-list 102 deny ip 192.168.y.0 0.0.0.255 any
access-list 102 permit icmp any host 65.A.B.26 echo-reply
access-list 102 permit icmp any host 65.A.B.26 time-exceeded
access-list 102 permit icmp any host 65.A.B.26 unreachable
! only SMTP, and only to the mail server's public address
access-list 102 permit tcp any host 65.A.B.26 eq smtp
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
!
! NAT: overload (PAT) everything from the LAN onto the outside interface's
! public address; forward inbound TCP/25 on that interface to the mail server.
access-list 1 permit 192.168.y.0 0.0.0.255
ip nat inside source list 1 interface Serial0/0/1 overload
ip nat inside source static tcp 192.168.y.12 25 interface Serial0/0/1 25
! Serial0/0/1 is your outside interface


Regards


 
Minue,
I guess in the line
"access-list 102 deny ip 10.0.0.0 0.255.255.255 any"
should I replace the 10.0.0.0 with my inside interface IP address class, 192.168.0.0 0.0.255.255, or something else?

Should I remove the line
"access-list 102 deny ip 172.16.0.0 0.15.255.255 any"
since we don't use the DMZ?

Assuming the rest are OK, can you explain why, in the last 3 lines, access-group 1 is there, and the meaning of the line
"ip nat inside source list 1 interface FastEthernet0/0 overload"?
Thanks again.


 
Hello
Remember I told you that this line is for inbound anti-spoofing:
"access-list 102 deny ip 10.0.0.0 0.255.255.255 any". It denies the private class-A addresses from entering your network. We only want addresses sourced from public addresses to enter. In any case, you can add 192.168.0.0 0.0.255.255 to be more precise. The "access-list 102 deny ip 172.16.0.0 0.15.255.255 any" is needed because it's the class-B private range.
Please change this NAT for the mail server; I overlooked it.
ip nat inside source static tcp 192.168.y.12 25 interface Serial0/0/1 25
! Serial0/0/1 is your outside interface

1. The access-list 1 tells the router that when it sees traffic from your private network 192.168.y.0, to NAT it.
2. The second line tells the router to use the WAN interface with its public address as the NAT global outside address. The overload means use PAT instead of NAT, which is a one-to-one mapping.
3. The last line is for NATting the mail server. It says if a packet comes in on port 25 to the WAN interface, which represents the public IP, to NAT the packet to 192.168.y.0.

Regards
PS. Is your public address given to you via DHCP, or is it statically configured?



 
Thank you very much, Minue. I understand now; I'll try with the SDM to see how it would come out in the running config. I'll let you know.
 
What I meant by my statement is

ip inspect name blabla tcp

Repeat for all other protocols like Minue said. I only create one name though... here's why...

You create an ACL that allows what you want out AND coming back in (same ACL), and apply this outbound on your LAN interface. You then create a second ACL allowing any remote access (like a VPN, SSH, etc.) BUT denying everything else. Sounds crazy, I know. However, you apply the ip inspect blabla out on the LAN and in on the WAN. The firewall inspects protocols going out according to the rules and allows them BACK in (like HTTP, if it is inspected). It dynamically CHANGES the ACL inbound! Cool, huh?

It's like a fine-tuned way of doing an ACL with the keyword "established" at the end, but MUCH better.

Burt
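Burt's description above (one inspect name, a restrictive outbound ACL, an inbound ACL that admits only the remote-access services) and Minue's NAT explanation (the public address dedicated to the mail server, PAT for everyone else) describe one design; this is a complete IOS Firewall (CBAC) configuration for it. It is an added example, not a config posted by cspectra, Minue or Burt. Assumptions: the documentation block 203.0.113.16/28 stands in for the thread's 65.A.B.x (.25 ISP router, .26 mail server, .29 outside interface), 192.168.1.0/24 for 192.168.y.0/24, the mail server is 192.168.1.12, the interface names are GigabitEthernet0/0 (inside) and FastEthernet1/0 (outside), and 198.51.100.7 is an admin host allowed to SSH to the router. The example applies the inspection rule inbound on both interfaces: LAN-originated sessions get their return openings in ACL 102 on the outside, and the inbound SMTP sessions get theirs in ACL 100 on the inside.

```cisco
! Added example (not posted in the thread). Addresses, interface names and
! the admin host 198.51.100.7 are assumptions standing in for the poster's.
ip cef
!
! One inspection rule set, used on both interfaces. ftp inspection is what
! opens the active-mode data channel; icmp inspection lets the replies to
! inside pings back in.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW icmp
ip inspect audit-trail
!
interface GigabitEthernet0/0
 description $FW_INSIDE$ 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip inspect FW in
 ip nat inside
 no shutdown
!
interface FastEthernet1/0
 description $FW_OUTSIDE$ to ISP router 203.0.113.25
 ip address 203.0.113.29 255.255.255.240
 ip access-group 102 in
 ip inspect FW in
 ip nat outside
 ip verify unicast reverse-path
 no ip redirects
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.25
!
! ACL 100, inbound on the LAN: what the inside is allowed to start
! (DNS, FTP, SSH, HTTP, HTTPS, ping; SMTP only from the mail server).
! Everything else, including other traffic from the mail server, is logged.
access-list 100 remark inside -> outside, first match wins
access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq domain
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq domain
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 permit tcp host 192.168.1.12 any eq smtp
access-list 100 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 100 deny ip any any log
!
! ACL 102, inbound on the outside: anti-spoofing first, then the only
! unsolicited services, then deny and log. Return traffic of sessions
! inspected on either interface is admitted by CBAC ahead of these entries.
access-list 102 remark outside -> inside
access-list 102 deny ip 192.168.1.0 0.0.0.255 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 0.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 permit tcp any host 203.0.113.26 eq smtp
access-list 102 permit tcp host 198.51.100.7 host 203.0.113.29 eq 22
access-list 102 permit icmp any host 203.0.113.29 unreachable
access-list 102 permit icmp any host 203.0.113.29 time-exceeded
access-list 102 permit icmp any host 203.0.113.26 unreachable
access-list 102 permit icmp any host 203.0.113.26 time-exceeded
access-list 102 deny ip any any log
!
! NAT. The mail server gets a one-to-one static translation to .26 so that
! its outbound mail is also sourced from .26 (reverse DNS and SPF checks by
! receiving MTAs depend on that); ACL 102 still limits inbound to TCP/25.
! Static entries take precedence over the overload rule, and IOS answers ARP
! for .26 on the outside interface because of this entry.
ip nat inside source static 192.168.1.12 203.0.113.26
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet1/0 overload
!
! Management: SSH to the router only from the admin host. Enabling SSH
! (hostname, ip domain-name, crypto key generate rsa) is not shown.
access-list 10 permit host 198.51.100.7
line vty 0 4
 access-class 10 in
 transport input ssh
```

Once it is active, "show ip inspect sessions detail" lists the dynamic openings CBAC has created, "show access-lists 102" shows the hit counts (a growing count on the final deny line is the unsolicited traffic being dropped), and "show ip nat translations" shows the static entry for .26 plus the PAT entries for everyone else. The ICMP unreachable and time-exceeded permits are there for path-MTU discovery and traceroute; they are addressed to the two public addresses, so NAT forwards them to the right inside host.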
 
Hello Burt
You have made me a bit curious. Can you please post a small configuration example?
Regards
 
Burtsbees, can you make an example of what you mentioned? I could not follow. Thanks
 
I have been somewhat busy... I will post a config soon... hang in there...

Burt
 