
Creating a DMZ


shaferbus

MIS
Dec 7, 2002
I'm no IOS wizard, so I'm hoping someone can check me out on this and make sure I'm understanding what I need to do (or if this is even the correct approach!).

I have a device (cellphone access point) that needs to expose 5 ports to the web. There is no need for the device to communicate with our office network at all in either direction. I'm assuming the best way to do this is to create a DMZ on a FastEthernet port on our Cisco 881 router (IOS 15.0(1)M5) and connect the device to it. Yes...?

I've done some reading of Tek-tips posts, and I think the correct way to create a DMZ on this router is to:

1. Create a VLAN for the DMZ.
2. Associate an interface with the new VLAN.
3. Create a DHCP pool for the new VLAN.
4. Create a DMZ Security Zone and assign the interface to it.
5. Allow the traffic through the firewall.
6. Create a class-map to match the 5 protocols the device needs.
7. Create a policy-map to inspect the protocols the class-map specifies.
8. Create zone-pairs for outside-to-DMZ and DMZ-to-outside and assign the policy-map to them.

Am I on the right track? Any glaring omissions? Any advice would be appreciated as always.

Here's the current config on the router:

Code:
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 881Router
!
boot-start-marker
boot system flash:c880data-universalk9-mz.150-1.M5.bin
boot system flash:c880data-universalk9-mz.150-1.M3.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
aaa authorization network ciscocp_vpn_group_ml_1 local 
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-xxxxxxxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxx 
 revocation-check none
 rsakeypair TP-self-signed-xxxxxxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxxxxxxx
no ip source-route
!
!
ip dhcp excluded-address 192.168.16.1
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.16.0 255.255.255.0
   default-router 192.168.16.1 
!

!
ip cef
no ip bootp server
ip domain name our.domain
ip name-server 192.168.16.2
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip port-map user-driver port tcp 8082 description Access Website
ip port-map user-RBS port tcp 8085 description Access Schedule
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn xxxxxxxxxx
!
!
username xxxxxxxxxx privilege 15 secret 5 xxxxxxxxxx
username xxxxxxxxxx privilege 15 password 7 xxxxxxxxxx
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ping
 match protocol icmp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any DRIVER_ACCESS
 match protocol user-driver
 match protocol user-RBS
class-map type inspect match-any driver
 match class-map DRIVER_ACCESS
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-all ccp-cls-1
 match class-map driver
 match access-group name driver
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-all ccp-cls-ccp-permit-1
 match class-map ping
 match access-group name ping
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect ccp-sip-inspect
  inspect 
 class type inspect ccp-h323-inspect
  inspect 
 class type inspect ccp-h323annexe-inspect
  inspect 
 class type inspect ccp-h225ras-inspect
  inspect 
 class type inspect ccp-h323nxg-inspect
  inspect 
 class type inspect ccp-skinny-inspect
  inspect 
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass log
 class type inspect ccp-cls-ccp-permit-1
  pass
 class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls-1
 class type inspect ccp-cls-1
  inspect 
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-policy-ccp-cls-1
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxxxxxxx
 key xxxxxxxxxx
 dns 192.168.16.1 192.168.16.2
 domain our.domain
 pool SDM_POOL_1
 acl 101
 include-local-lan
 pfs
 max-users 4
crypto isakmp profile ciscocp-ike-profile-1
   match identity group xxxxxxxxxxxxxxxxxxxx
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec df-bit clear
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0
 !
!
interface FastEthernet1
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address xxxxxxxxxx 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 !
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.16.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
 !
!
ip local pool SDM_POOL_1 192.168.17.50 192.168.17.55
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.16.2 8082 interface FastEthernet4 8082
ip nat inside source static tcp 192.168.16.2 8085 interface FastEthernet4 8085
ip nat inside source route-map NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxx
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22
ip access-list extended driver
 remark remark CCP_ACL Category=128
 remark CCP_ACL Category=16
 permit ip any host 192.168.16.2
ip access-list extended ping
 remark CCP_ACL Category=128
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=20
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 103 deny   ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 103 permit ip 192.168.16.0 0.0.0.255 any
access-list 150 permit ip 192.168.16.0 0.0.0.255 any
no cdp run

!
!
!
!
route-map NAT permit 1
 match ip address 103
!
!
control-plane
 !
!
banner login ^CCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
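The following IOS fragment is an added illustration of the eight steps listed in the post; it is not part of the original post or the poster's router. It assumes FastEthernet0 is the free switch port, a constructed DMZ subnet 192.168.18.0/24 with the access point at the fixed address 192.168.18.10 (static NAT needs a stable target, so give it a fixed address or a DHCP binding), and placeholder TCP ports 10001/10002 standing in for the five real ports; it reuses the page's existing out-zone, FastEthernet4, ccp-insp-traffic class-map and route-map NAT (ACL 103).

```cisco
! VLAN 2 is created first in vlan database mode (vlan database / vlan 2 name DMZ / exit)
interface FastEthernet0
 description DMZ switch port for the cellular access point
 switchport access vlan 2
interface Vlan2
 description DMZ
 ip address 192.168.18.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security dmz-zone
! DHCP for the DMZ; the gateway address is excluded from the pool (constructed subnet)
ip dhcp excluded-address 192.168.18.1
ip dhcp pool dmz-pool
 network 192.168.18.0 255.255.255.0
 default-router 192.168.18.1
 dns-server 208.67.222.222 208.67.220.220
! The DMZ zone; no zone-pair to or from in-zone is created, so office<->DMZ traffic stays dropped
zone security dmz-zone
! Name the exposed ports as user protocols (10001/10002 are placeholders; repeat for all 5)
ip port-map user-cell1 port tcp 10001 description Placeholder port 1
ip port-map user-cell2 port tcp 10002 description Placeholder port 2
ip access-list extended DMZ_HOST
 permit ip any host 192.168.18.10
class-map type inspect match-any CELL_PROTOCOLS
 match protocol user-cell1
 match protocol user-cell2
! match-all: only the listed ports AND only to the access point's address
class-map type inspect match-all OUT_TO_DMZ
 match class-map CELL_PROTOCOLS
 match access-group name DMZ_HOST
policy-map type inspect out-dmz-policy
 class type inspect OUT_TO_DMZ
  inspect
 class class-default
  drop log
policy-map type inspect dmz-out-policy
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
zone-pair security zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect out-dmz-policy
zone-pair security zp-dmz-out source dmz-zone destination out-zone
 service-policy type inspect dmz-out-policy
! Static NAT for each exposed port, plus PAT for DMZ-originated traffic via the existing route-map
ip nat inside source static tcp 192.168.18.10 10001 interface FastEthernet4 10001
ip nat inside source static tcp 192.168.18.10 10002 interface FastEthernet4 10002
access-list 103 permit ip 192.168.18.0 0.0.0.255 any
```

Zone-based firewall drops traffic between two zones that have no zone-pair, so the missing in-zone/dmz-zone pairs are what give the isolation the post asks for; confirm with show policy-map type inspect zone-pair that only the two new pairs carry DMZ sessions.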