
Router 2621 firewall suggestions

Status
Not open for further replies.

McCisco

Technical User
Oct 29, 2006
81
US
Here is the current configuration I want to use for my 2621 router as a firewall. Please make any suggestions that will help me use this router as a good firewall against incoming traffic. I have not named the router or set any of the passwords yet. I will before I go live with it.

Is there any way to log the traffic the router is allowing and dropping?
########################
sho run
Building configuration...

Current configuration : 1446 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXXXXX
!
boot-start-marker
boot system flash
boot-end-marker
!
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
no ip bootp server
ip audit po max-events 100
!
interface FastEthernet0/0
ip address 192.168.1.5 255.255.255.0
ip access-group 102 in
no ip unreachables
speed 100
full-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip http server
ip classless
!
access-list 102 deny icmp any any
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 deny tcp any any eq telnet
access-list 102 deny tcp any any eq 22
access-list 102 deny tcp any any eq pop3
access-list 102 deny tcp any any eq 143
access-list 102 deny udp any any eq tftp
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any echo-reply
access-list 102 deny icmp any any fragments
access-list 102 deny icmp any any echo
access-list 102 permit tcp any any established
access-list 102 permit tcp any any
access-list 102 permit ip any any
access-list 102 deny tcp any any eq smtp
!
line con 0
line aux 0
line vty 0 4
login
!
end
###########################################################################
System image file is "flash:c2600-io3-mz.123-19.bin"
with 36864K/4096K bytes of memory.
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
###########################################################
 
You need to set up NAT, define inside and outside interfaces and configure some static NAT translations with port forwarding. You need these as the basics to emulate how a firewall functions.

Are you comfortable with all that?
 
I think I have some idea on setting up the nat and the IP pools. I will give it a try and post back here.

thx
 
You need to reorder some of your access-list. Remember as soon as a match is made you leave the list. For example
deny icmp any any is near the top of the list and then after that you have some permit icmp, the permit will never be seen. The permit IP any any is not your last line. As a result your last line deny tcp any any eq smtp
will never be matched. Just a couple examples
 
Yes, I agree with bbears...if you deny icmp any any in the first statement, then there is no use in putting any other statements concerning icmp. It looks like that with that IOS image, you can't do much else, like tcp intercept, for example. I don't know about ip inspect bla bla bla commands either, if they can be done with your particular IOS, but those commands are a part of a good firewall set up.

Burt
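To see the first-match behaviour bbears and Burt describe, here is an added Python check (not from the thread) that walks the posted access-list 102 top-down, reports which entries can never be reached, and re-evaluates the list in the order the replies call for. Matching is simplified to protocol, destination port, ICMP type name and the established/fragments keywords, which is enough because every source and destination in the list is "any"; the sample packets are constructed.

```python
# Constructed copy of access-list 102 as posted above, in the posted order (every src/dst is "any").
ACL_102 = ("deny icmp any any | deny tcp any any eq ftp | deny tcp any any eq ftp-data | "
           "deny tcp any any eq telnet | deny tcp any any eq 22 | deny tcp any any eq pop3 | "
           "deny tcp any any eq 143 | deny udp any any eq tftp | permit icmp any any source-quench | "
           "permit icmp any any time-exceeded | permit icmp any any packet-too-big | "
           "permit icmp any any echo-reply | deny icmp any any fragments | deny icmp any any echo | "
           "permit tcp any any established | permit tcp any any | permit ip any any | "
           "deny tcp any any eq smtp").split(" | ")
PORTS = {"ftp": 21, "ftp-data": 20, "telnet": 23, "pop3": 110, "tftp": 69, "smtp": 25}

def parse(line):  # -> (action, proto, qualifier tokens): [], ["eq", port], [icmp-type], ["established"] or ["fragments"]
    action, proto, _src, _dst, *qual = line.split()
    return action, proto, qual

def matches(entry, pkt):  # pkt keys: proto, dport, icmp (type name), established, fragments
    _, proto, qual = entry
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not qual:
        return True  # e.g. "deny icmp any any" matches every ICMP packet
    if qual[0] == "eq":
        return pkt.get("dport") == (PORTS.get(qual[1]) or int(qual[1]))
    if qual[0] in ("established", "fragments"):
        return pkt.get(qual[0], False)
    return pkt.get("icmp") == qual[0]  # named ICMP type such as echo-reply

def first_match(acl, pkt):  # IOS stops at the first match; unmatched traffic hits the implicit deny
    for i, entry in enumerate(acl):
        if matches(entry, pkt):
            return i, entry[0]
    return len(acl), "deny"

def probe_for(entry):  # a packet this entry would match on its own
    _, proto, qual = entry
    pkt = {"proto": "udp" if proto == "ip" else proto}
    if qual and qual[0] == "eq":
        pkt["dport"] = PORTS.get(qual[1]) or int(qual[1])
    elif qual and qual[0] in ("established", "fragments"):
        pkt[qual[0]] = True
    elif qual:
        pkt["icmp"] = qual[0]
    return pkt

def shadowed(acl):  # (index, index of the earlier entry that always wins) for entries that can never match
    hits = [(i, first_match(acl, probe_for(e))[0]) for i, e in enumerate(acl)]
    return [(i, by) for i, by in hits if by != i]

ACL = [parse(line) for line in ACL_102]
# Order the replies call for: specific ICMP entries above the blanket ICMP deny, SMTP deny above the permits.
REORDERED = [ACL[i] for i in (8, 9, 10, 11, 12, 13, 0, 1, 2, 3, 4, 5, 6, 17, 7, 14, 15, 16)]
```

Running shadowed(ACL) flags the four permit icmp lines, both later icmp denies and the final smtp deny as unreachable, while shadowed(REORDERED) comes back empty.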
 