Cisco Firewall on 877 router
  • Cisco Firewall on 877 router

    Guys,

    I am very concerned that I have not secured my firewall properly, and have done all the config thru SDM.

    I had cause to check NAT earlier today, issued a show ip nat translation command, and found thousands of connections on virtually every port of my web server, coming from sequential IP addresses that resolved to wanadoo.fr.

    What I need to do is open only port 80 and port 443 (for https). Can someone advise me how to do this, either from the CLI or from SDM?

    Has anyone got the time to have a look at my running config and tell me if there are any glaring holes - this is my first Cisco router, and is somewhat a baptism of fire.

    Any and all help is very very very appreciated.

    Ian

  • #2
    Re: Cisco Firewall on 877 router

    Can you post the config without the passwords?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Cisco Firewall on 877 router

      Building configuration...

      Current configuration : 9497 bytes
      !
      ! Last configuration change at 17:47:23 PCTime Mon Jun 11 2007 by ad
      ! NVRAM config last updated at 15:44:53 PCTime Thu Jun 7 2007 by adm
      !
      version 12.4
      no service pad
      service tcp-keepalives-in
      service tcp-keepalives-out
      service timestamps debug datetime msec localtime show-timezone
      service timestamps log datetime msec localtime show-timezone
      service password-encryption
      service sequence-numbers
      !
      hostname ADSL_Router
      !
      boot-start-marker
      boot-end-marker
      !
      logging buffered 51200 warnings
      enable secret 5 $1$e8aw$KTNMStBZMGTmsLm.jMLdB1
      !
      aaa new-model
      !
      !
      aaa authentication login local_authen local
      aaa authorization exec local_author local
      !
      aaa session-id common
      !
      resource policy
      !
      clock timezone PCTime 0
      ip subnet-zero
      no ip source-route
      ip cef
      !
      !
      ip inspect log drop-pkt
      ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
      ip inspect name SDM_MEDIUM cuseeme
      ip inspect name SDM_MEDIUM dns
      ip inspect name SDM_MEDIUM ftp
      ip inspect name SDM_MEDIUM h323
      ip inspect name SDM_MEDIUM https
      ip inspect name SDM_MEDIUM icmp
      ip inspect name SDM_MEDIUM imap reset
      ip inspect name SDM_MEDIUM pop3 reset
      ip inspect name SDM_MEDIUM netshow
      ip inspect name SDM_MEDIUM rcmd
      ip inspect name SDM_MEDIUM realaudio
      ip inspect name SDM_MEDIUM rtsp
      ip inspect name SDM_MEDIUM esmtp
      ip inspect name SDM_MEDIUM sqlnet
      ip inspect name SDM_MEDIUM streamworks
      ip inspect name SDM_MEDIUM tftp
      ip inspect name SDM_MEDIUM tcp
      ip inspect name SDM_MEDIUM udp
      ip inspect name SDM_MEDIUM vdolive
      ip tcp synwait-time 10
      no ip bootp server
      ip domain name domain.ashlawn.org.uk
      ip name-server 212.23.6.100
      ip name-server 212.23.3.100
      !
      appfw policy-name SDM_MEDIUM
      application im aol
      service default action allow alarm
      service text-chat action allow alarm
      server permit name login.oscar.aol.com
      server permit name toc.oscar.aol.com
      server permit name oam-d09a.blue.aol.com
      audit-trail on
      application im msn
      service default action allow alarm
      service text-chat action allow alarm
      server permit name messenger.hotmail.com
      server permit name gateway.messenger.hotmail.com
      server permit name webmessenger.msn.com
      audit-trail on
      application http
      strict-http action allow alarm
      port-misuse im action reset alarm
      port-misuse p2p action reset alarm
      port-misuse tunneling action allow alarm
      application im yahoo
      service default action allow alarm
      service text-chat action allow alarm
      server permit name scs.msg.yahoo.com
      server permit name scsa.msg.yahoo.com
      server permit name scsb.msg.yahoo.com
      server permit name scsc.msg.yahoo.com
      server permit name scsd.msg.yahoo.com
      server permit name cs16.msg.dcn.yahoo.com
      server permit name cs19.msg.dcn.yahoo.com
      server permit name cs42.msg.dcn.yahoo.com
      server permit name cs53.msg.dcn.yahoo.com
      server permit name cs54.msg.dcn.yahoo.com
      server permit name ads1.vip.scd.yahoo.com
      server permit name radio1.launch.vip.dal.yahoo.com
      server permit name in1.msg.vip.re2.yahoo.com
      server permit name data1.my.vip.sc5.yahoo.com
      server permit name address1.pim.vip.mud.yahoo.com
      server permit name edit.messenger.yahoo.com
      server permit name messenger.yahoo.com
      server permit name http.pager.yahoo.com
      server permit name privacy.yahoo.com
      server permit name csa.yahoo.com
      server permit name csb.yahoo.com
      server permit name csc.yahoo.com
      audit-trail on
      !
      !

      !
      interface Null0
      no ip unreachables
      !
      interface ATM0
      no ip address
      no ip redirects
      no ip unreachables
      ip route-cache flow
      no atm ilmi-keepalive
      dsl operating-mode auto
      !
      interface ATM0.1 point-to-point
      description $ES_WAN$
      no ip redirects
      no ip unreachables
      pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
      !
      !
      interface FastEthernet0
      !
      interface FastEthernet1
      switchport access vlan 2
      !
      interface FastEthernet2
      !
      interface FastEthernet3
      !
      interface Vlan1
      description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
      ip address 10.177.0.30 255.255.248.0
      ip access-group 100 in
      no ip redirects
      no ip unreachables
      ip nat inside
      ip virtual-reassembly
      ip route-cache flow
      ip tcp adjust-mss 1452
      !
      interface Dialer0
      description $FW_OUTSIDE$
      ip address 82.70.xxx.xxx 255.255.255.248
      ip access-group 101 in
      no ip redirects
      no ip unreachables
      ip inspect SDM_MEDIUM out
      ip nat outside
      ip virtual-reassembly
      encapsulation ppp
      ip route-cache flow
      dialer pool 1
      dialer-group 1
      no cdp enable
      ppp authentication chap callin
      ppp chap hostname
      ppp chap password
      !
      ip classless
      ip route 0.0.0.0 0.0.0.0 Dialer0
      !
      ip http server
      ip http authentication local
      ip http secure-server
      ip http timeout-policy idle 5 life 86400 requests 10000
      ip nat inside source list 1 interface Dialer0 overload
      ip nat inside source static 10.177.0.4 82.70.xxx.xxx
      ip nat inside source static 10.177.0.7 82.70.xxx.xxx
      ip nat inside source static 10.177.0.12 82.70.xxx.xxx
      !
      access-list 1 remark INSIDE_IF=Vlan1
      access-list 1 remark SDM_ACL Category=2
      access-list 1 permit 10.177.0.0 0.0.7.255
      access-list 100 remark auto generated by SDM firewall configuration
      access-list 100 remark SDM_ACL Category=1
      access-list 100 deny ip 82.70.xxx.xxx 0.0.0.7 any
      access-list 100 deny ip host 255.255.255.255 any
      access-list 100 deny ip 127.0.0.0 0.255.255.255 any
      access-list 100 permit icmp any any
      access-list 100 permit ip any any
      access-list 101 remark auto generated by SDM firewall configuration
      access-list 101 remark SDM_ACL Category=1
      access-list 101 remark Access to Mail Gateway (UDP)
      access-list 101 permit udp any host 82.70.xxx.xxx
      access-list 101 remark Access to Mail Gateway (TCP
      access-list 101 permit tcp any host 82.70.xxx.xxx
      access-list 101 remark Access to Bromcom (TCP)
      access-list 101 permit tcp any host 82.70.xxx.xxx log
      access-list 101 remark Acess to Bromcom (UDP)
      access-list 101 permit udp any host 82.70.xxx.xxx8 log
      access-list 101 remark Access to Webmail Server (UDP)
      access-list 101 permit udp any host 82.70.xxx.xxx
      access-list 101 remark Access to Webmail Server (TCP)
      access-list 101 permit tcp any host 82.70.xxx.xxx
      access-list 101 permit udp host 212.23.6.100 eq domain host 82.70.13
      access-list 101 permit udp host 212.23.3.100 eq domain host 82.70.13
      access-list 101 deny icmp any 82.70.xxx.xxx 0.0.0.7
      access-list 101 deny icmp any host 82.70.xxx.xxx
      access-list 101 remark tracert
      access-list 101 permit icmp any host 82.70.xxx.xxx traceroute
      access-list 101 permit icmp any host 82.70.xxx.xxx echo-reply
      access-list 101 permit icmp any host 82.70.xxx.xxx time-exceeded
      access-list 101 permit icmp any host 82.70.xxx.xxx unreachable
      access-list 101 permit tcp any host 82.70.xxx.xxx eq 443
      access-list 101 deny tcp any host 82.70.xxx.xxx eq 22
      access-list 101 deny tcp any host 82.70.xxx.xxx eq cmd
      access-list 101 deny ip 10.177.0.0 0.0.7.255 any
      access-list 101 deny ip 10.0.0.0 0.255.255.255 any
      access-list 101 deny ip 172.16.0.0 0.15.255.255 any
      access-list 101 deny ip 192.168.0.0 0.0.255.255 any
      access-list 101 deny ip 127.0.0.0 0.255.255.255 any
      access-list 101 deny ip host 255.255.255.255 any
      access-list 101 deny ip host 0.0.0.0 any
      access-list 101 deny ip any any log
      dialer-list 1 protocol ip permit
      no cdp run
      !
      control-plane
      !
      banner login ^CAuthorized access only!
      Disconnect IMMEDIATELY if you are not an authorized user!^C
      !
      line con 0
      login authentication local_authen
      no modem enable
      line aux 0
      login authentication local_authen
      line vty 0 4
      authorization exec local_author
      login authentication local_authen
      transport input telnet ssh
      !
      scheduler max-task-time 5000
      scheduler allocate 4000 1000
      scheduler interval 500
      end

      ADSL_Router#



      • #4
        Re: Cisco Firewall on 877 router

        You should use extended access-lists including the protocol.
        Just type the following to see more options:
        access-list 101 permit tcp any host 82.70.xxx.xxx ?

        For example (you don't need UDP to the web server):
        NO access-list 101 remark Access to Webmail Server (UDP)
        NO access-list 101 permit udp any host 82.70.xxx.xxx

        access-list 101 remark Access to Webmail Server (TCP)
        access-list 101 permit tcp any host 82.70.xxx.xxx eq 80
        access-list 101 permit tcp any host 82.70.xxx.xxx eq 443
        Marcel

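The point of post #4 is that a permit line with no port qualifier exposes every port of the host. As an added example (not code from the thread), the script below parses numbered extended ACL lines in the style of the posted access-list 101, flags the TCP/UDP permits that match all destination ports, and emits the per-port replacement lines. The sample ACL is constructed: it mirrors a few of the posted entries, with the redacted 82.70.xxx.xxx hosts replaced by documentation addresses in 192.0.2.0/24; the function and class names are my own.

```python
"""Audit a Cisco IOS numbered extended ACL for permits that open every port.

Added example for this thread, not code from the original posts. The sample
ACL is a constructed subset of the posted config: the redacted 82.70.xxx.xxx
octets are replaced with documentation addresses in 192.0.2.0/24.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the posted access-list 101 (placeholder hosts).
SAMPLE_ACL = """\
access-list 101 remark Access to Webmail Server (UDP)
access-list 101 permit udp any host 192.0.2.12
access-list 101 remark Access to Webmail Server (TCP)
access-list 101 permit tcp any host 192.0.2.12
access-list 101 permit udp host 212.23.6.100 eq domain host 192.0.2.13
access-list 101 permit icmp any host 192.0.2.10 echo-reply
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny tcp any host 192.0.2.10 eq 22
access-list 101 deny ip any any log
"""


@dataclass
class Ace:
    num: str
    action: str
    proto: str
    src: str                       # "any", a single host, or "net wildcard"
    sport: Optional[str]
    dst: str
    dport: Optional[str]
    log: bool
    remark: Optional[str] = None   # remark line immediately preceding this ACE


def _addr(tok, i):
    """Consume one address spec: 'any' | 'host X' | 'X WILDCARD'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2


def _port(tok, i):
    """Consume an optional 'eq PORT' qualifier."""
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def parse_acl(text):
    """Parse numbered extended ACL lines; a remark is attached to the next ACE."""
    aces, remark = [], None
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        n = int(tok[1])
        if not (100 <= n <= 199 or 2000 <= n <= 2699):
            continue                      # only numbered extended ACLs
        if tok[2] == "remark":
            remark = " ".join(tok[3:])
            continue
        num, action, proto, i = tok[1], tok[2], tok[3], 4
        src, i = _addr(tok, i)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        aces.append(Ace(num, action, proto, src, sport, dst, dport,
                        "log" in tok[i:], remark))
        remark = None
    return aces


def audit(text):
    """Return the TCP/UDP permits that match every destination port."""
    return [a for a in parse_acl(text)
            if a.action == "permit" and a.proto in ("tcp", "udp") and a.dport is None]


def _fmt(addr):
    return addr if addr == "any" or " " in addr else f"host {addr}"


def tighten(ace, ports):
    """Replacement lines restricting an all-port permit to the given TCP ports
    (the per-port form post #4 recommends for the web server)."""
    return [f"access-list {ace.num} permit tcp {_fmt(ace.src)} {_fmt(ace.dst)} eq {p}"
            for p in ports]


if __name__ == "__main__":
    for a in audit(SAMPLE_ACL):
        label = a.remark or "(no remark)"
        print(f"{label}: {a.proto} {_fmt(a.src)} -> {_fmt(a.dst)} matches all ports")
    webmail = [a for a in audit(SAMPLE_ACL) if a.proto == "tcp"][0]
    print("\n".join(tighten(webmail, (80, 443))))
```

Run against the sample, the audit reports three lines: the two webmail permits (UDP and TCP, every port) and the DNS entry, which matches only on the source port and therefore also reaches every destination port of that host. The `tighten` output is the pair of `eq 80` / `eq 443` lines from post #4, ready to paste in place of the all-port permit.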


        • #5
          Re: Cisco Firewall on 877 router

          Thanks for this info, I had kinda worked this out, but as I have said many times, this is my first Cisco outing.

          I have a problem: when I open only specific ports, my Outlook Web Access doesn't work; if I open the whole server (without specifying protocols), it works.

          The same goes for my messaging gateway.

          Anyway, many thanks for the help. I'll keep struggling on; I always get there in the end. It's obviously something I'm doing (or not doing).

          As a complete aside, do any of you "qualified" Cisco people have any recommended reading material that would introduce a newbie, and start on the dreaded path towards CCNA?

          Many Many Thanks

          Ian



          • #6
            Re: Cisco Firewall on 877 router

            Do you still have problems, or did you fix it?


            About the study:
            Buy the Cisco Press books and take advantage of the practice on the CCNA prepcenter site.
            I've used them to pass my CCNA.

            You can take 2 exams, the Intro and the ICND.
            You can also take both exams at once, which I did.
            Marcel
