Simple Firewall Setup in 877 Router

  • Simple Firewall Setup in 877 Router

    Hi, is there anyone who knows how to set up the basic and simple firewall feature in the Cisco 877 ADSL router?

    I am asked by my company to set up the basic firewall in the router as they do not want to incur any additional cost to get another ASA 5505 firewall. Basic firewall rules will be to allow all LAN clients to access the Internet and to restrict external access to the LAN except for the default applications such as POP, SMTP, FTP, HTTP etc.

  • #2
    Re: Simple Firewall Setup in 877 Router

    Hi, you can do a Zone-Based Firewall if your IOS is 12.4(15) or above.
    You can learn more here:
    http://www.cisco.com/en/US/products/...808bc994.shtml

    Here is a simple example of a config file:
    !
    ! Class-maps: what traffic each policy can match
    !
    class-map type inspect match-any vlan1-int-class
     match protocol http
     match protocol https
     match protocol dns
     match protocol smtp
     match protocol pop3
     match protocol icmp
    !
    class-map type inspect match-any L4-int-self-class
     match protocol tcp
     match protocol udp
     match protocol icmp
    class-map type inspect match-all int-self-class
     match class-map L4-int-self-class
     match access-group 100
    !
    ! Policy-maps: the action taken for each class (unmatched traffic hits class-default)
    !
    policy-map type inspect int-vlan1-policy
     class class-default
      drop log
    !
    policy-map type inspect vlan1-int-policy
     class type inspect vlan1-int-class
      inspect
     class class-default
      drop log
    !
    policy-map type inspect int-self-policy
     class type inspect int-self-class
      inspect
     class class-default
      drop log
    !
    ! Zones and zone-pairs: which policy applies in each direction
    !
    zone security vlan1
    zone security internet
    !
    zone-pair security internet-self source internet destination self
     service-policy type inspect int-self-policy
    zone-pair security vlan1-internet source vlan1 destination internet
     service-policy type inspect vlan1-int-policy
    zone-pair security internet-vlan1 source internet destination vlan1
     service-policy type inspect int-vlan1-policy
    !
    ! Interface zone membership
    !
    interface FastEthernet4
     zone-member security internet
    !
    interface Vlan1
     zone-member security vlan1
    !
    ! ACL referenced by int-self-class: what the Internet may send to the router itself
    !
    access-list 100 permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
    access-list 100 permit icmp any host x.x.x.x echo-reply
    access-list 100 permit icmp any host x.x.x.x time-exceeded
    access-list 100 permit icmp any host x.x.x.x unreachable
    access-list 100 deny ip any any
    !
    end

    In access-list 100 you can make exceptions for what can access your router interfaces, for example to allow ping from the remote side.

    Good Luck!
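To see how the zone-pairs, policy-maps and class-maps in a config like the one above decide what happens to a flow, here is an added example (not code from the thread or from Cisco) that parses a constructed ZBF excerpt and applies the ZBF rules: no zone-pair means default deny, except that same-zone and self-zone traffic is allowed, and unmatched traffic falls to class-default. It assumes only match-any protocol class-maps and ignores interfaces and ACLs.

```python
import re
# Constructed excerpt in the shape of the thread's config (not the poster's file).
SAMPLE_CONFIG = """\
class-map type inspect match-any vlan1-int-class
 match protocol http
policy-map type inspect vlan1-int-policy
 class type inspect vlan1-int-class
  inspect
 class class-default
  drop log
policy-map type inspect int-vlan1-policy
 class class-default
  drop log
zone security vlan1
zone security internet
zone-pair security vlan1-internet source vlan1 destination internet
 service-policy type inspect vlan1-int-policy
zone-pair security internet-vlan1 source internet destination vlan1
 service-policy type inspect int-vlan1-policy
"""

def parse(config):
    """Collect match-any class-maps (protocol sets), policy-maps (ordered class/action) and zone-pairs."""
    cmaps, pmaps, pairs, cur = {}, {}, {}, None
    for s in (line.strip() for line in config.splitlines()):
        if m := re.match(r"class-map type inspect match-any (\S+)", s):
            cur = cmaps.setdefault(m[1], set())
        elif m := re.match(r"policy-map type inspect (\S+)", s):
            cur = pmaps.setdefault(m[1], [])
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", s):
            cur = pairs.setdefault((m[1], m[2]), [])
        elif m := re.match(r"match protocol (\S+)", s):
            cur.add(m[1])
        elif m := re.match(r"class (?:type inspect )?(\S+)", s):
            cur.append([m[1], None])            # action filled in by the next indented line
        elif s and s.split()[0] in ("inspect", "pass", "drop"):
            cur[-1][1] = s.split()[0]           # 'drop log' counts as drop
        elif m := re.match(r"service-policy type inspect (\S+)", s):
            cur.append(m[1])
    return cmaps, pmaps, pairs
def decide(config, src_zone, dst_zone, protocol):
    """Return the ZBF action ('inspect', 'pass' or 'drop') for one flow between two zones."""
    cmaps, pmaps, pairs = parse(config)
    pair = pairs.get((src_zone, dst_zone))
    if pair is None:  # no zone-pair: same-zone and self traffic is allowed, everything else is denied
        return "pass" if src_zone == dst_zone or "self" in (src_zone, dst_zone) else "drop"
    for cls, action in pmaps[pair[0]]:
        if cls == "class-default" or protocol in cmaps.get(cls, ()):
            return action or "drop"             # class-default without an action is an implicit drop
    return "drop"
```

Running decide() for internet to vlan1 shows every protocol dropped, which is the "restrict external access to the LAN" half of the original question; LAN-initiated http is inspected and its return traffic is then permitted statefully.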
