Cisco 877 Zone-Based Firewall - is this right?


    Hi all,

    I've made an attempt at configuring a zone-based firewall on my Cisco 877 12.24(T)2. Prior to today all was working really well, but I wanted to try to improve security as I'm webhosting and mailhosting.

    I've added some rules to my config, and I don't seem to have broken anything, but I don't know if my new ZBF rules are actually doing anything. Is there an easy way for me to test them?

    My config is below, and the newly-added lines are in bold. Please could somebody take a look and see if my new lines are actually doing anything?

    Many thanks,


    ! Last configuration change at 10:39:37 GMT Mon Oct 11 2010 by root
    ! NVRAM config last updated at 10:06:34 GMT Mon Oct 11 2010 by root
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    service internal
    hostname Cisco877
    logging message-counter syslog
    logging buffered 16386
    logging rate-limit 100 except warnings
    no logging console
    no logging monitor
    enable secret 5 xxx
    aaa new-model
    aaa authentication login default local
    aaa authentication ppp default local
    aaa session-id common
    clock timezone GMT 0
    clock summer-time GMT recurring
    dot11 syslog
    ip source-route
    no ip cef
    ip domain name xxx.local
    ip inspect log drop-pkt
    ip inspect name firewall tcp timeout 3600
    ip inspect name firewall udp timeout 3600
    login block-for 180 attempts 3 within 180
    login on-failure log
    login on-success log
    no ipv6 cef
    ntp server ip
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group 1
    ! Default PPTP VPDN group
      protocol pptp
      virtual-template 1
    parameter-map type inspect pmap-audit
     audit-trail on
    object-group network L1_Allow_NTP 
     description Allow NTP from these hosts
    object-group network L2_Allow_SSH 
     description Allow SSH from these hosts
    username xxx password 7 xxx
    username xxx password 7 xxx
    username xxx privilege 15 secret 5 xxx
     log config
    ip ssh version 2
    class-map type inspect match-any ExternallyVisibleProtocols
     description Externally-visible protocols   
     match protocol http
     match protocol https
     match protocol smtp extended
     match protocol pptp
     match protocol ftp
    class-map type inspect match-all ExternallyVisibleServices
     description Externally-visible protocols headed to LAN   
     match class-map ExternallyVisibleProtocols
    policy-map type inspect OutsideToInside
     description Internet to LAN (server)   
     class type inspect ExternallyVisibleServices
      inspect pmap-audit
     class class-default
      drop log
    zone security Inside
    zone security Outside
    zone-pair security OutsideToInside source Outside destination Inside
     service-policy type inspect OutsideToInside
    interface ATM0
     description ADSL Connection
     no ip address
     zone-member security Outside
     no atm ilmi-keepalive
     pvc 0/38 
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     dsl enable-training-log 
     dsl bitswap both
     hold-queue 200 in
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Virtual-Template1
     ip unnumbered Vlan1
     ip nat inside
     ip virtual-reassembly
     zone-member security Inside
     peer default ip address pool VPNPOOL
     no keepalive
     ppp encrypt mppe auto required
     ppp authentication ms-chap-v2
    interface Vlan1
     description LAN
     ip address secondary
     ip address secondary
     ip address
     ip nat inside
     ip nat enable
     ip virtual-reassembly
     ip tcp adjust-mss 1452
     hold-queue 100 in
     hold-queue 100 out
    interface Dialer0
     bandwidth inherit
     ip address negotiated
     ip access-group EXT-IN in
     ip access-group EXT-OUT out
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression iphc-format
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication pap chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 xxx
     ppp ipcp dns request
     ppp ipcp wins request
     ip rtp header-compression iphc-format
    ip local pool VPNPOOL
    ip forward-protocol nd
    ip route Dialer0
    no ip http server
    no ip http secure-server
    ip dns server
    no ip nat service sip udp port 5060
    ip nat inside source static tcp 25 interface Dialer0 25
    ip nat inside source static tcp 80 interface Dialer0 80
    ip nat inside source static tcp 443 interface Dialer0 443
    ip nat inside source static tcp 995 interface Dialer0 995
    ip nat inside source static tcp 20 interface Dialer0 20
    ip nat inside source static tcp 21 interface Dialer0 21
    ip nat inside source static tcp 3389 interface Dialer0 3389
    ip nat inside source list NAT-RANGES interface Dialer0 overload
    ip access-list standard Allowed_SNMP
     deny   any
    ip access-list standard NAT-RANGES
     remark Define NAT internal ranges
    ip access-list extended EXT-IN
     remark Inbound external interface
     remark The below set the rfc1918 private exclusions
     deny   ip any
     deny   ip any
     remark Allow established sessions back in
     permit tcp any any established
     remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
     permit tcp any any eq smtp
     permit tcp any any eq www
     permit udp object-group L1_Allow_NTP any eq ntp
     permit tcp object-group L2_Allow_SSH any eq 22 log
     permit tcp any any eq 443
     permit tcp any any eq 995
     permit tcp any any eq 3389
     permit tcp any any eq 1723
     permit tcp any any eq ftp
     permit tcp any any eq ftp-data
     remark Passive FTP ports matching vsftpd config
     permit tcp any any range 50000 50050
     permit gre any any
     permit udp any eq domain any
     remark Standard acceptable icmp rules
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any source-quench
     permit icmp any any packet-too-big
     permit icmp any any time-exceeded
     deny   ip any any
    ip access-list extended EXT-OUT
     remark Allow all outbound IP
     permit ip any any
    ip access-list logging interval 10
    logging trap debugging
    logging facility local6
    dialer-list 1 protocol ip permit
    snmp-server community XXX RW Allowed_SNMP
    line con 0
     exec-timeout 0 0
     no modem enable
     transport output all
    line aux 0
     transport output all
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     length 40
     width 160
     transport input ssh
     transport output all
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    time-range WEEKDAY
     periodic weekdays 8:00 to 18:00
    Last edited by jimwillsher; 11th October 2010, 11:00.
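Whether a zone-pair ever sees traffic depends on which interfaces carry the zones: on an 877 with PPPoA the public IP and routing live on Dialer0, not ATM0, and Vlan1 is in no zone at all, so Internet-to-LAN traffic crosses two non-zone interfaces and is never inspected. The following is an added example, not the poster's configuration, showing the interface membership and the Inside-to-Outside zone-pair that becomes necessary once Vlan1 joins a zone, plus the show commands whose counters confirm the policy is matching; it assumes the zone, class-map and policy-map names from the post.

```cisco
! Added example: put the zones on the routed interfaces. ATM0 has no IP
! address; the PPP session terminates on Dialer0, so that is where
! inbound Internet traffic enters the router.
interface ATM0
 no zone-member security Outside
interface Dialer0
 zone-member security Outside
interface Vlan1
 zone-member security Inside
! Virtual-Template1 is already Inside; with Vlan1 also Inside, PPTP
! clients and the LAN are intra-zone and pass without a policy.
!
! Caveat: once Vlan1 is a zone member, LAN-initiated traffic to the
! Internet is dropped unless an Inside->Outside zone-pair exists
! (inter-zone traffic with no zone-pair is denied by default).
class-map type inspect match-any InsideToOutsideProtocols
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect InsideToOutside
 class type inspect InsideToOutsideProtocols
  inspect
 class class-default
  drop log
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
!
! Verification from enable mode: the per-class packet counters on the
! OutsideToInside zone-pair should increase while a host on the Internet
! connects to the web or mail server; class-default drops appear as
! "drop log" entries in the syslog buffer.
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair OutsideToInside
! show policy-map type inspect zone-pair OutsideToInside sessions
```

Traffic to the router itself (SSH, NTP, the PPTP control and GRE sessions) belongs to the self zone and is still permitted by default because no zone-pair to or from self is defined; the EXT-IN ACL on Dialer0 continues to filter it.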