  • Cisco 877 Zone-Based Firewall - is this right?

    Hi all,

    I've made an attempt at configuring a zone-based firewall on my Cisco 877 12.24(T)2. Prior to today all was working really well, but I wanted to try to improve security as I'm webhosting and mailhosting.

    I've added some rules to my config, and I don't seem to have broken anything, but I don't know if my new ZBF rules are actually doing anything. Is there an easy way for me to test them?

    My config is below, and the newly-added lines are in bold. Please could somebody take a look and see if my new lines are actually doing anything?

    Many thanks,


    Jim

    Code:
    !
    ! Last configuration change at 10:39:37 GMT Mon Oct 11 2010 by root
    ! NVRAM config last updated at 10:06:34 GMT Mon Oct 11 2010 by root
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    service internal
    !
    hostname Cisco877
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 16386
    logging rate-limit 100 except warnings
    no logging console
    no logging monitor
    enable secret 5 xxx
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default local
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time GMT recurring
    !
    !
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    no ip cef
    ip domain name xxx.local
    ip inspect log drop-pkt
    ip inspect name firewall tcp timeout 3600
    ip inspect name firewall udp timeout 3600
    login block-for 180 attempts 3 within 180
    login on-failure log
    login on-success log
    no ipv6 cef
    ntp server ip time-a.nist.gov
    !
    multilink bundle-name authenticated
    !
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    parameter-map type inspect pmap-audit
     audit-trail on
    !
    !
    object-group network L1_Allow_NTP 
     description Allow NTP from these hosts
     129.x.xx.xx 255.255.255.255
    !
    object-group network L2_Allow_SSH 
     description Allow SSH from these hosts
     192.168.1.0 255.255.255.0
    !
    username xxx password 7 xxx
    username xxx password 7 xxx
    username xxx privilege 15 secret 5 xxx
    ! 
    !
    !
    archive
     log config
      hidekeys
    !
    !
    ip ssh version 2
    !
    class-map type inspect match-any ExternallyVisibleProtocols
     description Externally-visible protocols   
     match protocol http
     match protocol https
     match protocol smtp extended
     match protocol pptp
     match protocol ftp
    class-map type inspect match-all ExternallyVisibleServices
     description Externally-visible protocols headed to LAN   
     match class-map ExternallyVisibleProtocols
    !
    !
    policy-map type inspect OutsideToInside
     description Internet to LAN (server)   
     class type inspect ExternallyVisibleServices
      inspect pmap-audit
     class class-default
      drop log
    !
    zone security Inside
    zone security Outside
    !
    !
    zone-pair security OutsideToInside source Outside destination Inside
     service-policy type inspect OutsideToInside
    !
    interface ATM0
     description ADSL Connection
     no ip address
     zone-member security Outside
     no atm ilmi-keepalive
     pvc 0/38 
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl enable-training-log 
     dsl bitswap both
     hold-queue 200 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Virtual-Template1
     ip unnumbered Vlan1
     ip nat inside
     ip virtual-reassembly
     zone-member security Inside
     peer default ip address pool VPNPOOL
     no keepalive
     ppp encrypt mppe auto required
     ppp authentication ms-chap-v2
    !
    interface Vlan1
     description LAN
     ip address 192.168.0.254 255.255.255.0 secondary
     ip address 192.168.19.254 255.255.255.0 secondary
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip nat enable
     ip virtual-reassembly
     ip tcp adjust-mss 1452
     hold-queue 100 in
     hold-queue 100 out
    !
    interface Dialer0
     bandwidth inherit
     ip address negotiated
     ip access-group EXT-IN in
     ip access-group EXT-OUT out
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression iphc-format
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication pap chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 xxx
     ppp ipcp dns request
     ppp ipcp wins request
     ip rtp header-compression iphc-format
    !
    ip local pool VPNPOOL 192.168.1.251 192.168.1.253
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    !
    !
    ip dns server
    no ip nat service sip udp port 5060
    ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
    ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
    ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
    ip nat inside source static tcp 192.168.1.20 3389 interface Dialer0 3389
    ip nat inside source list NAT-RANGES interface Dialer0 overload
    !
    ip access-list standard Allowed_SNMP
     permit 192.168.1.0 0.0.0.255
     deny   any
    ip access-list standard NAT-RANGES
     remark Define NAT internal ranges
     permit 192.168.1.0 0.0.0.255
    !
    ip access-list extended EXT-IN
     remark Inbound external interface
     remark The below set the rfc1918 private exclusions
     deny   ip 192.168.0.0 0.0.255.255 any
     deny   ip 10.0.0.0 0.255.255.255 any
     remark Allow established sessions back in
     permit tcp any any established
     remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
     permit tcp any any eq smtp
     permit tcp any any eq www
     permit udp object-group L1_Allow_NTP any eq ntp
     permit tcp object-group L2_Allow_SSH any eq 22 log
     permit tcp any any eq 443
     permit tcp any any eq 995
     permit tcp any any eq 3389
     permit tcp any any eq 1723
     permit tcp any any eq ftp
     permit tcp any any eq ftp-data
     remark Passive FTP ports matching vsftpd config
     permit tcp any any range 50000 50050
     permit gre any any
     permit udp any eq domain any
     remark Standard acceptable icmp rules
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any source-quench
     permit icmp any any packet-too-big
     permit icmp any any time-exceeded
     deny   ip any any
    ip access-list extended EXT-OUT
     remark Allow all outbound IP
     permit ip any any
    !
    ip access-list logging interval 10
    logging trap debugging
    logging facility local6
    logging 192.168.1.50
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    snmp-server community XXX RW Allowed_SNMP
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     no modem enable
     transport output all
    line aux 0
     transport output all
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     length 40
     width 160
     transport input ssh
     transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    time-range WEEKDAY
     periodic weekdays 8:00 to 18:00
    !
    end
    Last edited by jimwillsher; 11th October 2010, 11:00.
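One quick offline check before testing with live traffic: in IOS zone-based firewall, a zone-pair policy only inspects traffic that enters through an interface in the source zone and leaves through an interface in the destination zone, so the first thing to verify is which Layer 3 interfaces actually belong to each zone. The script below is an added example, not code from the original post or from Cisco: it parses an abridged excerpt of the config posted above (only the zone, zone-pair and interface lines, reproduced here as a constructed string named CONFIG) and reports interfaces that carry an IP address but sit in no zone, plus zone-pairs whose zones contain no interface with an IP address. The function names parse_interfaces, parse_zone_pairs and audit_zones are this example's own. On the posted config it flags Vlan1 and Dialer0 as zone-less, and flags the Outside zone because its only member, ATM0, has no IP address (the IP address is on Dialer0), which is why the OutsideToInside policy is not seeing the inbound server traffic.

```python
import re
from typing import Dict, List, Optional

# Abridged excerpt of the running-config posted in the thread (constructed string
# for this example; only the lines the check needs are kept).
CONFIG = """\
zone security Inside
zone security Outside
!
zone-pair security OutsideToInside source Outside destination Inside
 service-policy type inspect OutsideToInside
!
interface ATM0
 no ip address
 zone-member security Outside
!
interface Virtual-Template1
 ip unnumbered Vlan1
 zone-member security Inside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
"""


def parse_interfaces(config: str) -> Dict[str, Dict[str, Optional[object]]]:
    """Return {interface: {"l3": bool, "zone": str|None}} from IOS config text.

    An interface counts as Layer 3 when it has an 'ip address' or
    'ip unnumbered' line; 'no ip address' does not match either prefix.
    """
    interfaces: Dict[str, Dict[str, Optional[object]]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"l3": False, "zone": None}
        elif current and line.startswith(" "):
            cmd = line.strip()
            if cmd.startswith("ip address ") or cmd.startswith("ip unnumbered "):
                interfaces[current]["l3"] = True
            m = re.match(r"zone-member security (\S+)", cmd)
            if m:
                interfaces[current]["zone"] = m.group(1)
        else:
            current = None  # '!' or any top-level command ends the block
    return interfaces


def parse_zone_pairs(config: str) -> List[Dict[str, str]]:
    """Return the zone-pairs as {"name", "source", "destination"} dicts."""
    pattern = r"^zone-pair security (\S+) source (\S+) destination (\S+)"
    return [
        {"name": m.group(1), "source": m.group(2), "destination": m.group(3)}
        for m in re.finditer(pattern, config, re.MULTILINE)
    ]


def audit_zones(config: str) -> List[str]:
    """Report configuration gaps that leave a ZBF policy with nothing to inspect."""
    ifaces = parse_interfaces(config)
    findings: List[str] = []

    # 1. Layer 3 interfaces in no zone: their traffic never reaches a zone-pair policy.
    for name, info in ifaces.items():
        if info["l3"] and info["zone"] is None:
            findings.append(f"{name}: carries IP traffic but is not in any security zone")

    # 2. Zone-pairs whose source or destination zone has no Layer 3 member.
    l3_members: Dict[str, List[str]] = {}
    for name, info in ifaces.items():
        if info["zone"]:
            l3_members.setdefault(str(info["zone"]), [])
            if info["l3"]:
                l3_members[str(info["zone"])].append(name)
    for pair in parse_zone_pairs(config):
        for role in ("source", "destination"):
            zone = pair[role]
            if not l3_members.get(zone):
                findings.append(
                    f"zone-pair {pair['name']}: {role} zone {zone} has no "
                    f"member interface with an IP address"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_zones(CONFIG):
        print(finding)
```

To run it against a full config, replace CONFIG with the output of `show running-config` saved to a file; the parser only looks at `interface`, `ip address`, `ip unnumbered`, `zone-member security` and `zone-pair security` lines, so the rest of the config is ignored. Once the zone membership is right, `show policy-map type inspect zone-pair sessions` on the router is the way to confirm that sessions are actually being inspected.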