Cisco 857w Firewall Config

Soldato, joined 18 Oct 2002, 17,889 posts, Cambridge
Had my new router a while now, so I thought I'd best get it properly configured. How is this for a basic firewall config?

Code:
no acc 101

! allow any established
acc 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established

! Torrents
acc 101 permit tcp 0.0.0.0 255.255.255.255 host 10.10.10.1 eq 55896

! PES6
acc 101 permit tcp 0.0.0.0 255.255.255.255 host 10.10.10.1 eq 5739


! all other access
acc 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

int atm0
ip access 101 in
no ip source-route

Also, what's the best way to get my torrent and PES ports forwarded?
 
I suggest you use an extended name list since you can edit individual lines in the CLI. Destination will be your Internet address - if it's fixed then you would use "host X.X.X.X" otherwise a dynamic address would be "any". So something like:

ip access-list extended WAN-IN
remark Torrent uses TCP and UDP
permit tcp any any eq 55896
permit udp any any eq 55896

remark PES6
permit tcp any any eq 5739

remark Log other
deny ip any any log


I also suggest you use CBAC; this will take care of allowing the incoming traffic belonging to outgoing connections.

ip inspect name WAN-OUT ftp
ip inspect name WAN-OUT pop3
ip inspect name WAN-OUT realaudio
ip inspect name WAN-OUT rtsp
ip inspect name WAN-OUT sip
ip inspect name WAN-OUT smtp
ip inspect name WAN-OUT ntp
ip inspect name WAN-OUT dns
ip inspect name WAN-OUT icmp router-traffic
ip inspect name WAN-OUT tcp router-traffic
ip inspect name WAN-OUT udp router-traffic

There's loads of other services, select the ones you need.

These are applied on the dialer interface, so you'll have something like:

interface ATM0.1 point-to-point
description BT_ADSL
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1

interface Dialer0
description MY_ADSL
ip address negotiated
ip access-group WAN-IN in
ip inspect WAN-OUT out
dialer pool 1


Port forwarding to your PC address, which has to be fixed or reserved in your DHCP scope, is done with something similar to:

ip nat inside source static TCP 10.10.10.1 55896 interface Dialer0 55896
ip nat inside source static UDP 10.10.10.1 55896 interface Dialer0 55896

ip nat inside source static TCP 10.10.10.1 5739 interface Dialer0 5739
 
Thanks :). I'm not particularly fussed about checking outgoing, so with that in mind, if I do:

ip access-list extended WAN-IN
remark Torrent uses TCP and UDP
permit tcp host X.X.X.X eq 55896
permit udp host X.X.X.X eq 55896

remark PES6
permit tcp host X.X.X.X eq 5739

remark Log other
deny ip any any log

ip nat inside source static TCP 10.10.10.1 55896 interface Dialer0 55896
ip nat inside source static UDP 10.10.10.1 55896 interface Dialer0 55896

ip nat inside source static TCP 10.10.10.1 5739 interface Dialer0 5739

and then add "ip access-group WAN-IN in" under the "interface Dialer0" section.

Would that work OK? Does it matter where in the config I stick the firewall and NAT lines?
 
You need a source and destination (each with an address and wildcard mask) in the access list line. You had these in your original post but have missed one out in the last.
Referring to your first post, "0.0.0.0 255.255.255.255" has an all-ones wildcard mask, so nothing is significant in the address, and later IOSs allow the simpler "any" to be used.

An all-zeros wildcard mask means all bits in the address are significant. This is a single IP address and is simplified as "host <address>".

So, the first line should permit TCP connections, source "any", destination your fixed router Internet address "host X.X.X.X", to port 55896 and gives:
permit TCP any host X.X.X.X eq 55896


If you don't check outgoing, you'll need something similar to what you had in your first post: permit tcp any any established
"Established" only works with TCP, so the access list will also need to have entries to allow any return UDP, like DNS or NTP for example, and ICMP for ping and tracert responses.

This is why CBAC is easier, since it dynamically changes the access list to allow return traffic. If your IOS supports it, the "router-traffic" option will statefully inspect router-originated traffic as well.

The firewall and NAT lines are global so you can enter them mostly anywhere and the router will put them where it wants.
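As an added worked example (mine, not from the thread and not Cisco's own code), here is a small Python model covering both of the points above: wildcard-mask matching with the "any"/"host" shorthands, and why "permit tcp any any established" lets TCP replies back in but never UDP replies, which is what a CBAC-style session table fixes. The addresses are constructed documentation addresses (203.0.113.10 stands in for the router's fixed Internet address, 198.51.100.x and 192.0.2.7 for remote hosts), and the Inspector class is a simplified stand-in for "ip inspect", not the IOS implementation.

```python
# Added example, not part of the thread: a small model of IOS extended-ACL
# evaluation showing (1) wildcard-mask matching with the "any"/"host" shorthands
# and (2) why "established" only covers TCP replies, while a CBAC-style session
# table also admits UDP return traffic such as DNS. All addresses are constructed.
import ipaddress
from collections import namedtuple

# ack: TCP ACK or RST flag set, which is what "established" tests
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))
# src/dst are (base, wildcard) pairs; dport None means any port
Entry = namedtuple("Entry", "action proto src dst dport established")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def _take_addr(tok, pos):
    """Consume 'any', 'host A' or 'A WILDCARD' at tok[pos]; return (pair, next pos)."""
    if tok[pos] == "any":
        return ("0.0.0.0", "255.255.255.255"), pos + 1   # all-ones mask: nothing significant
    if tok[pos] == "host":
        return (tok[pos + 1], "0.0.0.0"), pos + 2        # all-zeros mask: every bit significant
    return (tok[pos], tok[pos + 1]), pos + 2

def parse_entry(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT] [established] [log]'."""
    tok = line.split()
    src, pos = _take_addr(tok, 2)
    dst, pos = _take_addr(tok, pos)
    dport, est = None, False
    while pos < len(tok):
        if tok[pos] == "eq":
            dport, pos = int(tok[pos + 1]), pos + 2
        elif tok[pos] == "established":
            est, pos = True, pos + 1
        elif tok[pos] == "log":
            pos += 1                  # logging does not change the match
        else:
            raise ValueError(f"unsupported token: {tok[pos]}")
    return Entry(tok[0], tok[1], src, dst, dport, est)

def entry_matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    # "established" needs ACK or RST, which only TCP carries; UDP never matches it
    return not e.established or (p.proto == "tcp" and p.ack)

def acl_verdict(acl, p):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"

class Inspector:
    """CBAC-style session table (simplified stand-in for ip inspect): outbound
    packets open sessions and their replies are admitted before the static ACL."""
    def __init__(self):
        self.sessions = set()
    def outbound(self, p):
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
    def is_return(self, p):
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions

def inbound_verdict(acl, p, insp=None):
    if insp is not None and insp.is_return(p):
        return "permit (inspect)"
    return acl_verdict(acl, p)

# Constructed WAN-IN list; 203.0.113.10 stands in for the router's fixed address
WAN_IN = [parse_entry(l) for l in (
    "permit tcp any any established",
    "permit tcp any host 203.0.113.10 eq 55896",
    "permit udp any host 203.0.113.10 eq 55896",
    "permit tcp any host 203.0.113.10 eq 5739",
    "deny ip any any log",
)]

def demo():
    """Verdicts for constructed inbound packets, with and without inspection."""
    insp = Inspector()
    insp.outbound(Packet("udp", "203.0.113.10", 40000, "198.51.100.53", 53))  # DNS query out
    insp.outbound(Packet("tcp", "203.0.113.10", 40001, "198.51.100.80", 80))  # web out
    dns_reply = Packet("udp", "198.51.100.53", 53, "203.0.113.10", 40000)
    web_reply = Packet("tcp", "198.51.100.80", 80, "203.0.113.10", 40001, ack=True)
    torrent = Packet("tcp", "192.0.2.7", 51234, "203.0.113.10", 55896)
    probe = Packet("tcp", "192.0.2.7", 51234, "203.0.113.10", 22)
    return {
        "dns_reply_acl_only": acl_verdict(WAN_IN, dns_reply),      # deny
        "dns_reply_with_cbac": inbound_verdict(WAN_IN, dns_reply, insp),
        "web_reply_acl_only": acl_verdict(WAN_IN, web_reply),      # permit
        "torrent_new_connection": acl_verdict(WAN_IN, torrent),    # permit
        "unsolicited_port_22": acl_verdict(WAN_IN, probe),         # deny
    }
```

Running demo() shows the difference in one place: the DNS reply is dropped by the static list (the UDP entry only allows the torrent port and "established" cannot apply to UDP), but is admitted once the outbound query has been recorded in the session table, while the new torrent connection and the TCP web reply pass on the static entries alone.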
 
Oh yes, thanks, not sure how I missed that out.

I'm using 12.4(9)T1, which I'm pretty sure allows the "any" command.

Didn't realise that established only does TCP; I guess I'll go with your original suggestion (what does CBAC stand for, btw?). Will I need to have an entry for HTTP in that case? I'm pretty sure I should be able to do stateful packet inspection, so I'll use those lines too.
 