Question on cisco 837 firewall

Been playing with the 837, and have pretty much got it doing nearly all I need it to do. The only thing that's bothering me is the firewall. My current config is (router IP is 192.168.0.1, internal network is 192.168.0.0/255.255.255.0):

Code:
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.2 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.2 443 interface Dialer1 443
!
!
ip access-list extended INTERNET-IN
 permit tcp any host 192.168.0.2 eq www
 permit tcp any host 192.168.0.2 eq 443
 deny   ip any any log
 deny   ip 192.0.0.0 0.0.0.15 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   tcp any range 0 65535 any range 0 65535 log
 deny   udp any range 0 65535 any range 0 65535 log
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit

I'm guessing that INTERNET-IN won't start to affect what's going on until I add it to the dialer? Currently I don't think there's an access list on the dialer. If I add what's above, it starts to do weird things, and the internet breaks, so I essentially need to start from scratch. I'm forwarding ports 80 and 443 to 192.168.0.2, and whilst 443 is forwarding fine, port 80 doesn't seem to be.

So, any general tips and guidelines on how to put together a good set of firewall rules, and also solve my non-forwarding port 80 problem?

Thanks :)
 
NAT (PAT technically) config looks fine - can you advise if it works when you add all but the ACL? If not, can you post up entire config (Remove password, etc).

As for the ACL, remember they are sequential, so permit everything you want; then there is an explicit "deny ip any any" at the end, so all you need is:

ip access-list extended INTERNET-IN
permit tcp any host 192.168.0.2 eq www
permit tcp any host 192.168.0.2 eq 443

Add:

deny ip any any log

If you want the logging, but the ACL always ends with a (hidden) "deny ip any any". You also need to permit "established" traffic with "permit tcp any any established", otherwise your outgoing traffic won't be allowed back in.

I think you may need to change your ACL so that you are using a real-ip rather than your private IP but I've never used an ACL on an int doing NAT so I am not 100% sure how it should be.

permit tcp any host <ip of dialer 1> eq www
permit tcp any host <IP of dialer1> eq 443
 
Entire config:
Code:
Current configuration : 5753 bytes
!
! Last configuration change at 13:51:10 BST Thu Feb 2 2006 by growse
! NVRAM config last updated at 13:19:04 BST Thu Feb 2 2006 by growse
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname nosey
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
no logging buffered
enable secret 5 *****************
!
username growse password 7 **************
username CRWS_Gayatri privilege 15 password 7 **************
username CRWS_Ritesh privilege 15 password 7 **************
username CRWS_Bijoy privilege 15 password 7 **************
username CRWS_dheeraj privilege 15 password 7 **************
clock timezone BST 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
aaa new-model
!
!
aaa authentication login userauthenticate local
aaa authorization network groupauthorise local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 192.168.0.2
ip dhcp excluded-address 192.168.0.3
!
ip dhcp pool CLIENT
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   domain-name mrmen.home
   dns-server 192.168.0.2
   lease 0 2
!
!
ip inspect max-incomplete low 10
ip inspect max-incomplete high 20
ip inspect one-minute low 10
ip inspect one-minute high 20
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name INTERNET-OUT tcp alert on audit-trail on
ip inspect name INTERNET-OUT udp alert on audit-trail on
ip inspect name INTERNET-OUT smtp alert on audit-trail on
ip inspect name INTERNET-OUT http alert on audit-trail on
ip inspect name INTERNET-OUT fragment maximum 2 timeout 1
ip inspect name INTERNET-IN tcp alert on audit-trail on
ip inspect name INTERNET-IN udp alert on audit-trail on
ip inspect name INTERNET-IN smtp alert on audit-trail on
ip inspect name INTERNET-IN http alert on audit-trail on
ip inspect name INTERNET-IN fragment maximum 2 timeout 1
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group growse
 key **********
 dns 192.168.0.1
 domain mrmen.home
 pool ippool
!
!
crypto ipsec transform-set ts-mrmen esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ts-mrmen
!
!
crypto map clientmap client authentication list userauthenticate
crypto map clientmap isakmp authorization list groupauthorise
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.0.1-255.255.255.0
 ip address 192.168.0.1 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip inspect INTERNET-IN in
 ip inspect INTERNET-OUT out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname **************
 ppp chap password 7 ********************
 ppp pap sent-username *********** password 7 ***********
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map clientmap
 hold-queue 224 in
!
ip local pool ippool 192.168.0.100 192.168.0.110
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
ip dns server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.2 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.2 443 interface Dialer1 443
!
!
ip access-list extended INTERNET-IN
 permit tcp any host 192.168.0.2 eq www
 permit tcp any host 192.168.0.2 eq 443
 deny   ip any any log
 deny   ip 192.0.0.0 0.0.0.15 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   tcp any range 0 65535 any range 0 65535 log
 deny   udp any range 0 65535 any range 0 65535 log
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

My only problem is what will happen to normal internet traffic to the 192.168.0.0/24 subnet if I just have two permit lines and a deny all in the extended acl? Surely that'll be blocked?

*edit*:

If I have something like:

Code:
ip access-list extended INTERNET-IN
 permit tcp any host 192.168.0.2 eq www
 permit tcp any host 192.168.0.2 eq 443
 permit udp any any eq domain
 permit tcp any any established
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit

Would that work well? (just tried it, blocks everything)
 
Does the config work OK without the firewall? If so, your new ACL should work, but I don't know anything about the IOS firewall feature set (which is what you're using), so I haven't a clue about all that "ip inspect" stuff.
 
Yup, everything is behaving properly (except the VPN - haven't even begun to think about testing that) on the inside with and without the ACL. Doing a simple port scan without shows 80, 443 and 53 open, but everything else closed. However, with the ACL in place, everything is coming up stealthed, whereas it should be everything stealthed except 53, 80 and 443. Oddness.

Not sure what the ip inspect thing does either. Think it's the stateful part of the firewall - will get rid of everything that isn't www and see what happens.
 
Also, that seems to kill dns lookups from inside the network and the router, as well as pings - odd.
 
growse said:
Yup, everything is behaving properly (except the VPN - haven't even begun to think about testing that) on the inside with and without the ACL. Doing a simple port scan without shows 80, 443 and 53 open, but everything else closed. However, with the ACL in place, everything is coming up stealthed, whereas it should be everything stealthed except 53, 80 and 443. Oddness.

Not sure what the ip inspect thing does either. Think it's the stateful part of the firewall - will get rid of everything that isn't www and see what happens.


Correct. IP Inspect adds state information to the router. You would then be able to get rid of the permit entries for the http and ssl stuff IIRC.
CRWS is a config butcher, as is SDM. They often work, but looking at the config afterwards reveals what they have done... made a mess ;)
Also:

"ip inspect INTERNET-IN in"

Needs to be removed from the dialer. I only have this configured for outbound. Then add your "ip access-group INTERNET-IN in" to the dialer and see if it works.

If not, try changing
"permit tcp any host 192.168.0.2 eq www
permit tcp any host 192.168.0.2 eq 443"

to

"permit tcp any any eq www
permit tcp any any eq 443"

I have seen a glitch where this is necessary instead of being able to specify an individual host. Of course, bear in mind that this will temporarily open up additional hosts to this kind of traffic, although you won't have a translation to anything else.
 
"My only problem is what will happen to normal internet traffic to the 192.168.0.0/24 subnet if I just have two permit lines and a deny all in the extended acl? Surely that'll be blocked?"


With IP Inspect working properly, you won't need to permit return traffic through the router. Any traffic established by a host on the "inside" of your router will have its traffic returned. One notable exception to this is ICMP, which is stateless in nature. This often catches people out, but you need to allow two-way access through firewalls for this to happen. In your case just add "permit icmp 192.168.0.0 0.0.0.255 any echo-reply" and that should clear up the ping stuff.
 
Rich said:
In your case just add "permit icmp 192.168.0.0 0.0.0.255 any echo-reply" and that should clear up the Ping stuff.

Good point about ICMP, forgot to mention it. I'd also suggest simply allowing ICMP altogether not just echo as there are lots of important features in ICMP.
 
Right, finally got it working. I removed all the ip inspect lines, and just have:
Code:
ip access-list extended INTERNET-IN
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any established
 permit udp any any eq domain
 permit icmp 192.168.0.0 0.0.0.255 any echo
 permit icmp 192.168.0.0 0.0.0.255 any echo-reply
 deny   ip any any log

Pings aren't working yet, and I'd like ip inspect to work, but I'll get round to that.
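As an added example (not code from the thread or from Cisco), here is a small Python model of IOS extended-ACL first-match evaluation, run over the first ACL posted in the thread and the one it settled on. It assumes a constructed placeholder public address for Dialer1 and documentation addresses for the outside hosts; what it shows is that an inbound ACL on the NAT outside interface is evaluated before translation, so the destination it matches is the public address rather than 192.168.0.2, which is why "host 192.168.0.2" never matched and "any" did.

```python
import ipaddress
# Added example (not from the thread): a model of IOS extended-ACL first-match
# evaluation. PUBLIC_IP is a constructed placeholder for the negotiated Dialer1
# address; the outside hosts are documentation addresses.
PUBLIC_IP = "203.0.113.10"
ANY = ("0.0.0.0", "255.255.255.255")
INSIDE_HOST = ("192.168.0.2", "0.0.0.0")      # 'host 192.168.0.2'

def wildcard_match(addr, net_wc):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr,) + net_wc)
    return (a & ~w) == (n & ~w)

def ace(action, proto, src, dst, dport=None, established=False):
    return (action, proto, src, dst, dport, established)

def evaluate(acl, proto, src, dst, dport=0, ack=False):
    """Action of the first matching ACE, else the hidden 'deny ip any any'."""
    for action, a_proto, a_src, a_dst, a_dport, established in acl:
        if (a_proto in ("ip", proto)
                and wildcard_match(src, a_src) and wildcard_match(dst, a_dst)
                and (a_dport is None or dport == a_dport)
                and (not established or ack)):   # 'established' needs ACK/RST
            return action
    return "deny"

# First ACL posted in the thread. An inbound ACL on Dialer1 is checked before
# outside-to-inside NAT, so the destination it sees is PUBLIC_IP, never
# 192.168.0.2; and 'deny ip any any' makes every later deny line unreachable.
ORIGINAL = [ace("permit", "tcp", ANY, INSIDE_HOST, dport=80),
            ace("permit", "tcp", ANY, INSIDE_HOST, dport=443),
            ace("deny", "ip", ANY, ANY)]
# The ACL the thread settled on, minus its ICMP lines.
FINAL = [ace("permit", "tcp", ANY, ANY, dport=80),
         ace("permit", "tcp", ANY, ANY, dport=443),
         ace("permit", "tcp", ANY, ANY, established=True),
         ace("permit", "udp", ANY, ANY, dport=53),
         ace("deny", "ip", ANY, ANY)]

# Constructed inbound packets on Dialer1: a new HTTP connection, the reply half
# of an inside host's HTTPS session, and a DNS reply (src 53, ephemeral dst).
CASES = {"new_http":    ("tcp", "198.51.100.7", PUBLIC_IP, 80, False),
         "https_reply": ("tcp", "198.51.100.7", PUBLIC_IP, 50123, True),
         "dns_reply":   ("udp", "198.51.100.53", PUBLIC_IP, 50124, False)}

def decisions():
    return {k: (evaluate(ORIGINAL, *p), evaluate(FINAL, *p)) for k, p in CASES.items()}
```

The dns_reply case also shows that "permit udp any any eq domain" admits inbound queries to port 53 rather than letting replies back to inside resolvers, which is the gap stateful inspection (ip inspect) is meant to close.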
 
oops :D

permit icmp any 192.168.0.0 0.0.0.255 echo-reply

Is the one I should have put in, I think, but now I can't think straight :p


Either way, I just tested it and as long as you have ICMP as part of your inspect policy you won't need any access list entries to allow ICMP from your inside net to the outside and back. Learn something new every day :D

The IP Inspect should work for you, but like I said in the last post it's probably best to just do it one way. It's actually quite rare that it is done in both directions, especially for a home router.
 