date 2016-09-26

A few things:



1) Your ip inspect rule on Fe0 needs to be changed. If you allow inspect tcp/udp inbound, that pretty much means any inbound traffic is going to be accepted in. The inspect rule should be "out" instead of "in".



2) You are going to want to change no ip domain lookup to ip domain lookup. Without this, you are not going to be able to go to any website by name, i.e. Amazon.com. (EDIT: if you have the router running as a DNS server.)



3) The ACL 10 deny any has no effect on rules 100 and 101. It is top down, but only within that particular ACL.



4) ACL 101 is also a big open hole. It essentially is going to allow anything inbound. If you want to stop unwanted traffic coming in, I have sanitized a bit of my router running on the edge for home use. The DHCP from my modem I made specific, since my ISP seems to allow some RFC1918 addresses to float on the public network.



5) If you are ever curious whether something is getting blocked, put log at the end of the ACL command. That way, when you check the log, you can see if the traffic is being allowed or blocked, so you can change it to function properly.



6) If you want to have a rule that is an inbound rule on your VLAN, then it needs to include something along the lines of



access-list 100 permit udp any eq bootpc any eq bootps



That way, any computer that does not have an IP address and is trying to get one will get one.

Otherwise, you can take the inbound rule off VLAN1 and I bet you it would work without issues.





ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT dns
! dns inspection is needed for domain lookup
ip inspect name FWOUT http
ip inspect name FWOUT https
ip inspect name FWOUT time
ip inspect name FWOUT icmp
ip inspect name FWOUT echo
ip inspect name FWOUT isakmp
!
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.205.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description TWC Connection
 ip address dhcp
 ! access-group 103 in allows only what is permitted in ACL 103 below
 ip access-group 103 in
 ip nat outside
 ip inspect FWOUT out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
access-list 103 deny icmp any any redirect
access-list 103 deny ip 0.0.0.0 0.255.255.255 any log
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny ip 127.0.0.0 0.255.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 224.0.0.0 15.255.255.255 any log
access-list 103 deny ip host 255.255.255.255 any log
access-list 103 permit udp any any eq ntp
access-list 103 permit esp host 63.96.X.X any
access-list 103 permit ahp host 63.96.X.X any
access-list 103 permit udp host 63.96.X.X any eq isakmp log
access-list 103 permit udp host 63.96.X.X eq isakmp any eq isakmp log
access-list 103 permit tcp host 63.96.X.X eq 500 any eq 500 log
! the next two lines are DHCP from the modem
access-list 103 permit udp 70.122.240.0 0.0.15.255 any eq bootps log
access-list 103 permit udp 70.122.240.0 0.0.15.255 any eq bootpc log
access-list 103 permit udp any eq domain any
access-list 103 permit icmp any any echo-reply
access-list 103 permit tcp host 63.96.X.X any eq 9922
access-list 103 deny ip any any log
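To make the top-down, first-match behaviour from points 3 and 5 concrete, here is an added Python model of the ACL 103 shown above. It is example code written for this page, not part of the original post, and it simplifies: the destination address is "any" on every line so it is not modelled, ICMP types are not modelled, and the IPsec lines with the sanitized 63.96.X.X host are left out.

```python
import ipaddress

# Constructed from ACL 103 above, as tuples of
# (action, proto, src_net, src_wildcard, src_port, dst_port, log).
# "any" is 0.0.0.0 / 255.255.255.255, "host X" is X / 0.0.0.0.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_103 = [
    ("deny",   "ip",   "0.0.0.0",         "0.255.255.255",  None, None, True),
    ("deny",   "ip",   "10.0.0.0",        "0.255.255.255",  None, None, True),
    ("deny",   "ip",   "127.0.0.0",       "0.255.255.255",  None, None, True),
    ("deny",   "ip",   "172.16.0.0",      "0.15.255.255",   None, None, True),
    ("deny",   "ip",   "224.0.0.0",       "15.255.255.255", None, None, True),
    ("deny",   "ip",   "255.255.255.255", "0.0.0.0",        None, None, True),
    ("permit", "udp",  *ANY,                                None, 123,  False),  # any eq ntp
    ("permit", "udp",  "70.122.240.0",    "0.0.15.255",     None, 67,   True),   # eq bootps
    ("permit", "udp",  "70.122.240.0",    "0.0.15.255",     None, 68,   True),   # eq bootpc
    ("permit", "udp",  *ANY,                                53,   None, False),  # eq domain any
    ("permit", "icmp", *ANY,                                None, None, False),  # echo-reply
    ("deny",   "ip",   *ANY,                                None, None, True),   # explicit, logged
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask means that bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, proto, src, sport=None, dport=None):
    """Walk the ACL top down; the first matching line decides.

    Returns (line_index, action, logged). If nothing matches, the implicit
    deny at the end of every Cisco ACL applies, and it is never logged,
    which is why the config ends with an explicit 'deny ip any any log'.
    """
    for i, (action, p, net, wild, sp, dp, log) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if not wildcard_match(src, net, wild):
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return i, action, log
    return None, "deny", False
```

Running `evaluate(ACL_103, "udp", "10.1.2.3", 50000, 123)` shows the RFC1918 deny on line 1 winning over the later NTP permit, and dropping the last line shows the unlogged implicit deny.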