Alright, well I just joined the ranks of the CCNAs about 2 months ago (took the 4 semesters of classes, then passed the test) and I realized that after you get to the CCNA point there is a lot they don't teach you in CCNA... you must get/have lots of real world experience and pursue other learning to find out the important stuff they don't teach you. With that said I bought this 871W router and a Router Firewall Security book from ciscopress.com and have been trying to learn how to configure my CBAC firewall and proper access lists.
Please help me by telling me what I did right and what I did wrong. Pretty much trying to follow the book and apply it to my SOHO network. Here is my config (minus the obvious passwords and public IPs). I want to make sure my stateful firewall is set up properly and my access-lists are what they should be for a SOHO border router. Thanks!
TEST#sh run
Building configuration...
Current configuration : 9592 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TEST
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret class
!
username cisco privilege 15 secret class
clock timezone EST -5
clock summer-time EST recurring
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 192.168.10.1 192.168.10.10
!
ip dhcp pool HOME_LAN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 172.100.105.31 172.100.105.32
!
!
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
ip inspect name firewall http
ip inspect name firewall icmp
!
no ip bootp server
no ip domain lookup
ip accounting-threshold 100
no ftp-server write-enable
!
bridge irb
!
interface FastEthernet0
description Connection to Vonage Router - and LAN 192.168.15.0 255.255.255.0
no ip address
no cdp enable
!
interface FastEthernet1
description Connection to Netgear Gigabit Switch, home wired LAN
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
shutdown
no cdp enable
!
interface FastEthernet3
no ip address
shutdown
no cdp enable
!
interface FastEthernet4
description WAN Connection to ISP
ip address 172.100.100.55 255.255.255.128
ip access-group ingress-filter in
ip access-group outgoing-filter out
no ip redirects
no ip unreachables
ip accounting access-violations
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 key 1 size 128bit ABCDEFGHIJKLMNOPQRSTUVWXYZ transmit-key
encryption vlan 1 mode wep mandatory
!
ssid CISCOWLAN
vlan 1
authentication open
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.10.1 255.255.255.0
ip inspect firewall in
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.100.100.1
ip route 192.168.15.0 255.255.255.0 192.168.10.3
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
!Mapping for Quake 4 server
ip nat inside source static udp 192.168.10.2 27650 172.100.100.55 27650 extendable
ip nat inside source static udp 192.168.10.2 27950 172.100.100.55 27950 extendable
ip nat inside source static udp 192.168.10.2 28004 172.100.100.55 28004 extendable
!
ip access-list extended ingress-filter
deny ip 1.0.0.0 0.255.255.255 any log
deny ip 2.0.0.0 0.255.255.255 any log
deny ip 5.0.0.0 0.255.255.255 any log
deny ip 7.0.0.0 0.255.255.255 any log
deny ip 23.0.0.0 0.255.255.255 any log
deny ip 27.0.0.0 0.255.255.255 any log
deny ip 31.0.0.0 0.255.255.255 any log
deny ip 36.0.0.0 0.255.255.255 any log
deny ip 37.0.0.0 0.255.255.255 any log
deny ip 39.0.0.0 0.255.255.255 any log
deny ip 41.0.0.0 0.255.255.255 any log
deny ip 42.0.0.0 0.255.255.255 any log
deny ip 49.0.0.0 0.255.255.255 any log
deny ip 50.0.0.0 0.255.255.255 any log
deny ip 58.0.0.0 0.255.255.255 any log
deny ip 59.0.0.0 0.255.255.255 any log
deny ip 60.0.0.0 0.255.255.255 any log
deny ip 70.0.0.0 0.255.255.255 any log
deny ip 71.0.0.0 0.255.255.255 any log
deny ip 72.0.0.0 0.255.255.255 any log
deny ip 73.0.0.0 0.255.255.255 any log
deny ip 74.0.0.0 0.255.255.255 any log
deny ip 75.0.0.0 0.255.255.255 any log
deny ip 76.0.0.0 0.255.255.255 any log
deny ip 77.0.0.0 0.255.255.255 any log
deny ip 78.0.0.0 0.255.255.255 any log
deny ip 79.0.0.0 0.255.255.255 any log
deny ip 83.0.0.0 0.255.255.255 any log
deny ip 84.0.0.0 0.255.255.255 any log
deny ip 85.0.0.0 0.255.255.255 any log
deny ip 86.0.0.0 0.255.255.255 any log
deny ip 87.0.0.0 0.255.255.255 any log
deny ip 88.0.0.0 0.255.255.255 any log
deny ip 89.0.0.0 0.255.255.255 any log
deny ip 90.0.0.0 0.255.255.255 any log
deny ip 91.0.0.0 0.255.255.255 any log
deny ip 92.0.0.0 0.255.255.255 any log
deny ip 93.0.0.0 0.255.255.255 any log
deny ip 94.0.0.0 0.255.255.255 any log
deny ip 95.0.0.0 0.255.255.255 any log
deny ip 96.0.0.0 0.255.255.255 any log
deny ip 97.0.0.0 0.255.255.255 any log
deny ip 98.0.0.0 0.255.255.255 any log
deny ip 99.0.0.0 0.255.255.255 any log
deny ip 100.0.0.0 0.255.255.255 any log
deny ip 101.0.0.0 0.255.255.255 any log
deny ip 102.0.0.0 0.255.255.255 any log
deny ip 103.0.0.0 0.255.255.255 any log
deny ip 104.0.0.0 0.255.255.255 any log
deny ip 105.0.0.0 0.255.255.255 any log
deny ip 106.0.0.0 0.255.255.255 any log
deny ip 107.0.0.0 0.255.255.255 any log
deny ip 108.0.0.0 0.255.255.255 any log
deny ip 109.0.0.0 0.255.255.255 any log
deny ip 110.0.0.0 0.255.255.255 any log
deny ip 111.0.0.0 0.255.255.255 any log
deny ip 112.0.0.0 0.255.255.255 any log
deny ip 113.0.0.0 0.255.255.255 any log
deny ip 114.0.0.0 0.255.255.255 any log
deny ip 115.0.0.0 0.255.255.255 any log
deny ip 116.0.0.0 0.255.255.255 any log
deny ip 117.0.0.0 0.255.255.255 any log
deny ip 118.0.0.0 0.255.255.255 any log
deny ip 119.0.0.0 0.255.255.255 any log
deny ip 120.0.0.0 0.255.255.255 any log
deny ip 121.0.0.0 0.255.255.255 any log
deny ip 122.0.0.0 0.255.255.255 any log
deny ip 123.0.0.0 0.255.255.255 any log
deny ip 124.0.0.0 0.255.255.255 any log
deny ip 125.0.0.0 0.255.255.255 any log
deny ip 126.0.0.0 0.255.255.255 any log
deny ip 197.0.0.0 0.255.255.255 any log
deny ip 201.0.0.0 0.255.255.255 any log
remark RFC 1918 private addresses
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
remark Other bogons
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 15.255.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
permit icmp any any echo-reply
!
ip access-list extended outgoing-filter
remark Allow List for Public IP
remark General ports for WWW, SSH, DNS, Telnet, Email and Time Server
permit tcp host 172.100.100.55 any eq www
permit tcp host 172.100.100.55 any eq 443
permit tcp host 172.100.100.55 any eq smtp
permit tcp host 172.100.100.55 any eq telnet
permit tcp host 172.100.100.55 any eq pop3
permit tcp host 172.100.100.55 any eq domain
permit udp host 172.100.100.55 any eq domain
permit udp host 172.100.100.55 any eq ntp
remark MSN Messenger
permit tcp host 172.100.100.55 any eq 1863
remark AOL
permit tcp host 172.100.100.55 any range 5190 5193
remark Quake 4
permit udp host 172.100.100.55 any eq 27650
permit udp host 172.100.100.55 any eq 27950
permit udp host 172.100.100.55 any eq 28004
permit udp 192.168.10.0 0.0.0.255 any eq 27950
remark Vonage VoIP Phone Service
permit udp host 172.100.100.55 any range 5060 5070
permit udp host 172.100.100.55 any range 10000 25000
permit udp host 172.100.100.55 any eq tftp
permit icmp any any
remark Allow List for Local LAN
remark General ports for WWW, SSH, DNS, Telnet, Email and Time Server
permit tcp 192.168.10.0 0.0.0.255 any eq www
permit tcp 192.168.10.0 0.0.0.255 any eq 443
permit tcp 192.168.10.0 0.0.0.255 any eq smtp
permit tcp 192.168.10.0 0.0.0.255 any eq telnet
permit tcp 192.168.10.0 0.0.0.255 any eq pop3
permit tcp 192.168.10.0 0.0.0.255 any eq domain
permit udp 192.168.10.0 0.0.0.255 any eq domain
permit udp 192.168.10.0 0.0.0.255 any eq ntp
remark MSN Messenger
permit tcp 192.168.10.0 0.0.0.255 any eq 1863
remark AOL
permit tcp 192.168.10.0 0.0.0.255 any range 5190 5193
remark Quake 4
permit udp 192.168.10.0 0.0.0.255 any eq 28004
permit udp 192.168.10.0 0.0.0.255 any eq 27650
remark Vonage VoIP Phone Service
permit udp 192.168.10.0 0.0.0.255 any range 5060 5070
permit udp 192.168.10.0 0.0.0.255 any range 10000 25000
permit udp 192.168.10.0 0.0.0.255 any eq tftp
deny ip any any log
!
access-list 1 permit 192.168.10.0 0.0.0.255
!
access-list 2 permit 192.168.10.2
access-list 2 permit 192.168.10.5
!
no cdp run
!
control-plane
!
bridge 1 route ip
!
line con 0
exec-timeout 60 0
password cisco
login
no modem enable
transport preferred all
transport output all
line aux 0
login
transport preferred all
transport output all
line vty 0
access-class 2 in
exec-timeout 5 0
password cisco
login
transport preferred all
transport input telnet ssh
transport output all
line vty 1 4
login
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end
TEST#
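Two things a reviewer checks by eye in a config like this are whether every `ip access-group` names an access list that is actually defined (IOS applies no filtering when the referenced list does not exist) and whether every `line vty` range carries an `access-class`. The script below is an added example, not part of the original post or any Cisco tool; it runs those two checks over an excerpt constructed from the posted config.

```python
"""Minimal IOS running-config consistency check (added example).
Parses `show run` style text into (header, sub-commands) blocks and flags
access-group references to undefined ACLs and VTY lines with no access-class."""
import re

# Excerpt constructed from the posted 871W config, kept short for the example.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip access-group ingress-filter in
 ip access-group outgoing-list out
!
ip access-list extended ingress-filter
 deny ip 10.0.0.0 0.255.255.255 any log
 permit icmp any any echo-reply
!
ip access-list extended outgoing-filter
 permit tcp host 172.100.100.55 any eq www
 deny ip any any log
!
line vty 0
 access-class 2 in
 transport input telnet ssh
line vty 1 4
 login
 transport input telnet ssh
"""


def parse_sections(text):
    """Group indented sub-commands under their unindented header line."""
    blocks, header, body = [], None, []
    for raw in text.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def check_config(text):
    """Return a list of human-readable findings (empty list means clean)."""
    defined, applied, open_vty = set(), [], []
    for header, body in parse_sections(text):
        if header.startswith("ip access-list "):
            defined.add(header.split()[-1])          # named ACL definition
        elif header.startswith("interface "):
            for cmd in body:
                m = re.match(r"ip access-group (\S+) (in|out)$", cmd)
                if m:
                    applied.append((header.split()[1], m.group(1), m.group(2)))
        elif header.startswith("line vty") and not any(
                c.startswith("access-class ") for c in body):
            open_vty.append(header)
    findings = [f"{iface}: access-group {acl} {d} references undefined ACL "
                f"(IOS permits all traffic when the list does not exist)"
                for iface, acl, d in applied if acl not in defined]
    findings += [f"{line}: no access-class, remote login not restricted by source"
                 for line in open_vty]
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```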