CISCO router firewall -- critique please.

richcom23 (Limp Gawd, joined Feb 14, 2003, 509 messages)
Alright, well I just joined the ranks of the CCNAs about 2 months ago (took the 4 semesters of classes, then passed the test) and I realized that after you get to the CCNA point there is a lot they don't teach you in CCNA... you must get/have lots of real-world experience and pursue other learning to find out the important stuff they don't teach you. With that said, I bought this 871W router and a Router Firewall Security book from ciscopress.com and have been trying to learn how to configure my CBAC firewall and proper access lists.

Please help me by telling me what I did right and what I did wrong. I'm pretty much trying to follow the book and apply it to my SOHO network. Here is my config (minus the obvious passwords and public IPs). I want to make sure my stateful firewall is set up properly and my access-lists are what they should be for a SOHO border router. Thanks!


TEST#sh run

Building configuration...

Current configuration : 9592 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TEST
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret class
!
username cisco privilege 15 secret class
clock timezone EST -5
clock summer-time EST recurring
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 192.168.10.1 192.168.10.10
!
ip dhcp pool HOME_LAN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 172.100.105.31 172.100.105.32
!
!
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
ip inspect name firewall http
ip inspect name firewall icmp
!
no ip bootp server
no ip domain lookup
ip accounting-threshold 100
no ftp-server write-enable
!
bridge irb
!
interface FastEthernet0
description Connection to Vonage Router - and LAN 192.168.15.0 255.255.255.0
no ip address
no cdp enable
!
interface FastEthernet1
description Connection to Netgear Gigabit Switch, home wired LAN
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
shutdown
no cdp enable
!
interface FastEthernet3
no ip address
shutdown
no cdp enable
!
interface FastEthernet4
description WAN Connection to ISP
ip address 172.100.100.55 255.255.255.128
ip access-group ingress-filter in
ip access-group outgoing-filter out
no ip redirects
no ip unreachables
ip accounting access-violations
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 key 1 size 128bit ABCDEFGHIJKLMNOPQRSTUVWXYZ transmit-key
encryption vlan 1 mode wep mandatory
!
ssid CISCOWLAN
vlan 1
authentication open
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.10.1 255.255.255.0
ip inspect firewall in
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.100.100.1
ip route 192.168.15.0 255.255.255.0 192.168.10.3
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
!Mapping for Quake 4 server
ip nat inside source static udp 192.168.10.2 27650 172.100.100.55 27650 extendable
ip nat inside source static udp 192.168.10.2 27950 172.100.100.55 27950 extendable
ip nat inside source static udp 192.168.10.2 28004 172.100.100.55 28004 extendable
!
ip access-list extended ingress-filter
deny ip 1.0.0.0 0.255.255.255 any log
deny ip 2.0.0.0 0.255.255.255 any log
deny ip 5.0.0.0 0.255.255.255 any log
deny ip 7.0.0.0 0.255.255.255 any log
deny ip 23.0.0.0 0.255.255.255 any log
deny ip 27.0.0.0 0.255.255.255 any log
deny ip 31.0.0.0 0.255.255.255 any log
deny ip 36.0.0.0 0.255.255.255 any log
deny ip 37.0.0.0 0.255.255.255 any log
deny ip 39.0.0.0 0.255.255.255 any log
deny ip 41.0.0.0 0.255.255.255 any log
deny ip 42.0.0.0 0.255.255.255 any log
deny ip 49.0.0.0 0.255.255.255 any log
deny ip 50.0.0.0 0.255.255.255 any log
deny ip 58.0.0.0 0.255.255.255 any log
deny ip 59.0.0.0 0.255.255.255 any log
deny ip 60.0.0.0 0.255.255.255 any log
deny ip 70.0.0.0 0.255.255.255 any log
deny ip 71.0.0.0 0.255.255.255 any log
deny ip 72.0.0.0 0.255.255.255 any log
deny ip 73.0.0.0 0.255.255.255 any log
deny ip 74.0.0.0 0.255.255.255 any log
deny ip 75.0.0.0 0.255.255.255 any log
deny ip 76.0.0.0 0.255.255.255 any log
deny ip 77.0.0.0 0.255.255.255 any log
deny ip 78.0.0.0 0.255.255.255 any log
deny ip 79.0.0.0 0.255.255.255 any log
deny ip 83.0.0.0 0.255.255.255 any log
deny ip 84.0.0.0 0.255.255.255 any log
deny ip 85.0.0.0 0.255.255.255 any log
deny ip 86.0.0.0 0.255.255.255 any log
deny ip 87.0.0.0 0.255.255.255 any log
deny ip 88.0.0.0 0.255.255.255 any log
deny ip 89.0.0.0 0.255.255.255 any log
deny ip 90.0.0.0 0.255.255.255 any log
deny ip 91.0.0.0 0.255.255.255 any log
deny ip 92.0.0.0 0.255.255.255 any log
deny ip 93.0.0.0 0.255.255.255 any log
deny ip 94.0.0.0 0.255.255.255 any log
deny ip 95.0.0.0 0.255.255.255 any log
deny ip 96.0.0.0 0.255.255.255 any log
deny ip 97.0.0.0 0.255.255.255 any log
deny ip 98.0.0.0 0.255.255.255 any log
deny ip 99.0.0.0 0.255.255.255 any log
deny ip 100.0.0.0 0.255.255.255 any log
deny ip 101.0.0.0 0.255.255.255 any log
deny ip 102.0.0.0 0.255.255.255 any log
deny ip 103.0.0.0 0.255.255.255 any log
deny ip 104.0.0.0 0.255.255.255 any log
deny ip 105.0.0.0 0.255.255.255 any log
deny ip 106.0.0.0 0.255.255.255 any log
deny ip 107.0.0.0 0.255.255.255 any log
deny ip 108.0.0.0 0.255.255.255 any log
deny ip 109.0.0.0 0.255.255.255 any log
deny ip 110.0.0.0 0.255.255.255 any log
deny ip 111.0.0.0 0.255.255.255 any log
deny ip 112.0.0.0 0.255.255.255 any log
deny ip 113.0.0.0 0.255.255.255 any log
deny ip 114.0.0.0 0.255.255.255 any log
deny ip 115.0.0.0 0.255.255.255 any log
deny ip 116.0.0.0 0.255.255.255 any log
deny ip 117.0.0.0 0.255.255.255 any log
deny ip 118.0.0.0 0.255.255.255 any log
deny ip 119.0.0.0 0.255.255.255 any log
deny ip 120.0.0.0 0.255.255.255 any log
deny ip 121.0.0.0 0.255.255.255 any log
deny ip 122.0.0.0 0.255.255.255 any log
deny ip 123.0.0.0 0.255.255.255 any log
deny ip 124.0.0.0 0.255.255.255 any log
deny ip 125.0.0.0 0.255.255.255 any log
deny ip 126.0.0.0 0.255.255.255 any log
deny ip 197.0.0.0 0.255.255.255 any log
deny ip 201.0.0.0 0.255.255.255 any log
remark RFC 1918 private addresses
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
remark Other bogons
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 15.255.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
permit icmp any any echo-reply
!
ip access-list extended outgoing-filter
remark Allow List for Public IP
remark General ports for WWW, SSH, DNS, Telnet, Email and Time Server
permit tcp host 172.100.100.55 any eq www
permit tcp host 172.100.100.55 any eq 443
permit tcp host 172.100.100.55 any eq smtp
permit tcp host 172.100.100.55 any eq telnet
permit tcp host 172.100.100.55 any eq pop3
permit tcp host 172.100.100.55 any eq domain
permit udp host 172.100.100.55 any eq domain
permit udp host 172.100.100.55 any eq ntp
remark MSN Messenger
permit tcp host 172.100.100.55 any eq 1863
remark AOL
permit tcp host 172.100.100.55 any range 5190 5193
remark Quake 4
permit udp host 172.100.100.55 any eq 27650
permit udp host 172.100.100.55 any eq 27950
permit udp host 172.100.100.55 any eq 28004
permit udp 192.168.10.0 0.0.0.255 any eq 27950
remark Vonage VoIP Phone Service
permit udp host 172.100.100.55 any range 5060 5070
permit udp host 172.100.100.55 any range 10000 25000
permit udp host 172.100.100.55 any eq tftp
permit icmp any any
remark Allow List for Local LAN
remark General ports for WWW, SSH, DNS, Telnet, Email and Time Server
permit tcp 192.168.10.0 0.0.0.255 any eq www
permit tcp 192.168.10.0 0.0.0.255 any eq 443
permit tcp 192.168.10.0 0.0.0.255 any eq smtp
permit tcp 192.168.10.0 0.0.0.255 any eq telnet
permit tcp 192.168.10.0 0.0.0.255 any eq pop3
permit tcp 192.168.10.0 0.0.0.255 any eq domain
permit udp 192.168.10.0 0.0.0.255 any eq domain
permit udp 192.168.10.0 0.0.0.255 any eq ntp
remark MSN Messenger
permit tcp 192.168.10.0 0.0.0.255 any eq 1863
remark AOL
permit tcp 192.168.10.0 0.0.0.255 any range 5190 5193
remark Quake 4
permit udp 192.168.10.0 0.0.0.255 any eq 28004
permit udp 192.168.10.0 0.0.0.255 any eq 27650
remark Vonage VoIP Phone Service
permit udp 192.168.10.0 0.0.0.255 any range 5060 5070
permit udp 192.168.10.0 0.0.0.255 any range 10000 25000
permit udp 192.168.10.0 0.0.0.255 any eq tftp
deny ip any any log
!
access-list 1 permit 192.168.10.0 0.0.0.255
!
access-list 2 permit 192.168.10.2
access-list 2 permit 192.168.10.5
!
no cdp run
!
control-plane
!
bridge 1 route ip
!
line con 0
exec-timeout 60 0
password cisco
login
no modem enable
transport preferred all
transport output all
line aux 0
login
transport preferred all
transport output all
line vty 0
access-class 2 in
exec-timeout 5 0
password cisco
login
transport preferred all
transport input telnet ssh
transport output all
line vty 1 4
login
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end

TEST#
 
Sorry, silly question. I'm not a Cisco guy--

Per your config:

deny ip 72.0.0.0 0.255.255.255 any log

Does this mean this device will drop anything from 72.any.ip.here? I.e. 72.11.99.75

Just curious because I've got a network in this range and some had a Cisco device blocking wm coming into their network (approved incoming communications we could not get working till the router was reconfigured).

I'm just trying to figure out why this IP range is blacklisted. I think it used to be a range not used, but now it is, I'd assume, since I have it.
 
marty9876 said:
Sorry, silly question. I'm not a Cisco guy--

Per your config:

deny ip 72.0.0.0 0.255.255.255 any log

Does this mean this device will drop anything from 72.any.ip.here? I.e. 72.11.99.75

Just curious because I've got a network in this range and some had a Cisco device blocking wm coming into their network (approved incoming communications we could not get working till the router was reconfigured).

I'm just trying to figure out why this IP range is blacklisted. I think it used to be a range not used, but now it is, I'd assume, since I have it.

Well, how it is supposed to work with a stateful firewall is that if I initiate the connection to 72.11.99.75 from my LAN, I get a dynamic ACL allowing traffic to and from that address. But if you were to try to connect to me from 72.11.99.75 and I didn't initiate it, my ACL will deny the connection. I got that 72.0.0.0 0.255.255.255 entry from the firewall book I have; it's listed under the IANA reserved block. It has a link to http://www.iana.org/assignments/ipv4-address-space to check for updates. I went there but didn't spend much time; I figured I would check all that out in detail later and tweak the list.

EDIT: looks like "ARIN (whois.arin.net)" owns that block now since Aug 04. I'll go through and fix my ACL soon. I mean either way the traffic is denied in... it's just a matter of how it is logged, I believe. There is an implicit "deny all" at the end of Cisco ACLs. I've been reading the book -- trying to do similar to what they did. Posting here to get someone else's opinion and suggestions on stuff you can't learn from a book perhaps :D
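The clean-up richcom23 describes above (checking each bogon entry against the IANA registry) is easy to get wrong by hand across seventy-odd lines. The following is an added example, not code from the thread or from the book: it parses the `deny ip <addr> <wildcard> any log` lines, converts each IOS wildcard mask into a prefix (rejecting non-contiguous wildcards instead of guessing), and reports every entry that is not inside a fixed reference list of special-purpose blocks. Those reported entries are exactly the ones that may have been allocated since the book was printed and should be verified against the current registry before they stay in the ACL. The reference list, the regex and the sample ACL excerpt are constructed for this example; it needs Python 3.7+ for `subnet_of`.

```python
import ipaddress
import re

# Constructed reference list for this example: blocks that are never valid Internet
# source addresses (this-network, RFC 1918, loopback, link-local, TEST-NET, multicast,
# class E). It is a fixed illustrative snapshot, not the live IANA registry.
REFERENCE_BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

DENY_LINE = re.compile(
    r"^\s*deny\s+ip\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+any\b")


def wildcard_to_network(address, wildcard):
    """Convert an IOS address/wildcard pair to a prefix.

    A wildcard bit of 1 means "don't care". Only a wildcard whose set bits form a
    contiguous run from the low end describes a prefix; anything else is rejected so
    an odd mask can never silently turn into the wrong block.
    """
    dont_care = int(ipaddress.IPv4Address(wildcard))
    if dont_care & (dont_care + 1):
        raise ValueError(f"wildcard {wildcard} is not a contiguous host mask")
    prefixlen = 32 - dont_care.bit_length()
    return ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)


def denied_sources(config_text):
    """Collect every `deny ip <addr> <wildcard> any ...` entry as a network object."""
    networks = []
    for line in config_text.splitlines():
        m = DENY_LINE.match(line)
        if m:
            networks.append(wildcard_to_network(m.group(1), m.group(2)))
    return networks


def stale_entries(networks, reference=REFERENCE_BOGONS):
    """Entries not contained in any reference block: the candidates to re-check."""
    return [n for n in networks if not any(n.subnet_of(r) for r in reference)]


# Constructed excerpt in the shape of the ingress-filter ACL from the first post.
SAMPLE_ACL = """
ip access-list extended ingress-filter
 deny ip 1.0.0.0 0.255.255.255 any log
 deny ip 72.0.0.0 0.255.255.255 any log
 remark RFC 1918 private addresses
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 deny ip 0.0.0.0 0.255.255.255 any log
 permit icmp any any echo-reply
"""


def audit(config_text=SAMPLE_ACL):
    """Return the stale entries as prefix strings, ready to look up in the registry."""
    return [str(n) for n in stale_entries(denied_sources(config_text))]


if __name__ == "__main__":
    for entry in audit():
        print(f"{entry}: not in the reference bogon list, verify its allocation status")
```

Run it against a `show run` capture instead of `SAMPLE_ACL` and the output is the short list of prefixes worth a registry lookup; the RFC 1918 and other special-purpose lines never show up because they are permanently invalid as Internet sources.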
 
richcom23 said:
EDIT: looks like "ARIN (whois.arin.net)" owns that block now since Aug 04 . I'll go thru and fix my ACL soon.

Thanks, can you get the rest of the world to do this too? :D

Basically yea, that's what happened. My box on their network could hit my network, but nothing would get back to the box. I'd ping out of their network, see the ping hit my firewall, but nothing ever ended up getting back to the box. Turned out to be something (this) in their router. I think it comes from routers configured before (or using guides posted) before 9/04.

Sorry for the thread crap, just trying to learn something new. Was a pain to work through the problem at the time, not something most folks look for. I think this issue causes this 72.x.x.x to show up as a spammer network for email sometimes.
 
Rich,

I think your configuration is overly complex. You needn't make it so involved. I have the same router, and I'm using it for the same purpose. A couple of critiques:

ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
ip inspect name firewall http
ip inspect name firewall icmp

Once you have inspect tcp and udp, the h.323, netshow, ftp, sqlnet, and http inspects are pointless. TCP and UDP cover all of those applications. Unless you are serving something from the inside, I've found I only need the following inspects:

ip inspect name firewall icmp
ip inspect name firewall dns
ip inspect name firewall tcp
ip inspect name firewall udp

I have the DNS inspect because I'm running my own DNS server internally. Having the inspect allows the server to go out and do the lookups for me.

For ACLs I only have the following:
ip access-list extended firewall
permit udp any eq bootps any eq bootpc
permit udp any eq ntp any eq ntp
permit tcp any any eq www
permit tcp any any eq 3724
permit tcp any eq 3724 any
deny ip any any log
!

This ACL allows the following:
dhcp for the fastethernet4 interface so it can get an IP address from my cable modem.
ntp so that the router can get its time from time.nist.gov.
www because I'm running a www server internally.
TCP port 3724 for world of warcraft.

It denies everything else. Why? Because the inspects dynamically poke holes in the ACL to allow traffic in and out only when necessary.

I have it applied in the ingress direction on FastEthernet4. I'm not doing anything in the outbound direction because I trust the devices within my network.

I see you have an ACL for Vonage. Do you have Vonage? I have a QoS configuration for you if you would like to see it.
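Arch's point that the inspects "dynamically poke holes" in a short ingress ACL is the whole design, so here is an added example (not Arch's code and not Cisco's implementation) that models it in Python: a static ingress ACL on the outside interface, mirroring the five permit lines and the deny in the post, plus an inspection table that records flows started from inside and lets only their return traffic back in. The `Packet` class, the session-table shape and the 203.0.113.x addresses are constructed for the example, and NAT is left out, so addresses are compared as seen on the inside.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# The ingress ACL from the post, as (proto, src port, dst port, action); None = any.
# The trailing deny is the ACL's own last line; IOS would also deny implicitly after it.
INGRESS_ACL = [
    ("udp", 67, 68, "permit"),      # bootps -> bootpc: the router's own DHCP lease
    ("udp", 123, 123, "permit"),    # ntp replies from the time server
    ("tcp", None, 80, "permit"),    # inbound www to the internal web server
    ("tcp", None, 3724, "permit"),  # World of Warcraft
    ("tcp", 3724, None, "permit"),
    (None, None, None, "deny"),
]


class StatefulFilter:
    """Toy model of CBAC: `ip inspect ... in` on the inside interface records each
    inside-initiated flow, and the ingress ACL on the outside interface is consulted
    only for packets that match no recorded flow."""

    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()   # (proto, remote ip, remote port, local ip, local port)
        self.log = []           # what `deny ip any any log` would write to the buffer

    def outbound(self, pkt):
        """Inside -> outside: inspection installs the reverse-direction entry."""
        self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "permit"

    def inbound(self, pkt):
        """Outside -> inside: dynamic entries win, then the static ACL top to bottom."""
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return "permit (inspect session)"
        for proto, sport, dport, action in self.acl:
            if (proto in (None, pkt.proto)
                    and sport in (None, pkt.sport)
                    and dport in (None, pkt.dport)):
                if action == "deny":
                    self.log.append(
                        f"denied {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                return f"{action} (acl)"
        return "deny (implicit)"

    def close(self, pkt):
        """Session teardown or idle timeout removes the hole again."""
        self.sessions.discard((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))


def demo():
    """Constructed walk-through: one HTTPS session from the LAN plus unsolicited traffic."""
    fw = StatefulFilter(INGRESS_ACL)
    web_req = Packet("tcp", "192.168.10.2", 51000, "203.0.113.10", 443)
    web_reply = Packet("tcp", "203.0.113.10", 443, "192.168.10.2", 51000)
    results = {}
    results["https reply before request"] = fw.inbound(web_reply)   # no session yet: denied
    fw.outbound(web_req)
    results["https reply after request"] = fw.inbound(web_reply)    # dynamic hole
    results["unsolicited ssh"] = fw.inbound(
        Packet("tcp", "203.0.113.77", 40000, "192.168.10.2", 22))
    results["inbound www"] = fw.inbound(
        Packet("tcp", "203.0.113.77", 40001, "192.168.10.5", 80))   # static permit
    results["dhcp offer"] = fw.inbound(
        Packet("udp", "203.0.113.1", 67, "203.0.113.55", 68))
    fw.close(web_req)
    results["https reply after close"] = fw.inbound(web_reply)      # hole is gone again
    return results, fw.log


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name:30} {verdict}")
```

The takeaway matches Arch's reasoning: the static ACL only needs lines for traffic that arrives without an inside-initiated session (the router's own DHCP lease, NTP replies, the published web server and game port); everything else rides on the inspect entries and falls to the logged deny when no session exists.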
 
Arch said:
Rich,

I think your configuration is overly complex. You needn't make it so involved. I have the same router, and I'm using it for the same purpose. A couple of critiques:

ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
ip inspect name firewall http
ip inspect name firewall icmp

Once you have inspect tcp and udp, the h.323, netshow, ftp, sqlnet, and http inspects are pointless. TCP and UDP cover all of those applications. Unless you are serving something from the inside, I've found I only need the following inspects:

ip inspect name firewall icmp
ip inspect name firewall dns
ip inspect name firewall tcp
ip inspect name firewall udp

I have the DNS inspect because I'm running my own DNS server internally. Having the inspect allows the server to go out and do the lookups for me.

For ACLs I only have the following:
ip access-list extended firewall
permit udp any eq bootps any eq bootpc
permit udp any eq ntp any eq ntp
permit tcp any any eq www
permit tcp any any eq 3724
permit tcp any eq 3724 any
deny ip any any log
!

This ACL allows the following:
dhcp for the fastethernet4 interface so it can get an IP address from my cable modem.
ntp so that the router can get its time from time.nist.gov.
www because I'm running a www server internally.
TCP port 3724 for world of warcraft.

It denies everything else. Why? Because the inspects dynamically poke holes in the ACL to allow traffic in and out only when necessary.

I have it applied in the ingress direction on FastEthernet4. I'm not doing anything in the outbound direction because I trust the devices within my network.

I see you have an ACL for Vonage. Do you have Vonage? I have a QoS configuration for you if you would like to see it.

Well, thanks so much for looking at my config. I think the ACLs are way complex myself also, which was one of the reasons I posted. In this book (yay books lol) the explanation for having so many is this:

Quote: "One question that I commonly am asked is "Why use deny statements to block this when the implicit deny will do this anyway?" Well, in some cases, your implicit deny will block this traffic. However, if you omit the deny statements that I have listed in the code example, you basically are permitting anyone to send traffic to your permitted internal services with any kind of source address. Typically these permit statements use the keyword any for the source address. Therefore, you want to put these bogon deny statements at the beginning, to prevent bogon DoS attacks against your internal resources."

Maybe this is more for places with internal servers also, I don't know. I would like to know though because shortly I will have a job where I can use my CCNA skills on a daily basis..

I would LOVE to see the QoS configuration. Yes, I have Vonage, and I would also like to be able to prioritize my Quake 4 connection so that if people are downloading like crazy on my connection at the same time I am playing, my packets get priority.... Question: did you have to upgrade your router to be able to hold the image with QoS in the IOS?

Thanks again for looking I appreciate it.
 
Rich,

My router is currently running IOS version 12.4(4)T1. Advanced IP Services feature set. I'm not sure if the QoS outlined below will work on the Advanced Security feature set it comes with. Hold on to your hats, the QoS explanation is lengthy :)

To configure the QoS for Vonage you don't have to do a whole lot. Here's the configuration you need:

!
class-map match-all voice-traffic
match ip rtp 10000 10000
!
!
policy-map voice-policy
class voice-traffic
priority 200
class class-default
fair-queue
policy-map shaper
class class-default
shape average 350000 3500 0
service-policy voice-policy
!
interface FastEthernet4
service-policy output shaper
!

The above configuration was taken directly from my router. I'll explain each portion of the above config so you know what it's doing.

a. The class map defines what type of packets you want to specify for quality of service. In this case the class-map is specifying all RTP packets, starting at port 10000, for a range of 10000 ports. So in essence, any RTP packets to ports 10000-20000 will be targeted for quality of service.

b. The policy-map voice-policy is how you define how much bandwidth each class gets. In this case the voice-traffic class (the one I defined in the class-map) is getting 200kbps of bandwidth. This is more than enough for a single Vonage phone call. Specifying more than necessary doesn't hurt anything, as it will only reserve the bandwidth if needed. Class-default is all your other traffic. Here we aren't specifying any bandwidth to be reserved; as such, it will be handled in a standard fair-queueing fashion where each traffic flow is given an equal portion of the remaining bandwidth.

c. The policy-map shaper is VERY important. This slows down your interface to the speed of your upload stream. In most cases, your cable modem will have an Ethernet or Fast Ethernet connection to your router. Quality of service only kicks in when a link is congested. If you don't slow down the connection to the cable modem itself, the congestion will happen on the cable modem instead of the router. You don't control the cable modem, so you need to handle the congestion on the router. I hope that part made sense. The shape average command is how you define how much you want to limit the interface. In this case I've specified 350kbps, 350000. The next value should always be a 100th of the first, hence the 3500. The last value should ALWAYS be 0. So, for example, if your upload speed was 230, the command would be "shape average 230000 2300 0". The service-policy voice-policy hooks the bandwidth settings you've configured for your voice traffic to the policy-map you are using to slow the interface down.

d. Lastly, you need to apply all this to an interface. On the 871 the WAN interface is Fast Ethernet 4. As such, I've applied the service-policy, shaper, in the outbound direction on this interface.

What will all this stuff do? Well, assuming your upload speed is sufficient, you can do whatever you want on your connection, from an upstream perspective, while talking on the phone and the person you are talking to will never notice. Slowing the interface down will also decrease your overall upload speed. This is a small price to pay to ensure good, consistent voice quality to the people you call.

How do you tell whether or not the QoS is actually working? Simply enter the command "show policy-map interface" from enable mode on the router. You will see output like this. I'll explain each section:

Bunson#sho policy-map interface
 FastEthernet4

  Service-policy output: shaper
  <--- this is the shaper; this lets you know how the interface shaping is going.

    Class-map: class-default (match-any)
      1297876 packets, 290952072 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
           350000/350000    437    3500      0         10        437

        Adapt  Queue   Packets   Bytes       Packets   Bytes       Shaping
        Active Depth                         Delayed   Delayed     Active
        -      0       1281156   277127074   193027    110851465   no
        <---- this tells you whether or not shaping is currently active. When you don't come near the levels you set, it will say it's not active. When it is active it will let you know how many packets and how many bytes were delayed by the shaping. This is good because it indicates that you are handling the congestion on the router instead of overrunning the cable modem.

      Service-policy : voice-policy

        Class-map: voice-traffic (match-all)
          340390 packets, 87771896 bytes
          <--- This part tells you how many voice packets you've matched. This is important because it tells you that the quality of service is working. When you are on a call this will increment. Since the last time I reloaded the 871 it matched 340 thousand voice packets.
          30 second offered rate 0 bps, drop rate 0 bps
          Match: ip rtp 10000 10000
          Queueing
            Strict Priority
            Output Queue: Conversation 40
            Bandwidth 200 (kbps) Burst 5000 (Bytes)
            (pkts matched/bytes matched) 1122/321197
            (total drops/bytes drops) 0/0
            <---- You should check this value. For the voice-policy it should always be 0. If it isn't, you need to increase the amount of bandwidth you specified in the "priority" statement under the voice-traffic section of the policy-map.

        Class-map: class-default (match-any)
          <--- This is everything else. All the rest of your data falls into this category.
          957486 packets, 203180176 bytes
          30 second offered rate 0 bps, drop rate 0 bps
          Match: any
          Queueing
            Flow Based Fair Queueing
            Maximum Number of Hashed Queues 32
            (total queued/total drops/no-buffer drops) 0/11961/0
            <--- You should see drops here. This is exactly what it sounds like, dropped packets. This is ok because if you drop a data packet you can always send it again. Resending a voice packet is worthless because you can't rewind a conversation; it would sound bizarre.

Note, none of this applies to the audio coming inbound to your phone. You have no control over that.

I know this is probably much longer than you anticipated. If you have any questions I'll be happy to answer them for you.
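As an added example (not from the thread and not IOS code), the Python below first reproduces the shaper figures in Arch's `show policy-map interface` output from the `shape average 350000 3500 0` line: with Bc set to a hundredth of the CIR the interval is 10 ms and the byte limit is Bc/8, which is the 437 shown under Byte Limit and Increment. It then steps a small model of the priority queue inside the shaper so you can see why the voice class reports zero drops while class-default shows delayed packets, and what the drop counter does when voice is offered above the `priority 200` reservation. The scheduler is a simplification of what the router actually does (the assumptions are listed in the docstring); the packet sizes and arrival patterns are constructed.

```python
from collections import deque


def shaper_params(cir_bps, bc_bits):
    """Tc (ms) and bytes credited per Tc for `shape average <cir> <bc> 0`.

    With Bc = CIR/100 the interval is always 10 ms, and the byte limit is Bc/8,
    the value `show policy-map interface` reports as Byte Limit / Increment.
    """
    tc_ms = bc_bits * 1000 / cir_bps
    return tc_ms, bc_bits // 8


def simulate_llq_shaper(voice_arrivals, data_arrivals, horizon,
                        cir_bps=350000, bc_bits=3500,
                        priority_kbps=200, priority_burst_bytes=5000):
    """Time-stepped model of `priority 200` inside `shape average 350000 3500 0`.

    voice_arrivals / data_arrivals: dict interval -> list of packet sizes (bytes).
    Assumptions (this is not Cisco's exact scheduler): one scheduling pass per Tc;
    the shaper's token count may go negative so a packet larger than Bc still leaves
    and is paid back over later intervals; the priority class is policed by a token
    bucket (rate = priority, burst = priority_burst_bytes) because the shaped link
    is permanently congested in these scenarios; class-default is a plain FIFO.
    """
    tc_ms, credit = shaper_params(cir_bps, bc_bits)
    police_credit = priority_kbps * 1000 * tc_ms / 1000 / 8   # priority bytes per Tc
    voice_q, data_q = deque(), deque()
    tokens, police_bucket = 0, priority_burst_bytes
    stats = {"voice_sent": 0, "voice_dropped": 0, "voice_max_wait": 0, "voice_bytes": 0,
             "data_sent": 0, "data_bytes": 0, "data_backlog_max": 0}
    for t in range(horizon):
        voice_q.extend((t, size) for size in voice_arrivals.get(t, []))
        data_q.extend((t, size) for size in data_arrivals.get(t, []))
        tokens = min(credit, tokens + credit)          # Be = 0: no excess burst carried over
        police_bucket = min(priority_burst_bytes, police_bucket + police_credit)
        # Strict priority: the voice class is always served before class-default.
        while voice_q and tokens > 0:
            arrived, size = voice_q.popleft()
            if police_bucket < size:
                stats["voice_dropped"] += 1            # the "total drops" counter for voice-policy
                continue
            police_bucket -= size
            tokens -= size
            stats["voice_sent"] += 1
            stats["voice_bytes"] += size
            stats["voice_max_wait"] = max(stats["voice_max_wait"], t - arrived)
        # Everything else gets whatever credit is left in this interval.
        while data_q and tokens > 0:
            _, size = data_q.popleft()
            tokens -= size
            stats["data_sent"] += 1
            stats["data_bytes"] += size
        stats["data_backlog_max"] = max(stats["data_backlog_max"], len(data_q))
    seconds = horizon * tc_ms / 1000
    stats["sent_bps"] = (stats["voice_bytes"] + stats["data_bytes"]) * 8 / seconds
    stats["voice_bps"] = stats["voice_bytes"] * 8 / seconds
    return stats


def vonage_call_vs_upload():
    """Constructed scenario: a G.711 call (200-byte RTP packet every 20 ms, about 80 kbps)
    competing for 10 s with a bulk upload (1500-byte packet every 10 ms, about 1.2 Mbps)."""
    voice = {t: [200] for t in range(0, 1000, 2)}
    data = {t: [1500] for t in range(1000)}
    return simulate_llq_shaper(voice, data, horizon=1010)   # 10 extra Tc to drain the voice queue


def voice_exceeding_priority():
    """Constructed scenario: voice offered at about 400 kbps, above the 200 kbps reservation."""
    voice = {t: [500] for t in range(1000)}
    data = {t: [1500] for t in range(1000)}
    return simulate_llq_shaper(voice, data, horizon=1010)


if __name__ == "__main__":
    print(shaper_params(350000, 3500))
    print(vonage_call_vs_upload())
    print(voice_exceeding_priority())
```

In the first scenario every voice packet is sent, none is dropped, the worst voice delay is a few intervals behind a 1500-byte upload packet, the upload queue backs up (the delayed packets the shaper reports), and the total leaving the interface stays at roughly 350 kbps. In the second the voice class itself starts dropping, which is the non-zero "total drops" counter Arch says to watch and fix by raising the `priority` value.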
 
Wow, that's quite a config! lol looks like a bunch of jargon to me -- so thanks for the explanations! =)

I appreciate it, I will implement that as soon as I get the advanced IP IOS...
 