Cisco 877 Zone-Based Firewall - is this right?

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi all,

I've made an attempt at configuring a zone-based firewall on my Cisco 877 12.24(T)2. Prior to today all was working really well, but I wanted to try to improve security for webhosting / mailhosting.

I've added some rules to my config, and I don't seem to have broken anything, but I don't know if my new ZBF rules are actually doing anything Is there an easy way for me to test them? The output from my show policy-map is always a bit....zero

Code:

Cisco877#sh policy-map type inspect zone-pair OutsideToInside

policy exists on zp OutsideToInside
 Zone-pair: OutsideToInside

  Service-policy inspect : OutsideToInside

    Class-map: ExternallyVisibleServices (match-all)
      Match: class-map match-any ExternallyVisibleProtocols
        Match: protocol http
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol https
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol smtp extended
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol pptp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ftp
          0 packets, 0 bytes
          30 second rate 0 bps

   Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 0
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 byte

My config is below, and the newly-added lines are in bold. Please could somebody take a look and see if my new lines are actually doing anything? I've tried following this example, and the linked page, but I got a bit lost

Many thanks,


Jim

Code:

!
! Last configuration change at 10:39:37 GMT Mon Oct 11 2010 by root
! NVRAM config last updated at 10:06:34 GMT Mon Oct 11 2010 by root
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring
!
!
dot11 syslog
ip source-route
!
!
!
!
no ip cef
ip domain name xxx.local
ip inspect log drop-pkt
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
ntp server ip time-a.nist.gov
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
[B]parameter-map type inspect pmap-audit
 audit-trail on
[/B]!
!
object-group network L1_Allow_NTP 
 description Allow NTP from these hosts
 129.x.xx.xx 255.255.255.255
!
object-group network L2_Allow_SSH 
 description Allow SSH from these hosts
 192.168.1.0 255.255.255.0
!
username xxx password 7 xxx
username xxx password 7 xxx
username xxx privilege 15 secret 5 xxx
! 
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
[B]class-map type inspect match-any ExternallyVisibleProtocols
 description Externally-visible protocols   
 match protocol http
 match protocol https
 match protocol smtp extended
 match protocol pptp
 match protocol ftp
class-map type inspect match-all ExternallyVisibleServices
 description Externally-visible protocols headed to LAN   
 match class-map ExternallyVisibleProtocols
[/B]!
!
[B]policy-map type inspect OutsideToInside
 description Internet to LAN (server)   
 class type inspect ExternallyVisibleServices
  inspect pmap-audit
 class class-default
  drop log
[/B]!
[B]zone security Inside
zone security Outside
[/B]!
!
[B]zone-pair security OutsideToInside source Outside destination Inside
 service-policy type inspect OutsideToInside[/B]
!
interface ATM0
 description ADSL Connection
 no ip address
 [B]zone-member security Outside[/B]
 no atm ilmi-keepalive
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl enable-training-log 
 dsl bitswap both
 hold-queue 200 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly
 [B]zone-member security Inside
[/B] peer default ip address pool VPNPOOL
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
interface Vlan1
 description LAN
 ip address 192.168.0.254 255.255.255.0 secondary
 ip address 192.168.19.254 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer0
 bandwidth inherit
 ip address negotiated
 ip access-group EXT-IN in
 ip access-group EXT-OUT out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname [EMAIL="[email protected]"][email protected][/EMAIL]
 ppp chap password 7 xxx
 ppp ipcp dns request
 ppp ipcp wins request
 ip rtp header-compression iphc-format
!
ip local pool VPNPOOL 192.168.1.251 192.168.1.253
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.20 3389 interface Dialer0 3389
ip nat inside source list NAT-RANGES interface Dialer0 overload
!
ip access-list standard Allowed_SNMP
 permit 192.168.1.0 0.0.0.255
 deny   any
ip access-list standard NAT-RANGES
 remark Define NAT internal ranges
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended EXT-IN
 remark Inbound external interface
 remark The below set the rfc1918 private exclusions
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 remark Allow established sessions back in
 permit tcp any any established
 remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
 permit tcp any any eq smtp
 permit tcp any any eq www
 permit udp object-group L1_Allow_NTP any eq ntp
 permit tcp object-group L2_Allow_SSH any eq 22 log
 permit tcp any any eq 443
 permit tcp any any eq 995
 permit tcp any any eq 3389
 permit tcp any any eq 1723
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 remark Passive FTP ports matching vsftpd config
 permit tcp any any range 50000 50050
 permit gre any any
 permit udp any eq domain any
 remark Standard acceptable icmp rules
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 deny   ip any any
ip access-list extended EXT-OUT
 remark Allow all outbound IP
 permit ip any any
!
ip access-list logging interval 10
logging trap debugging
logging facility local6
logging 192.168.1.50
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community XXX RW Allowed_SNMP
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 length 40
 width 160
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
time-range WEEKDAY
 periodic weekdays 8:00 to 18:00
!
end

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi Jim,

There a few problems with your config. The main problem is that although you have specified a zone-pair to allow some traffic in, you have not added any interfaces to any zones (except virtual-template1), so the policy is not in use. You have atm0 a member of the Outside zone but dialer0 should be in Outside and vlan1 in Inside. Also, you only have a policy for traffic inbound, you should make an inside to outside, and outside to self policy as well, and then you can tidy up (or remove) the EXT-IN/EXT-OUT access-lists - you are currently accepting RDP from anywhere.

The zone-based firewall is nice, and has a lot of good features, but the cbac/ip inspect ios firewall is handy and quick to set up, especially for simple internal lan/external internet type of situations.

Spice_Weasel

 

Many thanks for your time spice_weasel, your posting is valuable to me. I will have a go at reconfiguring, taking your suggestions/pointers on board. Zone-based does seem to provide a more complex config but, as you say, it has some nice features.

We do have a simple setup - single internet IP address, web/mail hosting behind the router, NAT (but hey, you can see that from the config ). Do you think a zone-based is worth the configuration hassle? I want something that's secure - in your view is zone-based more secure than what I have at present?

Thanks again,



Jim

 

Aaarrrrggghhhhhhhhhhhhhhhhhhhh

So near yet so far. Okay, all seems to be working well, I have inside to out and outside to in. The ONLY thing I've tried to get wokring, and failed, is the VPN. I can no longer VPN into my unit from outside (the router is a PPTP terminator). I get the "connecting" message, but I never get the "verifying username" or "registering..." messages. Looking at my syslog I get this:

%FW-6-DROP_PKT: Dropping tcp session <my router IP>:1723 <Remote VPN Client IP>:31366 on zone-pair RouterToOutside class class-default due to DROP action found in policy-map with ip ident 0

I'm confused, as my RouterToOutside pair class-default doesn't have a drop, it has a pass.

If anyone is kind enough to still be watching, my config is this:

Code:

!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring
!
!
dot11 syslog
ip source-route
!
!
!
!
no ip cef
ip domain name xxx.local
ip port-map user-PassiveFTP port tcp from xxx to xxx  description Passive FTP
ip port-map user-BNIRDP port tcp xx description BNI Remote Desktop
ip port-map user-RDP port tcp 3389 description Terminal Services
ip port-map user-ExtraSMTP port tcp xx description Additional SMTP Listener
ip inspect log drop-pkt
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!

parameter-map type inspect pmap-audit
 audit-trail on
!
!
object-group network L1_Allow_NTP 
 description Allow NTP from these hosts
 129.6.15.28 255.255.255.255
!
object-group network L1_BNI_VPC 
 host 192.168.1.65
!
object-group network L1_Webserver 
 host 192.168.1.50
!
object-group network L2_Allow_SSH 
 description Allow SSH from these hosts
 192.168.1.0 255.255.255.0
!
username vpn-xx password 7 xx
username vpn-xx password 7 xx
username root privilege 15 secret 5 $ss$xx$xxxx.
! 
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
class-map type inspect match-any ExtVisBNIProtocols
 description Externally-visible protocols
 match protocol user-BNIRDP
 match access-group name BNI_VPC
class-map type inspect match-any ExtVisWebserverProtocols
 description Externally-visible protocols
 match protocol http
 match protocol https
 match protocol smtp extended
 match protocol pop3s
 match protocol user-RDP
 match protocol user-ExtraSMTP
 match protocol user-PassiveFTP
 match protocol ftp
class-map type inspect match-any AllowedOut
 description Permitted Traffic to internet
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all ICMPReply
 description Only certain pings permitted to router
 match access-group name ICMPReply
class-map type inspect match-any RouterToOutside
 description Permit router-generated traffic out
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all ExtVisBNIServices
 description Externally-visible protocols headed to BNI VPC
 match class-map ExtVisBNIProtocols
 match access-group name BNI_VPC
class-map type inspect match-all PPTP-Terminated-Traffic
 match access-group name PPTP-TERMINATED
class-map type inspect match-all ExtVisWebserverServices
 description Externally-visible protocols headed to webserver
 match class-map ExtVisWebserverProtocols
 match access-group name WebServer
!
!
policy-map type inspect RouterToInside
 description Router to LAN
 class class-default
  pass
policy-map type inspect InsideToRouter
 description LAN to router   
 class class-default
  pass
policy-map type inspect InsideToOutside
 description LAN to Internet
 class type inspect AllowedOut
  inspect 
 class class-default
  drop log
policy-map type inspect OutsideToInside
 description Internet to LAN (server)
 class type inspect ExtVisBNIServices
  inspect pmap-audit
 class type inspect ExtVisWebserverServices
  inspect pmap-audit
 class class-default
  drop log
policy-map type inspect OutSideToRouter
 description Permitted traffic from internet to router
 class type inspect ICMPReply
  pass
 class type inspect PPTP-Terminated-Traffic
  pass
 class class-default
  drop log
policy-map type inspect RouterToOutSide
 description Router to internet
 class type inspect RouterToOutside
  inspect pmap-audit
 class class-default
  pass
!
zone security Inside
zone security Outside
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
zone-pair security RouterToInside source self destination Inside
 service-policy type inspect RouterToInside
zone-pair security InsideToRouter source Inside destination self
 service-policy type inspect InsideToRouter
zone-pair security OutsideToRouter source Outside destination self
 service-policy type inspect OutSideToRouter
zone-pair security RouterToOutside source self destination Outside
 service-policy type inspect RouterToOutSide
zone-pair security OutsideToInside source Outside destination Inside
 service-policy type inspect OutsideToInside
!
!
!
interface ATM0
 description ADSL Connection
 no ip address
 no atm ilmi-keepalive
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl enable-training-log 
 dsl bitswap both
 hold-queue 200 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool VPNPOOL
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
interface Vlan1
 description xx LAN
 ip address 192.168.0.254 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 zone-member security Inside
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer0
 bandwidth inherit
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 zone-member security Outside
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 xx
 ppp ipcp dns request
 ppp ipcp wins request
 ip rtp header-compression iphc-format
!
ip local pool VPNPOOL 192.168.1.251 192.168.1.253
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
ip nat inside source static tcp 192.168.1.50 xx interface Dialer0 xx
ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.20 3389 interface Dialer0 3389
ip nat inside source list NAT-RANGES interface Dialer0 overload
ip nat inside source static tcp 192.168.1.65 xx interface Dialer0 xx
!
ip access-list standard Allowed_SNMP
 permit xx.22.xx.136
 permit xx.74.xx.71
 permit 192.168.1.0 0.0.0.255
 deny   any
ip access-list standard NAT-RANGES
 remark Define NAT internal ranges
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended BNI_VPC
 remark Traffic to BNI VPN
 permit ip any host 192.168.1.65

ip access-list extended ICMPReply
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
ip access-list extended PPTP-TERMINATED
 permit gre any any
 permit tcp any any eq 1723
ip access-list extended WebServer
 remark Traffic to Webserver
 permit ip any host 192.168.1.50
!
ip access-list logging interval 10
logging trap debugging
logging facility local6
logging 192.168.1.50
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community xx RW Allowed_SNMP
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 length 40
 width 160
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
time-range WEEKDAY
 periodic weekdays 8:00 to 18:00
!
end

Many thanks!


Jim

 

All working D

Code:

!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring
!
!
dot11 syslog
ip source-route
!
!
!
!
no ip cef
ip domain name xx.local
ip port-map user-PassiveFTP port tcp from xx to xx  description Passive FTP
ip port-map user-BNIRDP port tcp xx description BNI Remote Desktop
ip port-map user-RDP port tcp 3389 description Terminal Services
ip port-map user-ExtraSMTP port tcp xx description Additional SMTP Listener
ip inspect log drop-pkt
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!

parameter-map type inspect pmap-audit
 audit-trail on
!
!
!
username vpn-xx password 7 xx
username vpn-xx password 7 xx
username xx privilege 15 secret 5 $1$xx$xx.
! 
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
class-map type inspect match-all cm-Allow-SSH
 description Allow SSH access to router
 match access-group name acl-Allow-SSH
class-map type inspect match-any cm-ExtVisBNIProtocols
 description Externally visible protocols on the BNI VPC
 match protocol user-BNIRDP
class-map type inspect match-any cm-AllowedOut
 description Permitted Traffic to internet
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any cm-ExtVisWebserverProtocols
 description Externally visible protocols on the Webserver
 match protocol http
 match protocol https
 match protocol smtp extended
 match protocol pop3s
 match protocol user-RDP
 match protocol user-ExtraSMTP
 match protocol user-PassiveFTP
 match protocol ftp
class-map type inspect match-all cm-PPTP-Passthrough
 match access-group name acl-PPTP-Passthrough
class-map type inspect match-all cm-ICMP-Reply
 description Only certain pings permitted to router
 match access-group name acl-ICMP-Reply
class-map type inspect match-all cm-ExtVisBNIServices
 description Externally-visible protocols headed to BNI VPC
 match access-group name acl-BNI_VPC
 match class-map cm-ExtVisBNIProtocols
class-map type inspect match-all cm-PPTP-Terminated-Traffic
 match access-group name acl-PPTP-Terminated
class-map type inspect match-all cm-ExtVisWebserverServices
 description Externally-visible protocols headed to webserver
 match class-map cm-ExtVisWebserverProtocols
 match access-group name acl-WebServer
class-map type inspect match-any cm-RouterToOutside
 description Permit router-generated traffic out
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
policy-map type inspect pm-RouterToInside
 description Router to LAN
 class class-default
  pass
policy-map type inspect pm-InsideToRouter
 description LAN to router
 class class-default
  pass
policy-map type inspect pm-RouterToOutSide
 description Router to internet
 class type inspect cm-PPTP-Terminated-Traffic
  pass
 class class-default
  pass
policy-map type inspect pm-OutSideToRouter
 description Permitted traffic from internet to router
 class type inspect cm-Allow-SSH
  pass
 class type inspect cm-ICMP-Reply
  pass
 class type inspect cm-PPTP-Terminated-Traffic
  pass
 class class-default
  drop log
policy-map type inspect pm-InsideToOutside
 description LAN to Internet
 class type inspect cm-PPTP-Passthrough
  pass
 class type inspect cm-AllowedOut
  inspect 
 class class-default
  drop log
policy-map type inspect pm-OutsideToInside
 description Internet to LAN (server)
 class type inspect cm-PPTP-Passthrough
  pass
 class type inspect cm-ExtVisBNIServices
  inspect pmap-audit
 class type inspect cm-ExtVisWebserverServices
  inspect pmap-audit
 class class-default
  drop log
!
zone security Inside
zone security Outside
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect pm-InsideToOutside
zone-pair security RouterToInside source self destination Inside
 service-policy type inspect pm-RouterToInside
zone-pair security InsideToRouter source Inside destination self
 service-policy type inspect pm-InsideToRouter
zone-pair security OutsideToRouter source Outside destination self
 service-policy type inspect pm-OutSideToRouter
zone-pair security RouterToOutside source self destination Outside
 service-policy type inspect pm-RouterToOutSide
zone-pair security OutsideToInside source Outside destination Inside
 service-policy type inspect pm-OutsideToInside
!
!
!
interface ATM0
 description ADSL Connection
 no ip address
 no atm ilmi-keepalive
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl enable-training-log 
 dsl bitswap both
 hold-queue 200 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly
 zone-member security Inside
 peer default ip address pool VPNPOOL
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
interface Vlan1
 description XX LAN
 ip address 192.168.0.254 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 zone-member security Inside
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer0
 bandwidth inherit
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 zone-member security Outside
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 xx
 ppp ipcp dns request
 ppp ipcp wins request
 ip rtp header-compression iphc-format
!
ip local pool VPNPOOL 192.168.1.251 192.168.1.253
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
ip nat inside source static tcp 192.168.1.50 xx interface Dialer0 xx
ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.20 3389 interface Dialer0 3389
ip nat inside source list NAT-RANGES interface Dialer0 overload
ip nat inside source static tcp 192.168.1.65 xx interface Dialer0 xx
!
ip access-list standard Allowed_SNMP
 permit xx.22.xx.136
 permit xx.74.xx.71
 permit 192.168.1.0 0.0.0.255
 deny   any
ip access-list standard NAT-RANGES
 remark Define NAT internal ranges
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended acl-Allow-SSH
 permit tcp host 109.xx.xx.xx any eq 22
 remark Allow SSH from these EXTERNAL hosts
ip access-list extended acl-BNI_VPC
 remark Traffic to BNI VPN
 permit ip any host 192.168.1.65
ip access-list extended acl-ICMP-Reply
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
ip access-list extended acl-PPTP-Passthrough
 permit gre any any
ip access-list extended acl-PPTP-Terminated
 permit gre any any
 permit tcp any any eq 1723
ip access-list extended acl-WebServer
 remark Traffic to Webserver
 permit ip any host 192.168.1.50
!
ip access-list logging interval 10
logging trap debugging
logging facility local6
logging 192.168.1.50
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community xx RW Allowed_SNMP
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 length 40
 width 160
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
time-range WEEKDAY
 periodic weekdays 8:00 to 18:00
!
end