
Cisco 877 Zone-Based Firewall - is this right?

Discussion in 'General Cisco Certifications' started by jimwillsher, Oct 11, 2010.

  1. jimwillsher

    Hi all,

    I've made an attempt at configuring a zone-based firewall on my Cisco 877 running IOS 12.4(24)T2. Prior to today all was working really well, but I wanted to try to improve security for the web hosting / mail hosting behind it.

    I've added some rules to my config, and I don't seem to have broken anything, but I don't know if my new ZBF rules are actually doing anything. Is there an easy way for me to test them? The output from my show policy-map is always a bit.... zero :oops:


    Code:
    Cisco877#sh policy-map type inspect zone-pair OutsideToInside
    
    policy exists on zp OutsideToInside
     Zone-pair: OutsideToInside
    
      Service-policy inspect : OutsideToInside
    
        Class-map: ExternallyVisibleServices (match-all)
          Match: class-map match-any ExternallyVisibleProtocols
            Match: protocol http
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol https
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol smtp extended
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pptp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ftp
              0 packets, 0 bytes
              30 second rate 0 bps
    
       Inspect
            Session creations since subsystem startup or last reset 0
            Current session counts (estab/half-open/terminating) [0:0:0]
            Maxever session counts (estab/half-open/terminating) [0:0:0]
            Last session created never
            Last statistic reset never
            Last session creation rate 0
            Maxever session creation rate 0
            Last half-open session total 0
    
        Class-map: class-default (match-any)
          Match: any
          Drop
            0 packets, 0 byte
    

    My config is below, and the newly-added lines are in bold. Please could somebody take a look and see if my new lines are actually doing anything? I've tried following this example, and the linked page, but I got a bit lost :cry:

    Many thanks,


    Jim


    Code:
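    !
    ! Last configuration change at 10:39:37 GMT Mon Oct 11 2010 by root
    ! NVRAM config last updated at 10:06:34 GMT Mon Oct 11 2010 by root
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    ! 'service password-encryption' only obfuscates type-7 passwords (they are
    ! reversible); it is not a substitute for 'secret' (type 5).
    service password-encryption
    ! NOTE(review): 'service internal' unlocks hidden/diagnostic commands; remove
    ! it unless it was enabled for a specific troubleshooting session.
    service internal
    !
    hostname Cisco877
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 16386
    logging rate-limit 100 except warnings
    no logging console
    no logging monitor
    enable secret 5 xxx
    !
    aaa new-model
    !
    !
    ! All logins (console, VTY/SSH and PPP) authenticate against the local user
    ! database - so every local username, including the VPN accounts, is also a
    ! valid SSH login.
    aaa authentication login default local
    aaa authentication ppp default local
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time GMT recurring
    !
    !
    dot11 syslog
    ! NOTE(review): IP source routing is enabled. Cisco hardening guidance for an
    ! Internet-facing router is 'no ip source-route' unless it is really needed.
    ip source-route
    !
    !
    !
    !
    no ip cef
    ip domain name xxx.local
    ip inspect log drop-pkt
    ! NOTE(review): this classic (CBAC) inspect rule is defined but never applied
    ! - no interface below carries 'ip inspect firewall in|out' - so it inspects
    ! nothing. It is redundant once the zone-based policy is in effect.
    ip inspect name firewall tcp timeout 3600
    ip inspect name firewall udp timeout 3600
    ! Login brute-force throttle: 3 failures within 180 s quiets the device for
    ! 180 s; success/failure events go to the syslog host configured below.
    login block-for 180 attempts 3 within 180
    login on-failure log
    login on-success log
    no ipv6 cef
    ntp server ip time-a.nist.gov
    !
    multilink bundle-name authenticated
    !
    ! PPTP is terminated on the router itself (self zone): inbound TCP/1723 and
    ! GRE have to be permitted towards the router, not towards the LAN.
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    ! --- Zone-based firewall additions start here. The forum [B]/[/B] bold
    ! markers that were embedded in this listing are not IOS syntax and have
    ! been removed so the config can be pasted as-is. ---
    ! Audit-trail parameter map: logs session start/stop for classes that use it.
    parameter-map type inspect pmap-audit
     audit-trail on
    !
    !
    ! Both object-groups are referenced only by the EXT-IN access-list.
    object-group network L1_Allow_NTP 
     description Allow NTP from these hosts
     129.x.xx.xx 255.255.255.255
    !
    object-group network L2_Allow_SSH 
     description Allow SSH from these hosts
     192.168.1.0 255.255.255.0
    !
    ! The two 'password 7' (reversible) entries are presumably the PPTP users -
    ! MS-CHAPv2 needs a recoverable password on the authenticator. The admin
    ! account correctly uses a type-5 secret.
    username xxx password 7 xxx
    username xxx password 7 xxx
    username xxx privilege 15 secret 5 xxx
    ! 
    !
    !
    archive
     log config
      hidekeys
    !
    !
    ip ssh version 2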
    !
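    ! (Forum [B]/[/B] bold markers removed - they are not IOS syntax.)
    ! Protocol list: 'match protocol' entries are port/application matches, not
    ! destination-host matches, so this class matches those services towards
    ! ANY host that NAT forwards to.
    class-map type inspect match-any ExternallyVisibleProtocols
     description Externally-visible protocols   
     match protocol http
     match protocol https
     match protocol smtp extended
     ! NOTE(review): PPTP is terminated on the router (see vpdn-group), so an
     ! Outside->Inside pair will never see PPTP control traffic; this entry is
     ! dead here and belongs in an Outside->self policy.
     match protocol pptp
     match protocol ftp
    ! match-all wrapper with a single nested class - equivalent to the inner
    ! class. Adding a 'match access-group' here (as the later revisions do) is
    ! what restricts the allowed destination hosts.
    class-map type inspect match-all ExternallyVisibleServices
     description Externally-visible protocols headed to LAN   
     match class-map ExternallyVisibleProtocols
    !
    !
    ! Internet -> LAN: stateful inspection for the listed services, with audit
    ! trail; everything else dropped and logged.
    policy-map type inspect OutsideToInside
     description Internet to LAN (server)   
     class type inspect ExternallyVisibleServices
      inspect pmap-audit
     class class-default
      drop log
    !
    zone security Inside
    zone security Outside
    !
    !
    ! Only Outside->Inside is defined. ZBF drops traffic between two zones that
    ! have no zone-pair, so once Vlan1 is put in Inside and Dialer0 in Outside,
    ! LAN-originated traffic needs an Inside->Outside pair/policy as well. The
    ! all-zero counters in 'show policy-map type inspect zone-pair' are consistent
    ! with no traffic traversing this pair at all (the IP-bearing interfaces are
    ! not yet zone members - see the interface section).
    zone-pair security OutsideToInside source Outside destination Inside
     service-policy type inspect OutsideToInside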
    !
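    interface ATM0
     description ADSL Connection
     no ip address
     ! NOTE(review): ATM0 only carries the PPPoA bundle (it has no IP address).
     ! The Internet-facing IP interface is Dialer0, so the Outside membership
     ! belongs there; as placed here the Outside->Inside policy sees nothing.
     ! (Forum [B]/[/B] markers removed from this and the lines below.)
     zone-member security Outside
     no atm ilmi-keepalive
     pvc 0/38 
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl enable-training-log 
     dsl bitswap both
     hold-queue 200 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    ! PPTP client interface: VPN users are addressed out of the LAN subnet.
    interface Virtual-Template1
     ip unnumbered Vlan1
     ip nat inside
     ip virtual-reassembly
     ! Currently the only Inside member. ZBF drops traffic between a zone member
     ! and an interface that is in no zone, so VPN-client <-> Vlan1 traffic is
     ! expected to be dropped until Vlan1 is also placed in Inside.
     zone-member security Inside
     peer default ip address pool VPNPOOL
     no keepalive
     ! NOTE(review): MS-CHAPv2 has since been shown to be crackable offline from
     ! a captured handshake, and the MPPE key is derived from it. Treat PPTP as a
     ! legacy remote-access path (IPsec/IKEv2 or SSL VPN are the alternatives).
     ppp encrypt mppe auto required
     ppp authentication ms-chap-v2
    !
    interface Vlan1
     description LAN
     ip address 192.168.0.254 255.255.255.0 secondary
     ip address 192.168.19.254 255.255.255.0 secondary
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip nat enable
     ip virtual-reassembly
     ! NOTE(review): no 'zone-member security Inside' here, so the LAN is outside
     ! the zone-based firewall entirely in this revision.
     ip tcp adjust-mss 1452
     hold-queue 100 in
     hold-queue 100 out
    !
    interface Dialer0
     bandwidth inherit
     ip address negotiated
     ! Until Dialer0 is a zone member, these stateless ACLs are the only filter
     ! between the Internet and the LAN/router.
     ip access-group EXT-IN in
     ip access-group EXT-OUT out
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression iphc-format
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication pap chap callin
     ! (forum [EMAIL] markup removed from the hostname)
     ppp chap hostname xxx@xxx.xxx.co.uk
     ppp chap password 7 xxx
     ppp ipcp dns request
     ppp ipcp wins request
     ip rtp header-compression iphc-format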
    ip local pool VPNPOOL 192.168.1.251 192.168.1.253
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ! Management web UI off; SSH (VTY lines below) is the only management path.
    no ip http server
    no ip http secure-server
    !
    !
    ip dns server
    no ip nat service sip udp port 5060
    ! Each static NAT below is a service exposed on the WAN address. With the
    ! zone policy not yet in effect (see interface zoning), the only inbound
    ! filter is the stateless EXT-IN ACL on Dialer0.
    ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
    ! Port 20 is the server's *source* port for active-mode data connections, so
    ! an inbound forward for it is probably unnecessary - confirm before removing.
    ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
    ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
    ! NOTE(review): RDP (3389) on 192.168.1.20 is reachable from any Internet
    ! host (EXT-IN permits 'tcp any any eq 3389'). Restrict the source addresses
    ! or reach it over the VPN instead.
    ip nat inside source static tcp 192.168.1.20 3389 interface Dialer0 3389
    ip nat inside source list NAT-RANGES interface Dialer0 overload
    !
    ! Source filter for the SNMP community (see snmp-server line below).
    ip access-list standard Allowed_SNMP
     permit 192.168.1.0 0.0.0.255
     deny   any
    ! Only 192.168.1.0/24 is translated; the secondary subnets on Vlan1
    ! (192.168.0.0/24, 192.168.19.0/24) are not in this list.
    ip access-list standard NAT-RANGES
     remark Define NAT internal ranges
     permit 192.168.1.0 0.0.0.255
    !
    ! Stateless inbound filter applied to Dialer0.
    ip access-list extended EXT-IN
     remark Inbound external interface
     remark The below set the rfc1918 private exclusions
     ! NOTE(review): 172.16.0.0/12 is missing from the private-source exclusions.
     deny   ip 192.168.0.0 0.0.255.255 any
     deny   ip 10.0.0.0 0.255.255.255 any
     remark Allow established sessions back in
     ! 'established' only tests the ACK/RST flag: any TCP packet with ACK set is
     ! accepted whether or not a session exists. Stateful inspection (CBAC or
     ! ZBF) is what replaces this.
     permit tcp any any established
     remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
     permit tcp any any eq smtp
     permit tcp any any eq www
     permit udp object-group L1_Allow_NTP any eq ntp
     ! NOTE(review): this SSH permit can never match - its source range
     ! (192.168.1.0/24) is already denied by the 192.168.0.0/16 line above. The
     ! net effect (no SSH from the Internet) is fine, but the entry is dead.
     permit tcp object-group L2_Allow_SSH any eq 22 log
     permit tcp any any eq 443
     permit tcp any any eq 995
     ! NOTE(review): RDP from any source address.
     permit tcp any any eq 3389
     ! PPTP control channel and GRE, for the PPTP server on the router itself.
     permit tcp any any eq 1723
     permit tcp any any eq ftp
     permit tcp any any eq ftp-data
     remark Passive FTP ports matching vsftpd config
     permit tcp any any range 50000 50050
     permit gre any any
     ! NOTE(review): this admits ANY UDP packet whose *source* port is 53 to ANY
     ! destination port - a classic source-port bypass. If it exists to let DNS
     ! answers back in, inspection covers that; otherwise pin the destination.
     permit udp any eq domain any
     remark Standard acceptable icmp rules
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any source-quench
     permit icmp any any packet-too-big
     permit icmp any any time-exceeded
     deny   ip any any
    ! Outbound: unrestricted.
    ip access-list extended EXT-OUT
     remark Allow all outbound IP
     permit ip any any
    !
    ip access-list logging interval 10
    ! Syslog at 'debugging' level to 192.168.1.50 - which is also the
    ! Internet-facing web/mail server. NOTE(review): firewall logs kept on the
    ! most exposed host can be altered if that host is compromised; a dedicated
    ! internal log host is preferable.
    logging trap debugging
    logging facility local6
    logging 192.168.1.50
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    ! NOTE(review): read-WRITE SNMP community (v1/v2c, cleartext on the wire),
    ! limited to the LAN by Allowed_SNMP. Prefer RO unless writes are needed.
    snmp-server community XXX RW Allowed_SNMP
    !
    control-plane
    !
    !
    line con 0
     ! NOTE(review): 'exec-timeout 0 0' disables the idle timeout.
     exec-timeout 0 0
     no modem enable
     transport output all
    line aux 0
     transport output all
    line vty 0 4
     ! NOTE(review): idle SSH sessions never time out.
     exec-timeout 0 0
     ! NOTE(review): with 'aaa authentication login default local' and no
     ! 'aaa authorization exec' in this config, any local account - including
     ! the two 'password 7' VPN users - can SSH in, and a line-level 15 appears
     ! to land them straight in enable mode. Confirm with 'show privilege' as
     ! one of those users; if so, drop this line and grant level 15 per user.
     privilege level 15
     length 40
     width 160
     ! SSH only; telnet is not accepted.
     transport input ssh
     transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    ! Defined but not referenced anywhere in this config.
    time-range WEEKDAY
     periodic weekdays 8:00 to 18:00
    !
    end
    
    
     
  2. Spice_Weasel

    Hi Jim,

    There are a few problems with your config. The main one is that although you have a zone-pair to allow some traffic in, the interfaces that actually carry the traffic are not in any zone: only ATM0 and Virtual-Template1 are members, so the policy is never applied. ATM0 just carries the PPPoA bundle (it has no IP address); Dialer0 should be in Outside and Vlan1 in Inside. Bear in mind that ZBF drops traffic between an interface that is in a zone and one that is not, so add the memberships and the policies together. Also, you only have a policy for traffic inbound; you should make Inside-to-Outside and Outside-to-self policies as well, and then you can tidy up (or remove) the EXT-IN/EXT-OUT access-lists - at the moment they accept RDP (3389) from anywhere.

    The zone-based firewall is nice and has a lot of good features, but the classic CBAC (`ip inspect`) IOS firewall is handy and quick to set up, especially for a simple internal-LAN / external-Internet situation like this one.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  3. jimwillsher

    Many thanks for your time spice_weasel, your posting is valuable to me. I will have a go at reconfiguring, taking your suggestions/pointers on board. Zone-based does seem to provide a more complex config but, as you say, it has some nice features.

    We do have a simple setup - single internet IP address, web/mail hosting behind the router, NAT (but hey, you can see that from the config :-) ). Do you think a zone-based firewall is worth the configuration hassle? I want something that's secure - in your view is zone-based more secure than what I have at present?

    Thanks again,



    Jim
     
  4. jimwillsher

    Aaarrrrggghhhhhhhhhhhhhhhhhhhh:(:(:(

    So near yet so far. Okay, all seems to be working well, I have inside to out and outside to in. The ONLY thing I've tried to get working, and failed, is the VPN. I can no longer VPN into my unit from outside (the router is a PPTP terminator). I get the "connecting" message, but I never get the "verifying username" or "registering..." messages. Looking at my syslog I get this:

    %FW-6-DROP_PKT: Dropping tcp session <my router IP>:1723 <Remote VPN Client IP>:31366 on zone-pair RouterToOutside class class-default due to DROP action found in policy-map with ip ident 0

    I'm confused, as my RouterToOutside pair class-default doesn't have a drop, it has a pass.

    If anyone is kind enough to still be watching, my config is this:

    Code:
    
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    ! Type-7 obfuscation only; not a substitute for 'secret'.
    service password-encryption
    ! NOTE(review): 'service internal' unlocks hidden/diagnostic commands;
    ! remove unless needed for a specific troubleshooting session.
    service internal
    !
    hostname Cisco877
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 16386
    logging rate-limit 100 except warnings
    no logging console
    no logging monitor
    enable secret 5 xxx
    !
    aaa new-model
    !
    !
    ! All logins (console, SSH, PPP) use the local user database - every local
    ! username, including the VPN accounts, is also a valid SSH login.
    aaa authentication login default local
    aaa authentication ppp default local
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time GMT recurring
    !
    !
    dot11 syslog
    ! NOTE(review): IP source routing enabled; hardening guidance for an
    ! Internet-facing router is 'no ip source-route'.
    ip source-route
    !
    !
    !
    !
    no ip cef
    ip domain name xxx.local
    ! User-defined port maps: they let 'match protocol user-*' be used in the
    ! class-maps, but they are plain TCP port matches (no application
    ! inspection behind them).
    ip port-map user-PassiveFTP port tcp from xxx to xxx  description Passive FTP
    ip port-map user-BNIRDP port tcp xx description BNI Remote Desktop
    ip port-map user-RDP port tcp 3389 description Terminal Services
    ip port-map user-ExtraSMTP port tcp xx description Additional SMTP Listener
    ip inspect log drop-pkt
    ! NOTE(review): classic (CBAC) inspect rules still defined but applied to no
    ! interface; dead config now that ZBF is active.
    ip inspect name firewall tcp timeout 3600
    ip inspect name firewall udp timeout 3600
    ! Login brute-force throttle plus success/failure logging.
    login block-for 180 attempts 3 within 180
    login on-failure log
    login on-success log
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    ! PPTP server on the router itself (self zone).
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    
    ! Audit-trail parameter map used by the inspect classes.
    parameter-map type inspect pmap-audit
     audit-trail on
    !
    !
    ! NOTE(review): none of these object-groups is referenced by an ACL or
    ! class-map in this revision (the ntp server line is gone too) - dead config.
    object-group network L1_Allow_NTP 
     description Allow NTP from these hosts
     129.6.15.28 255.255.255.255
    !
    object-group network L1_BNI_VPC 
     host 192.168.1.65
    !
    object-group network L1_Webserver 
     host 192.168.1.50
    !
    object-group network L2_Allow_SSH 
     description Allow SSH from these hosts
     192.168.1.0 255.255.255.0
    !
    ! Reversible passwords for the PPTP users (presumably required by
    ! MS-CHAPv2); the admin account uses a type-5 secret.
    username vpn-xx password 7 xx
    username vpn-xx password 7 xx
    username root privilege 15 secret 5 $ss$xx$xxxx.
    ! 
    !
    !
    archive
     log config
      hidekeys
    !
    !
    ip ssh version 2
    !
    ! NOTE(review): this is a match-ANY class that also contains 'match
    ! access-group name BNI_VPC' (= any IP to 192.168.1.65). Any packet to that
    ! host satisfies the class regardless of port, so the user-BNIRDP restriction
    ! is moot.
    class-map type inspect match-any ExtVisBNIProtocols
     description Externally-visible protocols
     match protocol user-BNIRDP
     match access-group name BNI_VPC
    ! Port-based matches; the user-* entries come from the ip port-map lines.
    class-map type inspect match-any ExtVisWebserverProtocols
     description Externally-visible protocols
     match protocol http
     match protocol https
     match protocol smtp extended
     match protocol pop3s
     match protocol user-RDP
     match protocol user-ExtraSMTP
     match protocol user-PassiveFTP
     match protocol ftp
    ! LAN -> Internet: all TCP/UDP/ICMP, statefully inspected.
    class-map type inspect match-any AllowedOut
     description Permitted Traffic to internet
     match protocol tcp
     match protocol udp
     match protocol icmp
    ! ICMP error types accepted by the router (see the ICMPReply ACL).
    class-map type inspect match-all ICMPReply
     description Only certain pings permitted to router
     match access-group name ICMPReply
    ! Router-originated TCP/UDP/ICMP; used with 'inspect' in RouterToOutSide.
    class-map type inspect match-any RouterToOutside
     description Permit router-generated traffic out
     match protocol tcp
     match protocol udp
     match protocol icmp
    ! match-all of (ExtVisBNIProtocols AND BNI_VPC). Because ExtVisBNIProtocols
    ! is already satisfied by BNI_VPC alone, this reduces to "any IP to
    ! 192.168.1.65": every port NAT forwards to that host gets through, not
    ! just user-BNIRDP. (Post 5 fixes this by dropping the access-group line
    ! from the protocol class.)
    class-map type inspect match-all ExtVisBNIServices
     description Externally-visible protocols headed to BNI VPC
     match class-map ExtVisBNIProtocols
     match access-group name BNI_VPC
    ! GRE + TCP/1723 from any source to the router's PPTP server.
    class-map type inspect match-all PPTP-Terminated-Traffic
     match access-group name PPTP-TERMINATED
    ! Protocol list AND destination 192.168.1.50 - correctly scoped.
    class-map type inspect match-all ExtVisWebserverServices
     description Externally-visible protocols headed to webserver
     match class-map ExtVisWebserverProtocols
     match access-group name WebServer
    !
    !
    ! self <-> Inside: wide open in both directions. 'pass' creates no session
    ! state, which is why each direction needs its own pass.
    policy-map type inspect RouterToInside
     description Router to LAN
     class class-default
      pass
    policy-map type inspect InsideToRouter
     description LAN to router   
     class class-default
      pass
    ! LAN -> Internet: stateful inspection of TCP/UDP/ICMP; anything else is
    ! dropped and logged.
    policy-map type inspect InsideToOutside
     description LAN to Internet
     class type inspect AllowedOut
      inspect 
     class class-default
      drop log
    ! Internet -> LAN: only the two server classes, with audit trail. (See the
    ! ExtVisBNIServices class: as written it admits any port to 192.168.1.65.)
    policy-map type inspect OutsideToInside
     description Internet to LAN (server)
     class type inspect ExtVisBNIServices
      inspect pmap-audit
     class type inspect ExtVisWebserverServices
      inspect pmap-audit
     class class-default
      drop log
    ! Internet -> router: selected ICMP errors and PPTP (TCP/1723 + GRE from any
    ! source) are passed statelessly; everything else, SSH included, is dropped
    ! and logged. Because 'pass' keeps no session, the router's replies to these
    ! flows have to be allowed separately by the self -> Outside policy below.
    policy-map type inspect OutSideToRouter
     description Permitted traffic from internet to router
     class type inspect ICMPReply
      pass
     class type inspect PPTP-Terminated-Traffic
      pass
     class class-default
      drop log
    ! Router -> Internet. NOTE(review): the most plausible cause of the
    ! %FW-6-DROP_PKT on TCP/1723 is here, not in class-default. The PPTP SYN
    ! came in under 'pass' (no session created), so the router's SYN-ACK hits
    ! the 'inspect' class below (it matches tcp) as a mid-stream packet with no
    ! session entry and is dropped; the log line's attribution to class-default
    ! does not match the policy, which has class-default = pass. The working
    ! config in post 5 gives PPTP an explicit 'pass' class and removes the
    ! inspect class entirely - confirm against 'show policy-map type inspect
    ! zone-pair RouterToOutside' drop counters.
    policy-map type inspect RouterToOutSide
     description Router to internet
     class type inspect RouterToOutside
      inspect pmap-audit
     class class-default
      pass
    !
    zone security Inside
    zone security Outside
    ! All six pairs between Inside, Outside and self are defined, so no traffic
    ! falls back to the ZBF defaults (pass for self, drop between zones).
    ! Interfaces in no zone at all cannot exchange traffic with zone members -
    ! Virtual-Template1 is in that state in this revision (see interfaces).
    zone-pair security InsideToOutside source Inside destination Outside
     service-policy type inspect InsideToOutside
    zone-pair security RouterToInside source self destination Inside
     service-policy type inspect RouterToInside
    zone-pair security InsideToRouter source Inside destination self
     service-policy type inspect InsideToRouter
    zone-pair security OutsideToRouter source Outside destination self
     service-policy type inspect OutSideToRouter
    zone-pair security RouterToOutside source self destination Outside
     service-policy type inspect RouterToOutSide
    zone-pair security OutsideToInside source Outside destination Inside
     service-policy type inspect OutsideToInside
    !
    !
    !
    ! ATM0 carries only the PPPoA bundle; it correctly has no zone membership
    ! now (Dialer0 is the Outside interface).
    interface ATM0
     description ADSL Connection
     no ip address
     no atm ilmi-keepalive
     pvc 0/38 
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl enable-training-log 
     dsl bitswap both
     hold-queue 200 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    ! PPTP client interface. NOTE(review): it has no 'zone-member' in this
    ! revision, so once a client does connect, its traffic to Vlan1 (Inside)
    ! would be dropped by the zone/non-zone rule. Post 5 adds it to Inside.
    interface Virtual-Template1
     ip unnumbered Vlan1
     ip nat inside
     ip virtual-reassembly
     peer default ip address pool VPNPOOL
     no keepalive
     ! MS-CHAPv2 + MPPE: crackable offline from a captured handshake; treat as
     ! a legacy remote-access path.
     ppp encrypt mppe auto required
     ppp authentication ms-chap-v2
    !
    interface Vlan1
     description xx LAN
     ip address 192.168.0.254 255.255.255.0 secondary
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip nat enable
     ip virtual-reassembly
     ! LAN is now inside the firewall.
     zone-member security Inside
     ip tcp adjust-mss 1452
     hold-queue 100 in
     hold-queue 100 out
    !
    interface Dialer0
     bandwidth inherit
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     ! The EXT-IN/EXT-OUT ACLs are gone; the zone policies are now the filter.
     zone-member security Outside
     encapsulation ppp
     ip tcp header-compression iphc-format
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication pap chap callin
     ppp chap hostname xxx@xx.xx.co.uk
     ppp chap password 7 xx
     ppp ipcp dns request
     ppp ipcp wins request
     ip rtp header-compression iphc-format
    !
    ip local pool VPNPOOL 192.168.1.251 192.168.1.253
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    !
    !
    ip dns server
    no ip nat service sip udp port 5060
    ! Each static NAT is an exposed service; the Outside->Inside zone policy is
    ! now the gate, so only ports listed in ExtVisWebserverProtocols reach .50.
    ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
    ip nat inside source static tcp 192.168.1.50 xx interface Dialer0 xx
    ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
    ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
    ! NOTE(review): 3389 is forwarded to 192.168.1.20, but the only class that
    ! admits user-RDP requires destination 192.168.1.50 (WebServer ACL). Either
    ! this entry is stale or RDP is now silently dropped by class-default -
    ! confirm which is intended.
    ip nat inside source static tcp 192.168.1.20 3389 interface Dialer0 3389
    ip nat inside source list NAT-RANGES interface Dialer0 overload
    ! Exposed on 192.168.1.65; see the ExtVisBNIServices note on how widely.
    ip nat inside source static tcp 192.168.1.65 xx interface Dialer0 xx
    !
    ! NOTE(review): two external addresses have been added to the SNMP RW
    ! allow-list. They cannot reach the router today (the Outside->self policy
    ! has no SNMP class, so UDP/161 from the Internet is dropped), but if that
    ! is ever opened this is a cleartext read-write community on the Internet.
    ip access-list standard Allowed_SNMP
     permit xx.22.xx.136
     permit xx.74.xx.71
     permit 192.168.1.0 0.0.0.255
     deny   any
    ip access-list standard NAT-RANGES
     remark Define NAT internal ranges
     permit 192.168.1.0 0.0.0.255
    !
    ! Any IP to the BNI host - used both as the host match and (wrongly) inside
    ! the match-any protocol class; see the class-map section.
    ip access-list extended BNI_VPC
     remark Traffic to BNI VPN
     permit ip any host 192.168.1.65
    
    ! ICMP error types the router accepts from the Internet (no echo/echo-reply).
    ip access-list extended ICMPReply
     permit icmp any any host-unreachable
     permit icmp any any port-unreachable
     permit icmp any any ttl-exceeded
     permit icmp any any packet-too-big
    ! PPTP server on the router: GRE and TCP/1723 from any source.
    ip access-list extended PPTP-TERMINATED
     permit gre any any
     permit tcp any any eq 1723
    ip access-list extended WebServer
     remark Traffic to Webserver
     permit ip any host 192.168.1.50
    !
    ip access-list logging interval 10
    ! Syslog at 'debugging' level to 192.168.1.50, the Internet-facing web/mail
    ! server. NOTE(review): firewall logs on the most exposed host can be
    ! altered if it is compromised; prefer a dedicated internal log host.
    logging trap debugging
    logging facility local6
    logging 192.168.1.50
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    ! NOTE(review): read-WRITE SNMP community (v1/v2c, cleartext); prefer RO.
    snmp-server community xx RW Allowed_SNMP
    !
    control-plane
    !
    !
    line con 0
     ! NOTE(review): idle timeout disabled.
     exec-timeout 0 0
     no modem enable
     transport output all
    line aux 0
     transport output all
    line vty 0 4
     ! NOTE(review): idle SSH sessions never time out.
     exec-timeout 0 0
     ! NOTE(review): any local account - including the 'password 7' VPN users -
     ! can SSH in (login default local), and a line-level 15 with no 'aaa
     ! authorization exec' appears to give them enable access. Confirm and
     ! grant level 15 per user instead.
     privilege level 15
     length 40
     width 160
     transport input ssh
     transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    ! Defined but not referenced anywhere in this config.
    time-range WEEKDAY
     periodic weekdays 8:00 to 18:00
    !
    end
    
    

    Many thanks!


    Jim
     
    Last edited: Oct 15, 2010
  5. jimwillsher

    All working :D:D:D

    Code:
    
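    !
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    ! Type-7 obfuscation only (reversible); not a substitute for 'secret'.
    service password-encryption
    ! NOTE(review): 'service internal' unlocks hidden/diagnostic commands;
    ! remove it unless needed for a specific troubleshooting session.
    service internal
    !
    hostname Cisco877
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 16386
    logging rate-limit 100 except warnings
    no logging console
    no logging monitor
    enable secret 5 xxxx
    !
    aaa new-model
    !
    !
    ! All logins (console, SSH, PPP) use the local user database: every local
    ! username, including the VPN accounts, is also a valid SSH login.
    aaa authentication login default local
    aaa authentication ppp default local
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time GMT recurring
    !
    !
    dot11 syslog
    ! Source routing disabled (was 'ip source-route'): an Internet-facing router
    ! should not honour sender-specified paths; nothing in this config needs it.
    no ip source-route
    !
    !
    !
    !
    no ip cef
    ip domain name xx.local
    ! User-defined port maps so the class-maps can say 'match protocol user-*'.
    ! These are plain TCP port matches; there is no application inspection
    ! behind them.
    ip port-map user-PassiveFTP port tcp from xx to xx  description Passive FTP
    ip port-map user-BNIRDP port tcp xx description BNI Remote Desktop
    ip port-map user-RDP port tcp 3389 description Terminal Services
    ip port-map user-ExtraSMTP port tcp xx description Additional SMTP Listener
    ip inspect log drop-pkt
    ! Login brute-force throttle: 3 failures within 180 s quiets the device for
    ! 180 s; successes and failures are logged to the syslog host below.
    login block-for 180 attempts 3 within 180
    login on-failure log
    login on-success log
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    ! PPTP server on the router itself (self zone); see the Outside->self policy.
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    
    ! Audit-trail parameter map used by the Internet->LAN inspect classes.
    parameter-map type inspect pmap-audit
     audit-trail on
    !
    !
    !
    ! Reversible ('password 7') credentials for the PPTP users - presumably
    ! required by MS-CHAPv2 - and a type-5 secret for the admin account.
    username vpn-xx password 7 xx
    username vpn-xx password 7 xx
    username xx privilege 15 secret 5 $1$xx$xx.
    ! 
    !
    !
    archive
     log config
      hidekeys
    !
    !
    ip ssh version 2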
    !
    ! SSH to the router from the single external host in acl-Allow-SSH.
    class-map type inspect match-all cm-Allow-SSH
     description Allow SSH access to router
     match access-group name acl-Allow-SSH
    ! Fixed relative to post 4: protocol-only here; the host match now lives
    ! solely in cm-ExtVisBNIServices.
    class-map type inspect match-any cm-ExtVisBNIProtocols
     description Externally visible protocols on the BNI VPC
     match protocol user-BNIRDP
    ! LAN -> Internet: all TCP/UDP/ICMP, statefully inspected.
    class-map type inspect match-any cm-AllowedOut
     description Permitted Traffic to internet
     match protocol tcp
     match protocol udp
     match protocol icmp
    ! Port-based matches (user-* come from the ip port-map lines).
    ! NOTE(review): user-RDP (3389) is listed for the web server, but the static
    ! NAT for 3389 points at 192.168.1.20, which no class admits - see NAT.
    class-map type inspect match-any cm-ExtVisWebserverProtocols
     description Externally visible protocols on the Webserver
     match protocol http
     match protocol https
     match protocol smtp extended
     match protocol pop3s
     match protocol user-RDP
     match protocol user-ExtraSMTP
     match protocol user-PassiveFTP
     match protocol ftp
    ! GRE only (acl-PPTP-Passthrough): PPTP passing *through* the router.
    class-map type inspect match-all cm-PPTP-Passthrough
     match access-group name acl-PPTP-Passthrough
    ! ICMP error types accepted by the router. echo-reply is absent: since
    ! self->Outside traffic is merely passed (not inspected), 'ping' sourced
    ! from the router gets no replies through Outside->self.
    class-map type inspect match-all cm-ICMP-Reply
     description Only certain pings permitted to router
     match access-group name acl-ICMP-Reply
    ! user-BNIRDP AND destination 192.168.1.65 - correctly scoped now.
    class-map type inspect match-all cm-ExtVisBNIServices
     description Externally-visible protocols headed to BNI VPC
     match access-group name acl-BNI_VPC
     match class-map cm-ExtVisBNIProtocols
    ! GRE + TCP/1723 from any source to the router's PPTP server.
    class-map type inspect match-all cm-PPTP-Terminated-Traffic
     match access-group name acl-PPTP-Terminated
    ! Protocol list AND destination 192.168.1.50.
    class-map type inspect match-all cm-ExtVisWebserverServices
     description Externally-visible protocols headed to webserver
     match class-map cm-ExtVisWebserverProtocols
     match access-group name acl-WebServer
    ! Defined but no longer referenced by any policy-map in this revision.
    class-map type inspect match-any cm-RouterToOutside
     description Permit router-generated traffic out
     match protocol tcp
     match protocol udp
     match protocol icmp
    !
    !
    ! self <-> Inside: wide open in both directions ('pass' is stateless, so
    ! each direction needs its own pass).
    policy-map type inspect pm-RouterToInside
     description Router to LAN
     class class-default
      pass
    policy-map type inspect pm-InsideToRouter
     description LAN to router
     class class-default
      pass
    ! self -> Internet: everything passed, nothing inspected - this is the change
    ! that made PPTP work (post 4 had an 'inspect' class here). Consequence: no
    ! session state exists for router-originated traffic, so replies must be
    ! explicitly allowed by pm-OutSideToRouter; anything not listed there
    ! (echo-reply, NTP/DNS answers if the router ever originates them) is
    ! dropped and logged. The explicit PPTP class is redundant with
    ! class-default 'pass' but documents the intent.
    policy-map type inspect pm-RouterToOutSide
     description Router to internet
     class type inspect cm-PPTP-Terminated-Traffic
      pass
     class class-default
      pass
    ! Internet -> router: SSH from one host, four ICMP error types, and the PPTP
    ! server (TCP/1723 + GRE from ANY source, passed statelessly).
    ! NOTE(review): PPTP/MS-CHAPv2 is crackable offline from a captured
    ! handshake; treat it as a legacy remote-access path and plan for
    ! IPsec/IKEv2 or SSL VPN. Until then, limit acl-PPTP-Terminated by source
    ! address wherever the client addresses are known.
    policy-map type inspect pm-OutSideToRouter
     description Permitted traffic from internet to router
     class type inspect cm-Allow-SSH
      pass
     class type inspect cm-ICMP-Reply
      pass
     class type inspect cm-PPTP-Terminated-Traffic
      pass
     class class-default
      drop log
    ! LAN -> Internet: GRE passed statelessly (PPTP passthrough), TCP/UDP/ICMP
    ! inspected, everything else dropped and logged.
    policy-map type inspect pm-InsideToOutside
     description LAN to Internet
     class type inspect cm-PPTP-Passthrough
      pass
     class type inspect cm-AllowedOut
      inspect 
     class class-default
      drop log
    ! Internet -> LAN. NOTE(review): 'pass' on cm-PPTP-Passthrough admits GRE
    ! from any Internet source towards the LAN without inspection. Whether a
    ! GRE packet reaches an inside host at all depends on the NAT PPTP handling
    ! (GRE has no port to translate) - confirm the passthrough is actually
    ! needed, and if so pin the destination to the host that uses it.
    policy-map type inspect pm-OutsideToInside
     description Internet to LAN (server)
     class type inspect cm-PPTP-Passthrough
      pass
     class type inspect cm-ExtVisBNIServices
      inspect pmap-audit
     class type inspect cm-ExtVisWebserverServices
      inspect pmap-audit
     class class-default
      drop log
    !
    zone security Inside
    zone security Outside
    ! All six pairs between Inside, Outside and self are defined, so nothing
    ! falls back to the ZBF defaults (pass for self, drop between zones).
    ! Every IP-bearing interface is now a zone member (see interfaces).
    zone-pair security InsideToOutside source Inside destination Outside
     service-policy type inspect pm-InsideToOutside
    zone-pair security RouterToInside source self destination Inside
     service-policy type inspect pm-RouterToInside
    zone-pair security InsideToRouter source Inside destination self
     service-policy type inspect pm-InsideToRouter
    zone-pair security OutsideToRouter source Outside destination self
     service-policy type inspect pm-OutSideToRouter
    zone-pair security RouterToOutside source self destination Outside
     service-policy type inspect pm-RouterToOutSide
    zone-pair security OutsideToInside source Outside destination Inside
     service-policy type inspect pm-OutsideToInside
    !
    !
    !
    ! ATM0 carries only the PPPoA bundle; no zone membership needed here.
    interface ATM0
     description ADSL Connection
     no ip address
     no atm ilmi-keepalive
     pvc 0/38 
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl enable-training-log 
     dsl bitswap both
     hold-queue 200 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    ! PPTP client interface, now back in Inside (it was unzoned in post 4, which
    ! would have cut VPN clients off from Vlan1).
    interface Virtual-Template1
     ip unnumbered Vlan1
     ip nat inside
     ip virtual-reassembly
     zone-member security Inside
     peer default ip address pool VPNPOOL
     no keepalive
     ! MS-CHAPv2 + MPPE: crackable offline from a captured handshake; treat as
     ! a legacy remote-access path.
     ppp encrypt mppe auto required
     ppp authentication ms-chap-v2
    !
    interface Vlan1
     description XX LAN
     ! Only 192.168.1.0/24 is in NAT-RANGES; the secondary subnet is not
     ! translated.
     ip address 192.168.0.254 255.255.255.0 secondary
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip nat enable
     ip virtual-reassembly
     zone-member security Inside
     ip tcp adjust-mss 1452
     hold-queue 100 in
     hold-queue 100 out
    !
    ! Internet-facing IP interface: Outside zone; the zone policies are the
    ! only filter (no interface ACLs).
    interface Dialer0
     bandwidth inherit
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     zone-member security Outside
     encapsulation ppp
     ip tcp header-compression iphc-format
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication pap chap callin
     ppp chap hostname xx@xx.xx.co.uk
     ppp chap password 7 xx
     ppp ipcp dns request
     ppp ipcp wins request
     ip rtp header-compression iphc-format
    ip local pool VPNPOOL 192.168.1.251 192.168.1.253
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ! Management web UI off; SSH is the only management path.
    no ip http server
    no ip http secure-server
    !
    !
    ip dns server
    no ip nat service sip udp port 5060
    ! Each static NAT is an exposed service; pm-OutsideToInside is the gate, so
    ! only ports listed in cm-ExtVisWebserverProtocols reach 192.168.1.50.
    ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
    ip nat inside source static tcp 192.168.1.50 xx interface Dialer0 xx
    ! Port 20 is the server's *source* port for active-mode data connections;
    ! an inbound forward for it is probably unnecessary - confirm before removing.
    ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
    ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
    ! NOTE(review): 3389 is forwarded to 192.168.1.20, but user-RDP is only
    ! admitted towards 192.168.1.50 (acl-WebServer). Either this entry is stale
    ! - in which case remove it - or RDP is silently dropped by class-default.
    ip nat inside source static tcp 192.168.1.20 3389 interface Dialer0 3389
    ip nat inside source list NAT-RANGES interface Dialer0 overload
    ! Exposed on 192.168.1.65, limited to user-BNIRDP by cm-ExtVisBNIServices.
    ip nat inside source static tcp 192.168.1.65 xx interface Dialer0 xx
    !
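    ! SNMP RW community allow-list. NOTE(review): the two external addresses are
    ! unreachable today (pm-OutSideToRouter has no SNMP class, so UDP/161 from
    ! the Internet is dropped). If that is ever opened, this becomes a cleartext
    ! read-write community exposed to the Internet.
    ip access-list standard Allowed_SNMP
     permit xx.22.xx.136
     permit xx.74.xx.71
     permit 192.168.1.0 0.0.0.255
     deny   any
    ! Only 192.168.1.0/24 is PATed; the secondary Vlan1 subnet is not.
    ip access-list standard NAT-RANGES
     remark Define NAT internal ranges
     permit 192.168.1.0 0.0.0.255
    !
    ! SSH to the router from a single external host. The remark now precedes
    ! the entry it describes (remarks are no-ops; ACL semantics unchanged).
    ip access-list extended acl-Allow-SSH
     remark Allow SSH from these EXTERNAL hosts
     permit tcp host 109.xx.xx.xx any eq 22
    ! Host match for the BNI service; combined with user-BNIRDP in the class-map.
    ip access-list extended acl-BNI_VPC
     remark Traffic to BNI VPN
     permit ip any host 192.168.1.65
    ! ICMP error types only - no echo or echo-reply.
    ip access-list extended acl-ICMP-Reply
     permit icmp any any host-unreachable
     permit icmp any any port-unreachable
     permit icmp any any ttl-exceeded
     permit icmp any any packet-too-big
    ! GRE from/to anywhere; used with 'pass' on both Inside<->Outside pairs.
    ip access-list extended acl-PPTP-Passthrough
     permit gre any any
    ! PPTP server on the router: TCP/1723 + GRE from any source.
    ip access-list extended acl-PPTP-Terminated
     permit gre any any
     permit tcp any any eq 1723
    ! Host match for the web/mail server.
    ip access-list extended acl-WebServer
     remark Traffic to Webserver
     permit ip any host 192.168.1.50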
    !
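    ip access-list logging interval 10
    ! Syslog at 'debugging' level to 192.168.1.50, which is also the
    ! Internet-facing web/mail server. NOTE(review): if that host is compromised
    ! the firewall audit trail is the attacker's to edit; prefer an internal
    ! log host.
    logging trap debugging
    logging facility local6
    logging 192.168.1.50
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    ! NOTE(review): read-WRITE SNMP community (v1/v2c, cleartext). Restricted
    ! by Allowed_SNMP, but use RO unless something really writes via SNMP.
    snmp-server community xx RW Allowed_SNMP
    !
    control-plane
    !
    !
    line con 0
     ! Idle console sessions now time out (was 'exec-timeout 0 0' = never).
     exec-timeout 10 0
     no modem enable
     transport output all
    line aux 0
     transport output all
    line vty 0 4
     ! Idle SSH sessions now time out after 10 minutes (was never).
     exec-timeout 10 0
     ! 'privilege level 15' removed from the line. With 'aaa authentication
     ! login default local' and no 'aaa authorization exec', every local
     ! account - including the PPTP-only 'password 7' users - can SSH in, and
     ! a line-level 15 handed all of them enable access. The admin account
     ! already carries 'privilege 15'; add 'aaa authorization exec default
     ! local' so the per-user level is applied at login, and the 'enable
     ! secret' covers the rest.
     length 40
     width 160
     ! SSH only; telnet is not accepted.
     transport input ssh
     transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    ! Defined but not referenced anywhere in this config.
    time-range WEEKDAY
     periodic weekdays 8:00 to 18:00
    !
    end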
    
     
