
Router as a Firewall


vzrogers (MIS, US), Sep 12, 2005
Hello,

We are a small company with a managed Cisco Router. We do not have the budget to add a Firewall just yet, and I'd like to instruct my ISP to modify the Router's Access-list to block potentially harmful traffic in the interim, basically to act as a firewall.

I need this T1 for two reasons: one is to allow employees to access the internet, and two is to host some web sites and FTP servers. Everything else I would want blocked to safeguard the network.

I do not know enough to be able to tell if my ISP has configured the router in a way where my network is protected, or what to ask of them to improve this if possible.

Here is the existing router config (please note I have blocked out some IP addresses or portions of IP addresses using "x"s):

Router#sh run
Building configuration...

Current configuration : 10092 bytes
!

!
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime

!
hostname Router
!
logging queue-limit 100
logging buffered 4096 debugging

ip subnet-zero
no ip source-route
!
!
ip name-server x.x.x.X
ip name-server x.x.x.x
!
no ip bootp server
!
!
!
!
interface FastEthernet0/0
description connection to Customer LAN
ip address 121.x.x.1 255.x.x.x
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
speed auto
no cdp enable
!
interface Serial0/0
description connection to Location1
bandwidth 1536
ip address 121.x.x.50 255.255.x.x
ip access-group 101 in
encapsulation ppp
no fair-queue
service-module t1 remote-alarm-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
!

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 deny ip 121.x.x.0 0.0.0.63 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit icmp host x.x.x.x host 121.x.x.3 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.4 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.5 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.6 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.7 echo
access-list 101 permit icmp host x.x.x.x host 121.x.x.8 echo
access-list 101 permit icmp host x.x.x.x host 12.x.x.9 echo
access-list 101 permit tcp any host 121.x.x.3 eq www
access-list 101 permit tcp any host 121.x.x.3 eq 443
access-list 101 permit tcp any host 121.x.x.3 range ftp-data ftp
access-list 101 permit tcp any host 121.x.x.3 eq smtp
access-list 101 permit udp any host 121.x.x.3 eq 80
access-list 101 permit udp any host 121.x.x.3 eq 443
access-list 101 permit udp any host 121.x.x.3 range 20 21
access-list 101 permit udp any host 121.x.x.3 eq 25
access-list 101 permit udp any host 121.x.x.4 eq 80
access-list 101 permit udp any host 121.x.x.4 eq 443
access-list 101 permit tcp any host 121.x.x.4 eq www
access-list 101 permit tcp any host 121.x.x.4 eq 443
access-list 101 permit tcp any host 121.x.x.5 eq www
access-list 101 permit tcp any host 121.x.x.5 eq 443
access-list 101 permit udp any host 121.x.x.5 eq 80
access-list 101 permit udp any host 121.x.x.5 eq 443
access-list 101 permit tcp any host 121.x.x.6 eq www
access-list 101 permit tcp any host 121.x.x.6 eq 443
access-list 101 permit udp any host 121.x.x.6 eq 80
access-list 101 permit udp any host 121.x.x.6 eq 443
access-list 101 permit tcp any host 121.x.x.8 eq www
access-list 101 permit tcp any host 121.x.x.8 eq 443
access-list 101 permit tcp any host 121.x.x.8 range ftp-data 22
access-list 101 permit udp any host 121.x.x.8 eq 80
access-list 101 permit udp any host 121.x.x.8 eq 443
access-list 101 permit udp any host 121.x.x.8 range 20 22
access-list 101 permit tcp any host 121.x.x.9 eq www
access-list 101 permit tcp any host 121.x.x.9 eq 443
access-list 101 permit udp any host 121.x.x.9 eq 80
access-list 101 permit udp any host 121.x.x.9 eq 443
access-list 101 deny tcp any any eq www
access-list 101 deny udp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 deny udp any any eq 443
access-list 101 deny tcp any any range ftp-data ftp
access-list 101 deny udp any any range 20 21
access-list 101 deny tcp any any eq smtp
access-list 101 deny udp any any eq 25
access-list 101 deny tcp any any range 989 990
access-list 101 deny udp any any range 989 990
access-list 101 deny tcp any any range 1050 1060
access-list 101 deny udp any any range 1050 1060
access-list 101 deny icmp any host 121.x.x.3 echo
access-list 101 deny icmp any host 121.x.x.4 echo
access-list 101 deny icmp any host 121.x.x.5 echo
access-list 101 deny icmp any host 121.x.x.6 echo
access-list 101 deny icmp any host 121.x.x.7 echo
access-list 101 deny icmp any host 121.x.x.8 echo
access-list 101 deny icmp any host 121.x.x.9 echo
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny tcp any any eq 137
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq 445
access-list 101 deny tcp any any eq 1025
access-list 101 deny udp any any eq 1025
access-list 101 deny tcp any any eq 1433
access-list 101 deny udp any any eq 1433
access-list 101 deny tcp any any eq 2745
access-list 101 deny udp any any eq 2745
access-list 101 deny tcp any any eq 5000
access-list 101 deny udp any any eq 5000
access-list 101 permit ip any any
access-list 103 deny 53 any any
access-list 103 deny 55 any any
access-list 103 deny 77 any any
access-list 103 deny pim any any
access-list 103 deny tcp any any eq 135
access-list 103 deny udp any any eq 135
access-list 103 deny tcp any any eq 139
access-list 103 deny udp any any eq netbios-ss
access-list 103 deny tcp any any eq 137
access-list 103 deny udp any any eq netbios-ns
access-list 103 deny tcp any any eq 445
access-list 103 deny udp any any eq 445
access-list 103 deny tcp any any eq 1025
access-list 103 deny udp any any eq 1025
access-list 103 deny tcp any any eq 1433
access-list 103 deny udp any any eq 1433
access-list 103 deny tcp any any eq 2745
access-list 103 deny udp any any eq 2745
access-list 103 deny tcp any any eq 5000
access-list 103 deny udp any any eq 5000
access-list 103 permit ip any any

end

Router#
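An added example, not part of the original post: a small Python model of how IOS walks a numbered extended ACL (first match wins, implicit deny at the end), run over an excerpt of ACL 101 above. The redacted "x" octets are replaced with constructed documentation-range placeholders (203.0.113.0/26 for the customer block, 203.0.113.3 for the web/FTP host), and the point it demonstrates is the one the poster is asking about: web traffic reaches only the listed hosts, but because the list ends in `permit ip any any`, any port that is not explicitly denied above that line reaches every routable LAN host.

```python
import ipaddress
# Constructed excerpt of the thread's ACL 101 (order preserved); the redacted "x" octets
# become documentation-range placeholders: 203.0.113.0/26 is the customer block, .3 the web/ftp host.
ACL_101 = """
access-list 101 deny ip 203.0.113.0 0.0.0.63 any log
access-list 101 permit tcp any host 203.0.113.3 eq www
access-list 101 permit tcp any host 203.0.113.3 range ftp-data ftp
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any range ftp-data ftp
access-list 101 permit ip any any
""".strip().splitlines()
PORT_NAMES = {"www": 80, "ftp-data": 20, "ftp": 21, "smtp": 25}  # IOS keywords used above

def parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # A Cisco wildcard is a host mask (0.0.0.63 == /26), a form ipaddress accepts directly.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ports(tokens):
    """Consume an optional destination port clause (eq P | range A B); return (lo, hi)."""
    num = lambda p: PORT_NAMES.get(p) or int(p)
    if tokens and tokens[0] in ("eq", "range"):
        lo = num(tokens[1])
        return lo, (num(tokens[2]) if tokens[0] == "range" else lo)
    return 0, 65535  # no port clause (a trailing 'log' keyword lands here too)

def parse_acl(lines):
    rules = []
    for line in lines:
        t = line.split()  # access-list N ACTION PROTO SRC DST [ports] [log]
        src, rest = parse_addr(t[4:])
        dst, rest = parse_addr(rest)
        rules.append((t[2], t[3], src, dst, parse_ports(rest)))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching entry wins; IOS applies an implicit deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, (lo, hi) in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and lo <= dport <= hi:
            return action
    return "deny"

def is_default_allow(rules):
    """True when the list ends in 'permit ip any any': every port not denied above it reaches the LAN."""
    action, proto, src, dst, _ = rules[-1]
    return action == "permit" and proto == "ip" and src.prefixlen == 0 and dst.prefixlen == 0
```

Running `evaluate(parse_acl(ACL_101), "tcp", "198.51.100.7", "203.0.113.20", 3389)` returns `"permit"` while the same packet to port 80 returns `"deny"`, which is the blacklist-with-default-permit posture the replies below are reacting to.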



 
My advice always would be to pay someone else to host your websites.

For $5 a month or whatever, you pass on all the major security issues of opening doors into your network to somebody with all the expertise to do it properly.

I wouldn't try to do it yourself without even using appropriate kit.

You haven't said what router you have already. Does it even have firewall capabilities (stateful packet inspection etc.)?

Don't try to save a few dollars on what will be a very serious problem for you if you get it wrong!
 
Cisco 1700 series. If that was an option to me, I would do that. It is not my decision.
 
In 99.9% of IT jobs the people with the technical know-how have to defer to muppets who do not understand what they ask you to do, or any of the implications of it.

I think you'll be OK with a 1721. Make sure your IOS image has FW capabilities, or download a new one (have you got Smartnet?), then it's just a matter of adding the necessary inspection rules. Then it's a fairly involved bit of NAT setup to get it to work safely.

Are you REALLY sure that you NEED to provide website access and FTP into your LAN?

Other companies do it for you for very little cash, and they have fast data pipes and handle any security headaches themselves. Look at as an example.
 
Is this the only router in operation?
If it is, and I read your config correctly, then every device on the LAN side has a routable IP address. You need to add a second router or firewall device behind this one for your internal PCs and other devices that do not need internet exposure. You could then leave those devices that need internet exposure in the DMZ, thus reducing the risk to other machines and devices in your LAN. The 2621 would be a good router for this and can be found on eBay for a good price.
 
Yes, we absolutely need to have these web and ftp services internal, and yes this request is coming from a Muppet above.

The existing 1700 series router is on a managed circuit; therefore I do not have access to the console and can only ask the ISP for changes or copies of the config.

Internal users are using another managed circuit for accessing the internet.

I do have a Cisco 2600 series router that the company owned prior to having all services managed (when they actually employed a real network person). If there is any way I could use that in this situation, please let me know.

The goal is to limit access to those web servers as per the ACL shown above and to protect any other internal resources behind it.
 
This is the sort of situation where you stick a letter on the muppet's desk stating that the current configuration does not provide adequate protection for the network, that you have pointed it out, and that you want management to sign off on the fact that they are aware of the situation and knowingly choose to ignore it, and thereby agree to hold you harmless in the event that a major breach or event should occur. I had to do that at one of the places that I worked, and it was enough to make them wake up and smell the coffee and cough up the bucks to make it right, rather than take the responsibility on themselves.
 
I was able to speak to a technical person familiar with my network. Turns out I have two T1s, one managed and one not, that come into a load balancer.

The managed T1 has a firewall in place and all internal hosts use NAT to get out to the internet. The unmanaged T1 is not using this firewall, and is used as an alternate means for users to get out onto the internet and in case the primary T1 goes down.

Knowing this new info, is the router config initially posted secure enough? Is there anything that should be modified?
 