This is just a very quick and brief guide. The setup below provides a very basic firewall that does the following:
- Blocks all traffic initiated externally, except on the ports required for publicly accessible services
- Allows external traffic initiated by an internal connection
In short, it blocks everything except your public services while not blocking your users' traffic.
In this example we have the following public services:
- RDP (3389)
- SMTP (25)
- SSH (22)
- WWW (80)
- HTTPS (443)
The example also allows IPsec traffic so we do not break the tunnels created in the last example. However, remember that if you have a VPN network, all it takes is one site or user to be hacked and this firewall is useless. For example, Site A has this applied but Site B doesn't; Site B becomes compromised, and because Site B reaches Site A over a Tunnel interface, that traffic is not regulated by the firewall setup in this example.
xxx.xxx.xxx.xxx = public ip address of service
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
!
interface Dialer1
 ip access-group FIREWALL-ACL in
 ip inspect FIREWALL out
!
ip access-list extended FIREWALL-ACL
 permit tcp any host xxx.xxx.xxx.xxx eq 3389
 permit tcp any host xxx.xxx.xxx.xxx eq 22
 permit tcp any host xxx.xxx.xxx.xxx eq smtp
 permit tcp any host xxx.xxx.xxx.xxx eq www
 permit tcp any host xxx.xxx.xxx.xxx eq pop3
 permit tcp any host xxx.xxx.xxx.xxx eq 443
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 deny tcp any any
 deny udp any any
 deny ip any any
!
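As an added illustration (not part of the original post and not Cisco code), here is a small Python model of what the configuration above does: the FIREWALL-ACL lines are parsed as written on the page (note they also permit pop3, which the service list does not mention), return traffic is admitted only once "ip inspect FIREWALL out" has recorded the session, and traffic arriving on a Tunnel interface is not checked at all, which is the Site B caveat. The public address 203.0.113.10 and the peer hosts are constructed values.

```python
from dataclasses import dataclass, field
PUBLIC_IP = "203.0.113.10"  # constructed stand-in for xxx.xxx.xxx.xxx
PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "isakmp": 500}
# The FIREWALL-ACL lines from the config above, verbatim apart from the address.
ACL = """permit tcp any host {ip} eq 3389
permit tcp any host {ip} eq 22
permit tcp any host {ip} eq smtp
permit tcp any host {ip} eq www
permit tcp any host {ip} eq pop3
permit tcp any host {ip} eq 443
permit esp any any
permit udp any any eq isakmp
permit gre any any
deny tcp any any
deny udp any any
deny ip any any""".format(ip=PUBLIC_IP)

def parse_acl(text):
    """Turn 'permit tcp any host A eq P' style lines into (action, proto, dst, port)."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        dst = f[4] if f[3] == "host" else None          # 'any' destination -> None
        port = None
        if "eq" in f:
            p = f[f.index("eq") + 1]
            port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        rules.append((f[0], f[1], dst, port))
    return rules

@dataclass
class Firewall:
    rules: list
    sessions: set = field(default_factory=set)   # CBAC dynamic state
    def outbound(self, proto, src, sport, dst, dport):
        """'ip inspect FIREWALL out': remember tcp/udp sessions leaving Dialer1."""
        if proto in ("tcp", "udp"):
            self.sessions.add((proto, src, sport, dst, dport))
        return "permit"
    def inbound(self, iface, proto, src, sport, dst, dport):
        """Packet arriving from outside: only Dialer1 carries the access-group."""
        if iface != "Dialer1":
            return "permit (no access-group on %s)" % iface  # the Site B caveat
        if (proto, dst, dport, src, sport) in self.sessions:
            return "permit (inspect)"   # reply to an inside-initiated flow
        for action, rproto, rdst, rport in self.rules:
            if rproto in (proto, "ip") and rdst in (dst, None) and rport in (dport, None):
                return action
        return "deny"  # implicit deny at the end of every IOS ACL
```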
Thx for this article!
Thk xxx
Thanks for the article, I was looking for this config