Configure DMZ on routers Cisco Forum FAQ - dslreports.com

			Search:
	login · register

FAQs

how-to block ads

	Search for: in all FAQs
All FAQs » Cisco Forum FAQ » 40.2 Security Sample Configurations » 15913


Configure DMZ on routers (#15913)
Suggested prerequisite reading: »Cisco Forum FAQ »Basic Internet Firewall ACL for Routers without IOS image Firewall feature On these sample configurations, it is assumed the following occur * There are at least three network segments; outside (i.e. WAN or The Internet), inside (LAN), DMZ * These segments are within their own subnet (Layer-3 separation) * Inside subnet is 10.0.0.0/24 and DMZ subnet is 10.0.1.0/24 Sample #1: Total Separation between Inside and DMZ This sample assumes the following * Internet-only access for DMZ * DMZ cannot access inside * Inside cannot access DMZ ACL Approach 1. Using One Router interface Ethernet0 description LAN interface ip address 10.0.0.1 255.255.255.0 ip access-group 100 in ip nat inside ! interface Ethernet1 description WAN interface ip address 1.1.1.2 255.255.255.252 ip nat outside ! interface Ethernet2 description DMZ interface ip address 10.0.1.1 255.255.255.0 ip access-group 101 in ip nat inside ! ip route 0.0.0.0 0.0.0.0 1.1.1.1 ! ip nat inside source list 10 interface Ethernet1 overload ! access-list 10 remark Permited Subnets to go out to the Internet access-list 10 permit 10.0.0.0 0.0.1.255 access-list 100 remark Restricted Inside network Access access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 access-list 100 permit ip 10.0.0.0 0.0.0.255 any access-list 101 remark Restricted DMZ network Access access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 access-list 101 permit ip 10.0.1.0 0.0.0.255 any 2. Using Two Routers, which one is the Internet Router and another is internal router Internet Router interface Ethernet0 description To Internal Router (DMZ) ip address 10.0.1.1 255.255.255.0 ip access-group 100 in ip nat inside ! interface Ethernet1 description WAN interface (To Internet) ip address dhcp ip nat outside ! ip route 10.0.0.0 255.255.255.0 10.0.1.2 ! Note that the DHCP process with the ISP results in both ! getting the Internet Router WAN interface to receive ! (Public) IP address and also default gateway to reach ! the Internet. ! You can always issue "show ip route" to confirm the ! router's routing table ! ip nat inside source list 10 interface Ethernet1 overload ! access-list 10 remark Permited Subnets to go out to the Internet access-list 10 permit 10.0.0.0 0.0.1.255 access-list 100 remark Restricted Inside network Access access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 access-list 100 permit ip 10.0.0.0 0.0.1.255 any Internal Router interface Ethernet0 description LAN interface ip address 10.0.0.1 255.255.255.0 ! interface Ethernet1 description To Internet Router (DMZ) ip address 10.0.1.2 255.255.255.0 ! ip route 0.0.0.0 0.0.0.0 10.0.1.1 VRF Routing Approach ip cef ! ip vrf LAN ! ip vrf DMZ ! interface Ethernet0 description LAN interface ip vrf forwarding LAN ip address 10.0.0.1 255.255.255.0 ip nat inside ! interface Ethernet1 description WAN interface ip address 1.1.1.2 255.255.255.252 ip nat outside ! interface Ethernet2 description DMZ interface ip vrf forwarding DMZ ip address 10.0.1.1 255.255.255.0 ip nat inside ! ip route 0.0.0.0 0.0.0.0 1.1.1.1 ip route vrf LAN 0.0.0.0 0.0.0.0 1.1.1.1 global ip route vrf DMZ 0.0.0.0 0.0.0.0 1.1.1.1 global ! ip nat pool GlobalIP 1.1.1.2 1.1.1.2 netmask 255.255.255.252 add-route ip nat inside source list 10 pool GlobalIP vrf LAN overload ip nat inside source list 10 pool GlobalIP vrf DMZ overload ! access-list 10 remark Permited Subnets to go out to the Internet access-list 10 permit 10.0.0.0 0.0.1.255 Sample #2: Restricted Access on DMZ specific services from Inside This sample assumes the following * Internet-only access for DMZ * DMZ cannot access inside * Inside can access DMZ only for web (TCP port 80) and email (TCP port 25) interface Ethernet0 description LAN interface ip address 10.0.0.1 255.255.255.0 ip access-group 100 in ip nat inside ! interface Ethernet1 description WAN interface ip address 1.1.1.2 255.255.255.252 ip nat outside ! interface Ethernet2 description DMZ interface ip address 10.0.1.1 255.255.255.0 ip access-group 101 in ip nat inside ! ip route 0.0.0.0 0.0.0.0 1.1.1.1 ! ip nat inside source list 10 interface Ethernet1 overload ! access-list 10 remark Permited Subnets to go out to the Internet access-list 10 permit 10.0.0.0 0.0.1.255 access-list 100 remark Restricted Inside network Access access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 25 access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 80 access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 access-list 100 permit ip 10.0.0.0 0.0.0.255 any access-list 101 remark Restricted DMZ network Access access-list 101 permit tcp 10.0.1.0 0.0.0.255 eq 25 10.0.0.0 0.0.0.255 access-list 101 permit tcp 10.0.1.0 0.0.0.255 eq 80 10.0.0.0 0.0.0.255 access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 access-list 101 permit ip 10.0.1.0 0.0.0.255 any Sample #3: Restricted Access on DMZ most applications from Inside This sample assumes the following * Internet-only access for DMZ * DMZ cannot access inside * Inside can access DMZ on any TCP-based application and DNS (TCP and UDP port 53) * Note that most applications are TCP-based. Therefore this sample applies to most network interface Ethernet0 description LAN interface ip address 10.0.0.1 255.255.255.0 ip access-group 100 in ip nat inside ! interface Ethernet1 description WAN interface ip address 1.1.1.2 255.255.255.252 ip nat outside ! interface Ethernet2 description DMZ interface ip address 10.0.1.1 255.255.255.0 ip access-group 101 in ip nat inside ! ip route 0.0.0.0 0.0.0.0 1.1.1.1 ! ip nat inside source list 10 interface Ethernet1 overload ! access-list 10 remark Permited Subnets to go out to the Internet access-list 10 permit 10.0.0.0 0.0.1.255 access-list 100 remark Restricted Inside network Access access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 access-list 100 permit udp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 53 access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 access-list 100 permit ip 10.0.0.0 0.0.0.255 any access-list 101 remark Restricted DMZ network Access access-list 101 permit tcp 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 established access-list 101 permit udp 10.0.1.0 0.0.0.255 eq 53 10.0.0.0 0.0.0.255 access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 access-list 101 permit ip 10.0.1.0 0.0.0.255 any feedback form by aryoba last modified: 2009-08-30 05:35:41


Friday, 27-Nov 12:46:30	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com.