Suggested prerequisite reading:
»Cisco Forum FAQ »Basic Internet Firewall for Routers without IOS image Firewall feature

These sample configurations assume the following:

* There are at least three network segments: outside (the WAN, i.e. the Internet), inside (LAN) and DMZ
* Each segment is its own subnet (Layer-3 separation)
* The inside subnet is 10.0.0.0/24 and the DMZ subnet is 10.0.1.0/24

Sample #1: Total Separation between Inside and DMZ

This sample assumes the following:
* Internet-only access for DMZ
* DMZ cannot access inside
* Inside cannot access DMZ

ACL Approach

1. Using One Router

interface Ethernet0
description LAN interface
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
!
interface Ethernet1
description WAN interface
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
interface Ethernet2
description DMZ interface
ip address 10.0.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip nat inside source list 10 interface Ethernet1 overload
!
access-list 10 remark Permitted Subnets to go out to the Internet
access-list 10 permit 10.0.0.0 0.0.1.255
access-list 100 remark Restricted Inside network Access
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark Restricted DMZ network Access
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
 

2. Using Two Routers, one as the Internet router and the other as the internal router

Internet Router
interface Ethernet0
description To Internal Router (DMZ)
ip address 10.0.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
!
interface Ethernet1
description WAN interface (To Internet)
ip address dhcp
ip nat outside
!
ip route 10.0.0.0 255.255.255.0 10.0.1.2
! Note that the DHCP exchange with the ISP gives the Internet
! Router's WAN interface both its (public) IP address and a
! default gateway to reach the Internet.
! You can always issue "show ip route" to confirm the
! router's routing table
!
ip nat inside source list 10 interface Ethernet1 overload
!
access-list 10 remark Permitted Subnets to go out to the Internet
access-list 10 permit 10.0.0.0 0.0.1.255
access-list 100 remark Restricted Inside network Access
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.1.255 any
 

Internal Router
interface Ethernet0
description LAN interface
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1
description To Internet Router (DMZ)
ip address 10.0.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.1.1
 

VRF Routing Approach

ip cef
!
ip vrf LAN
!
ip vrf DMZ
!
interface Ethernet0
description LAN interface
ip vrf forwarding LAN
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
interface Ethernet1
description WAN interface
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
interface Ethernet2
description DMZ interface
ip vrf forwarding DMZ
ip address 10.0.1.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route vrf LAN 0.0.0.0 0.0.0.0 1.1.1.1 global
ip route vrf DMZ 0.0.0.0 0.0.0.0 1.1.1.1 global
!
ip nat pool GlobalIP 1.1.1.2 1.1.1.2 netmask 255.255.255.252 add-route
ip nat inside source list 10 pool GlobalIP vrf LAN overload
ip nat inside source list 10 pool GlobalIP vrf DMZ overload
!
access-list 10 remark Permitted Subnets to go out to the Internet
access-list 10 permit 10.0.0.0 0.0.1.255
 

Sample #2: Restricted Access from Inside to Specific DMZ Services

This sample assumes the following:
* Internet-only access for DMZ
* DMZ cannot access inside
* Inside can access DMZ only for web (TCP port 80) and email (TCP port 25)

interface Ethernet0
description LAN interface
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
!
interface Ethernet1
description WAN interface
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
interface Ethernet2
description DMZ interface
ip address 10.0.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip nat inside source list 10 interface Ethernet1 overload
!
access-list 10 remark Permitted Subnets to go out to the Internet
access-list 10 permit 10.0.0.0 0.0.1.255
access-list 100 remark Restricted Inside network Access
access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 25
access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 80
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark Restricted DMZ network Access
access-list 101 permit tcp 10.0.1.0 0.0.0.255 eq 25 10.0.0.0 0.0.0.255
access-list 101 permit tcp 10.0.1.0 0.0.0.255 eq 80 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
 

Sample #3: Restricted Access from Inside to Most DMZ Applications

This sample assumes the following:
* Internet-only access for DMZ
* DMZ cannot access inside
* Inside can access DMZ on any TCP-based application and on DNS (TCP and UDP port 53)
* Note that most applications are TCP-based, so this sample applies to most networks

interface Ethernet0
description LAN interface
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
!
interface Ethernet1
description WAN interface
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
interface Ethernet2
description DMZ interface
ip address 10.0.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip nat inside source list 10 interface Ethernet1 overload
!
access-list 10 remark Permitted Subnets to go out to the Internet
access-list 10 permit 10.0.0.0 0.0.1.255
access-list 100 remark Restricted Inside network Access
access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit udp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 53
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark Restricted DMZ network Access
access-list 101 permit tcp 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 established
access-list 101 permit udp 10.0.1.0 0.0.0.255 eq 53 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
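As an added check that is not part of the original FAQ, the following Python script is a minimal evaluator for the extended-ACL subset used in Samples #2 and #3 (wildcard masks, "eq" port matches and the "established" keyword): it parses a copy of ACL 101 from Sample #3 and reports what the router would do with a given packet. The ACL copy and the test flows are constructed here; the Flow, parse_acl and evaluate names are this script's own.

```python
import ipaddress
from collections import namedtuple
# Constructed copy of ACL 101 from Sample #3 (applied inbound on the DMZ interface).
SAMPLE3_ACL101 = """
access-list 101 permit tcp 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 established
access-list 101 permit udp 10.0.1.0 0.0.0.255 eq 53 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
"""
# One packet as the ACL sees it; ack=True means the TCP ACK (or RST) bit is set, which is
# what the IOS 'established' keyword tests (the SYN that opens a new session has it clear).
Flow = namedtuple("Flow", "proto src sport dst dport ack", defaults=(False,))

def _addr(tok):
    """Pop 'any' or 'A.B.C.D WILDCARD' -> (base, wildcard) ints; wildcard 1-bits are don't-care."""
    if tok[0] == "any":
        tok.pop(0)
        return 0, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(tok.pop(0))), int(ipaddress.IPv4Address(tok.pop(0)))

def _port(tok):
    """Optional 'eq N' port operator (the only one these samples use)."""
    if tok[:1] == ["eq"]:
        tok.pop(0)
        return int(tok.pop(0))
    return None

def parse_acl(text):
    """Parse extended 'access-list' lines; 'remark' lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto, tok = tok[2], tok[3], tok[4:]
        src, sport = _addr(tok), _port(tok)
        dst, dport = _addr(tok), _port(tok)
        entries.append((action, proto, src, sport, dst, dport, "established" in tok))
    return entries

def _match(spec, ip):
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(acl_text, flow):
    """Action of the first matching entry; an IOS ACL ends with an implicit deny."""
    for action, proto, src, sport, dst, dport, est in parse_acl(acl_text):
        if (proto in ("ip", flow.proto) and _match(src, flow.src) and _match(dst, flow.dst)
                and sport in (None, flow.sport) and dport in (None, flow.dport)
                and (not est or (flow.proto == "tcp" and flow.ack))):
            return action
    return "deny"
```

Running evaluate() against Sample #2's ACL 101 as well shows why Sample #3 switched to "established": a permit keyed only on source port 25 or 80 matches any TCP segment with that source port, including one that a DMZ host initiates, whereas "established" matches only segments with ACK or RST set.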
 

Some Discussions

»[Config] SMTP Between 2 routers


by aryoba
last modified: 2012-02-27 19:38:50