CISCO Advanced Firewall on 2911 router using CCP
ahmedahmed, Member Posts: 41
Guys, I am using a Cisco 2911 router with three interfaces: Gi0/0 connected through a switch to all my servers, Gi0/2 which will connect to another server, and Gi0/1 which is my outside interface connecting through a switch to two ISPs.
I have web servers and terminal servers/file servers on the 10.0.0.0 network connected through my Gi0/0 interface.
Now I want to implement a Cisco Advanced Firewall for security on my router using CCP. I want the firewall to work such that it allows external users to access the servers on Gi0/0 through ports 80, 23, 25, 20, 21, 53, 110, 3389, and to access the SIP server on Gi0/2. My issue is: can I just create two DMZs for both interfaces Gi0/0 and Gi0/2 without creating an inside zone, with Gi0/1 as the outside zone, as my internal traffic is mostly server based and the users connect remotely through the terminal server to access resources using RDP? Secondly, how do I open the relevant ports? I have checked a lot and all I have seen is just the basic process of using the wizard; I have no idea how to go about this issue.
Would appreciate some assistance on this.
Comments
SteveO86, Member Posts: 1,423
I'd look into the Zone Based Firewall configurations:
Zone-Based Policy Firewall Design and Application Guide - Cisco Systems
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
ahmedahmed, Member Posts: 41
I configured a Zone-Based Firewall for my router to allow resource access to my internal servers in the in-zone and full in/out access for the Gi0/2 server.
Would appreciate it if someone could have a look at my configuration.
! Zones and interface membership
zone security out-zone
zone security in-zone
zone security teleworker
interface gi0/1
 zone-member security out-zone
interface gi0/0
 zone-member security in-zone
interface gi0/2
 zone-member security teleworker
exit
! User-defined application so "match protocol user-RDP" can inspect TCP/3389
ip port-map user-RDP port tcp 3389
! Zone pairs (service policies are attached further down)
zone-pair security OUT-IN source out-zone destination in-zone
zone-pair security OUT-TELEWORKER source out-zone destination teleworker
zone-pair security TELEWORKER-OUT source teleworker destination out-zone
! Outside -> inside: one ACL plus one class-map per permitted service
ip access-list extended OUTSIDE-TO-INSIDE-WEB
 permit tcp any host 10.0.0.23 eq 80
 permit tcp any host 10.0.0.59 eq 80
 permit tcp any host 10.0.0.61 eq 80
 permit tcp any host 10.0.0.228 eq 80
 permit tcp any host 10.0.0.16 eq 80
 permit tcp any host 10.0.0.30 eq 80
class-map type inspect match-all OUTSIDE-TO-INSIDE-WEB-CLASS
 match protocol http
 match access-group name OUTSIDE-TO-INSIDE-WEB
! IOS ACLs express a port span as "range 20 21", not "eq 20:21"
ip access-list extended OUTSIDE-TO-INSIDE-FTP
 permit tcp any host 10.0.0.52 range 20 21
 permit tcp any host 10.0.0.23 range 20 21
 permit tcp any host 10.0.0.59 range 20 21
 permit tcp any host 10.0.0.61 range 20 21
 permit tcp any host 10.0.0.228 range 20 21
class-map type inspect match-all OUTSIDE-TO-INSIDE-FTP-CLASS
 match protocol ftp
 match access-group name OUTSIDE-TO-INSIDE-FTP
ip access-list extended OUTSIDE-TO-INSIDE-SMTP
 permit tcp any host 10.0.0.52 eq 25
 permit tcp any host 10.0.0.23 eq 25
 permit tcp any host 10.0.0.59 eq 25
 permit tcp any host 10.0.0.61 eq 25
 permit tcp any host 10.0.0.228 eq 25
class-map type inspect match-all OUTSIDE-TO-INSIDE-SMTP-CLASS
 match protocol smtp
 match access-group name OUTSIDE-TO-INSIDE-SMTP
ip access-list extended OUTSIDE-TO-INSIDE-DNS
 permit tcp any host 10.0.0.23 eq 53
 permit udp any host 10.0.0.23 eq 53
 permit tcp any host 10.0.0.59 eq 53
 permit udp any host 10.0.0.59 eq 53
 permit tcp any host 10.0.0.61 eq 53
 permit udp any host 10.0.0.61 eq 53
 permit tcp any host 10.0.0.228 eq 53
 permit udp any host 10.0.0.228 eq 53
class-map type inspect match-all OUTSIDE-TO-INSIDE-DNS-CLASS
 match protocol dns
 match access-group name OUTSIDE-TO-INSIDE-DNS
ip access-list extended OUTSIDE-TO-INSIDE-POP
 permit tcp any host 10.0.0.52 eq 110
 permit tcp any host 10.0.0.23 eq 110
 permit tcp any host 10.0.0.59 eq 110
 permit tcp any host 10.0.0.61 eq 110
 permit tcp any host 10.0.0.228 eq 110
class-map type inspect match-all OUTSIDE-TO-INSIDE-POP-CLASS
 match protocol pop
 match access-group name OUTSIDE-TO-INSIDE-POP
ip access-list extended OUTSIDE-TO-INSIDE-IMAP
 permit tcp any host 10.0.0.52 eq 143
 permit tcp any host 10.0.0.23 eq 143
 permit tcp any host 10.0.0.59 eq 143
 permit tcp any host 10.0.0.61 eq 143
 permit tcp any host 10.0.0.228 eq 143
class-map type inspect match-all OUTSIDE-TO-INSIDE-IMAP-CLASS
 match protocol imap
 match access-group name OUTSIDE-TO-INSIDE-IMAP
ip access-list extended OUTSIDE-TO-INSIDE-HTTPS
 permit tcp any host 10.0.0.52 eq 443
 permit tcp any host 10.0.0.23 eq 443
 permit tcp any host 10.0.0.59 eq 443
 permit tcp any host 10.0.0.61 eq 443
 permit tcp any host 10.0.0.228 eq 443
class-map type inspect match-all OUTSIDE-TO-INSIDE-HTTPS-CLASS
 match protocol https
 match access-group name OUTSIDE-TO-INSIDE-HTTPS
ip access-list extended OUTSIDE-TO-INSIDE-RDP
 permit tcp any host 10.0.0.52 eq 3389
 permit tcp any host 10.0.0.23 eq 3389
 permit tcp any host 10.0.0.59 eq 3389
 permit tcp any host 10.0.0.61 eq 3389
 permit tcp any host 10.0.0.228 eq 3389
 permit tcp any host 10.0.0.58 eq 3389
 permit tcp any host 10.0.0.33 eq 3389
 permit tcp any host 10.0.0.25 eq 3389
 permit tcp any host 10.0.0.44 eq 3389
 permit tcp any host 10.0.0.251 eq 3389
 permit tcp any host 10.0.0.21 eq 3389
 permit tcp any host 10.0.0.22 eq 3389
 permit tcp any host 10.0.0.24 eq 3389
 permit tcp any host 10.0.0.30 eq 3389
 permit tcp any host 10.0.0.230 eq 3389
class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS
 match protocol user-RDP
 match access-group name OUTSIDE-TO-INSIDE-RDP
! Teleworker (gi0/2) server: full access in both directions
ip access-list extended TELEWORKER-TO-OUTSIDE
 permit ip host 10.0.3.254 any
class-map type inspect match-all TELEWORKER-TO-OUTSIDE-CLASS
 match access-group name TELEWORKER-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-TELEWORKER
 permit ip any host 10.0.3.254
class-map type inspect match-all OUTSIDE-TO-TELEWORKER-CLASS
 match access-group name OUTSIDE-TO-TELEWORKER
! Inspection policies
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-WEB-CLASS
  inspect
 class type inspect OUTSIDE-TO-INSIDE-FTP-CLASS
  inspect
 class type inspect OUTSIDE-TO-INSIDE-SMTP-CLASS
  inspect
 class type inspect OUTSIDE-TO-INSIDE-DNS-CLASS
  inspect
 class type inspect OUTSIDE-TO-INSIDE-POP-CLASS
  inspect
 class type inspect OUTSIDE-TO-INSIDE-IMAP-CLASS
  inspect
 class type inspect OUTSIDE-TO-INSIDE-HTTPS-CLASS
  inspect
 class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS
  inspect
policy-map type inspect TELEWORKER-TO-OUTSIDE-POLICY
 class type inspect TELEWORKER-TO-OUTSIDE-CLASS
  inspect
policy-map type inspect OUTSIDE-TO-TELEWORKER-POLICY
 class type inspect OUTSIDE-TO-TELEWORKER-CLASS
  inspect
! Attach the policies to the zone pairs
zone-pair security OUT-IN source out-zone destination in-zone
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TELEWORKER source out-zone destination teleworker
 service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY
zone-pair security TELEWORKER-OUT source teleworker destination out-zone
 service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY