
CISCO Advanced Firewall on 2911 router using CCP

ahmedahmed Member Posts: 41
Guys, I am using a Cisco 2911 router with three interfaces: Gi0/0, connected through a switch to all my servers; Gi0/2, which will connect to another server; and Gi0/1, my outside interface, connecting through a switch to two ISPs.
I have web servers and terminal servers/file servers on the 10.0.0.0 network connected through my Gi0/0 interface.
Now I want to implement a Cisco Advanced Firewall for security on my router using CCP. I want the firewall to work such that it allows external users to access the servers on Gi0/0 through ports 80, 23, 25, 20, 21, 53, 110, 3389, and to access the SIP server on Gi0/2. My issue is: can I just create two DMZs for both interfaces Gi0/0 and Gi0/2, without creating an inside zone, and Gi0/1 as the outside zone, as my internal traffic is mostly server based and the users connect remotely through the terminal server to access resources using RDP? Secondly, how do I open the relevant ports? I have checked a lot, and all I have seen is just the basic process of using the wizard; I have no idea how to go about this issue.

Would appreciate some assistance on this.

Comments

    SteveO86 Member Posts: 1,423
    I'd look into the Zone-Based Firewall configurations.

    Zone-Based Policy Firewall Design and Application Guide - Cisco Systems
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
    ahmedahmed Member Posts: 41
    I configured a Zone-Based Firewall on my router to allow resource access to my internal servers in the in-zone and full in/out access for the Gi0/2 server.
    Would appreciate it if someone could have a look at my configuration.

    zone security out-zone
    zone security in-zone
    zone security teleworker


    interface gi0/1
    zone-member security out-zone


    interface gi0/0
    zone-member security in-zone


    interface gi0/2
    zone-member security teleworker
    exit


    ip port-map user-RDP port tcp 3389


    zone-pair security OUT-IN source out-zone destination in-zone
    zone-pair security OUT-TELEWORKER source out-zone destination teleworker
    zone-pair security TELEWORKER-OUT source teleworker destination out-zone


    ip access-list extended OUTSIDE-TO-INSIDE-WEB
    permit tcp any host 10.0.0.23 eq 80
    permit tcp any host 10.0.0.59 eq 80
    permit tcp any host 10.0.0.61 eq 80
    permit tcp any host 10.0.0.228 eq 80
    permit tcp any host 10.0.0.16 eq 80
    permit tcp any host 10.0.0.30 eq 80


    class-map type inspect match-all OUTSIDE-TO-INSIDE-WEB-CLASS
    match protocol http
    match access-group name OUTSIDE-TO-INSIDE-WEB


    ip access-list extended OUTSIDE-TO-INSIDE-FTP
    permit tcp any host 10.0.0.52 range 20 21
    permit tcp any host 10.0.0.23 range 20 21
    permit tcp any host 10.0.0.59 range 20 21
    permit tcp any host 10.0.0.61 range 20 21
    permit tcp any host 10.0.0.228 range 20 21


    class-map type inspect match-all OUTSIDE-TO-INSIDE-FTP-CLASS
    match protocol ftp
    match access-group name OUTSIDE-TO-INSIDE-FTP


    ip access-list extended OUTSIDE-TO-INSIDE-SMTP
    permit tcp any host 10.0.0.52 eq 25
    permit tcp any host 10.0.0.23 eq 25
    permit tcp any host 10.0.0.59 eq 25
    permit tcp any host 10.0.0.61 eq 25
    permit tcp any host 10.0.0.228 eq 25


    class-map type inspect match-all OUTSIDE-TO-INSIDE-SMTP-CLASS
    match protocol smtp
    match access-group name OUTSIDE-TO-INSIDE-SMTP


    ip access-list extended OUTSIDE-TO-INSIDE-DNS
    permit tcp any host 10.0.0.23 eq 53
    permit udp any host 10.0.0.23 eq 53
    permit tcp any host 10.0.0.59 eq 53
    permit udp any host 10.0.0.59 eq 53
    permit tcp any host 10.0.0.61 eq 53
    permit udp any host 10.0.0.61 eq 53
    permit tcp any host 10.0.0.228 eq 53
    permit udp any host 10.0.0.228 eq 53


    class-map type inspect match-all OUTSIDE-TO-INSIDE-DNS-CLASS
    match protocol dns
    match access-group name OUTSIDE-TO-INSIDE-DNS


    ip access-list extended OUTSIDE-TO-INSIDE-POP
    permit tcp any host 10.0.0.52 eq 110
    permit tcp any host 10.0.0.23 eq 110
    permit tcp any host 10.0.0.59 eq 110
    permit tcp any host 10.0.0.61 eq 110
    permit tcp any host 10.0.0.228 eq 110


    class-map type inspect match-all OUTSIDE-TO-INSIDE-POP-CLASS
    match protocol pop
    match access-group name OUTSIDE-TO-INSIDE-POP


    ip access-list extended OUTSIDE-TO-INSIDE-IMAP
    permit tcp any host 10.0.0.52 eq 143
    permit tcp any host 10.0.0.23 eq 143
    permit tcp any host 10.0.0.59 eq 143
    permit tcp any host 10.0.0.61 eq 143
    permit tcp any host 10.0.0.228 eq 143


    class-map type inspect match-all OUTSIDE-TO-INSIDE-IMAP-CLASS
    match protocol imap
    match access-group name OUTSIDE-TO-INSIDE-IMAP


    ip access-list extended OUTSIDE-TO-INSIDE-HTTPS
    permit tcp any host 10.0.0.52 eq 443
    permit tcp any host 10.0.0.23 eq 443
    permit tcp any host 10.0.0.59 eq 443
    permit tcp any host 10.0.0.61 eq 443
    permit tcp any host 10.0.0.228 eq 443


    class-map type inspect match-all OUTSIDE-TO-INSIDE-HTTPS-CLASS
    match protocol https
    match access-group name OUTSIDE-TO-INSIDE-HTTPS


    ip access-list extended OUTSIDE-TO-INSIDE-RDP
    permit tcp any host 10.0.0.52 eq 3389
    permit tcp any host 10.0.0.23 eq 3389
    permit tcp any host 10.0.0.59 eq 3389
    permit tcp any host 10.0.0.61 eq 3389
    permit tcp any host 10.0.0.228 eq 3389
    permit tcp any host 10.0.0.58 eq 3389
    permit tcp any host 10.0.0.33 eq 3389
    permit tcp any host 10.0.0.25 eq 3389
    permit tcp any host 10.0.0.44 eq 3389
    permit tcp any host 10.0.0.251 eq 3389
    permit tcp any host 10.0.0.21 eq 3389
    permit tcp any host 10.0.0.22 eq 3389
    permit tcp any host 10.0.0.24 eq 3389
    permit tcp any host 10.0.0.30 eq 3389
    permit tcp any host 10.0.0.230 eq 3389


    class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS
    match protocol user-RDP
    match access-group name OUTSIDE-TO-INSIDE-RDP


    ip access-list extended TELEWORKER-TO-OUTSIDE
    permit ip host 10.0.3.254 any


    class-map type inspect match-all TELEWORKER-TO-OUTSIDE-CLASS
    match access-group name TELEWORKER-TO-OUTSIDE


    ip access-list extended OUTSIDE-TO-TELEWORKER
    permit ip any host 10.0.3.254


    class-map type inspect match-all OUTSIDE-TO-TELEWORKER-CLASS
    match access-group name OUTSIDE-TO-TELEWORKER




    policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
    class type inspect OUTSIDE-TO-INSIDE-WEB-CLASS
    inspect


    class type inspect OUTSIDE-TO-INSIDE-FTP-CLASS
    inspect


    class type inspect OUTSIDE-TO-INSIDE-SMTP-CLASS
    inspect


    class type inspect OUTSIDE-TO-INSIDE-DNS-CLASS
    inspect




    class type inspect OUTSIDE-TO-INSIDE-POP-CLASS
    inspect


    class type inspect OUTSIDE-TO-INSIDE-IMAP-CLASS
    inspect


    class type inspect OUTSIDE-TO-INSIDE-HTTPS-CLASS
    inspect


    class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS
    inspect




    policy-map type inspect TELEWORKER-TO-OUTSIDE-POLICY
    class type inspect TELEWORKER-TO-OUTSIDE-CLASS
    inspect


    policy-map type inspect OUTSIDE-TO-TELEWORKER-POLICY
    class type inspect OUTSIDE-TO-TELEWORKER-CLASS
    inspect


    zone-pair security OUT-IN source out-zone destination in-zone
    service-policy type inspect OUTSIDE-TO-INSIDE-POLICY


    zone-pair security OUT-TELEWORKER source out-zone destination teleworker
    service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY


    zone-pair security TELEWORKER-OUT source teleworker destination out-zone
    service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY
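Before committing a ZBF config like the one posted, a few of its properties can be checked mechanically. This is an added example, not part of the thread: a small Python linter (the constructed sample config and the name lint_zbf are mine) that flags zone directions with no zone-pair, zone-pairs with no service-policy, and the 'eq 20:21' port syntax, all of which IOS will either reject or treat as a drop.

```python
import re
from itertools import permutations

# Constructed excerpt in the shape of the poster's config (sample input only): three zones,
# three zone-pairs, one without a policy, and an FTP ACL written once with 'eq 20:21'
# (which IOS rejects) and once with the valid 'range 20 21' form.
SAMPLE_CONFIG = """\
zone security out-zone
zone security in-zone
zone security teleworker
zone-pair security OUT-IN source out-zone destination in-zone
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TELEWORKER source out-zone destination teleworker
 service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY
zone-pair security TELEWORKER-OUT source teleworker destination out-zone
ip access-list extended OUTSIDE-TO-INSIDE-FTP
 permit tcp any host 10.0.0.52 eq 20:21
 permit tcp any host 10.0.0.23 range 20 21
"""

ZONE = re.compile(r"zone security (\S+)$")
PAIR = re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)$")
POLICY = re.compile(r"service-policy type inspect (\S+)$")
BAD_EQ = re.compile(r"\beq \d+:\d+")  # IOS takes 'eq 21' or 'range 20 21', never 'eq 20:21'

def lint_zbf(config):
    """Return a list of findings for a Zone-Based Firewall config, in the order found."""
    zones, pairs, findings, current = set(), {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ZONE.match(line):
            zones.add(m.group(1))
        elif m := PAIR.match(line):
            current = m.group(1)
            pairs[current] = (m.group(2), m.group(3), None)  # policy filled in below
        elif (m := POLICY.match(line)) and current:
            src, dst, _ = pairs[current]
            pairs[current] = (src, dst, m.group(1))
        elif BAD_EQ.search(line):
            findings.append(f"invalid port syntax, use 'range A B': {line}")
    covered = {(src, dst) for src, dst, _ in pairs.values()}
    # ZBF default: traffic between two zones with no zone-pair is dropped, so each
    # missing direction is a deny of sessions initiated there (return traffic of the
    # reverse pair's inspected sessions still passes).
    for src, dst in permutations(sorted(zones), 2):
        if (src, dst) not in covered:
            findings.append(f"no zone-pair {src} -> {dst}: sessions initiated in {src} toward {dst} are dropped")
    # A zone-pair with no service-policy applied also drops everything.
    for name, (src, dst, policy) in sorted(pairs.items()):
        if policy is None:
            findings.append(f"zone-pair {name} ({src} -> {dst}) has no service-policy: traffic dropped")
    return findings
```

Run `lint_zbf(SAMPLE_CONFIG)` to see five findings; the three "no zone-pair" lines are the ones worth a deliberate decision, since with only out-zone sourced pairs the in-zone servers cannot initiate any session outward.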