Question : Problem: Cisco 851 Router - need help with access-lists for firewall

Hello all,

I recommended the purchase of a Cisco 851 router for a home network but have had no luck in implementing it. The requirements are simple:

1) The 851 needs to route traffic to the internet through a cable modem
2) The 851 should provide basic firewall features (i.e. only allow connections that initiate from the private network)
3) The 851 should act as a DHCP server for the private network and pass on the DHCP data it receives on the external interface to the internal clients

Basically it should act as a replacement for a faulty Linksys firewall/router. Being familiar with IOS but not an expert on it, I tried configuring the 851 firewall features through the GUI but found out the hard way that this will not work on this unit with version 12.4 of IOS.

So on I went to the cli and followed examples in the configuration guide as well as some I found on the forums like this one. My problem is that I think I have my access-lists screwy. Last night I was able to get internet access through the router from my PCs without a problem, only all connections originating from the outside were being allowed. That is, I could see that http access to my router was available on the external interface. I realized I needed a deny line in my access-lists but every time I add it, no one from the private network can get anywhere. They can ping the router, I can ssh to the router, but the connections either don't make it past the router or they can't get back in, I can't tell which.

I've attached the current router config, but below are the significant parts I believe. Any and all help is very much appreciated.

interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
-snip-
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit tcp 192.168.1.0 0.0.0.255 any
access-list 102 permit udp 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any log
access-list 105 permit icmp any any
access-list 105 deny ip any any log

Answer : Problem: Cisco 851 Router - need help with access-lists for firewall

Add this:

interface FastEthernet4
ip inspect firewall out
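Putting the posted ACLs and the answer side by side, this is how the stateful pieces fit together. It is an added example, not the poster's full config or the answerer's; the three `ip inspect name firewall ...` lines are an assumption, since the rule called `firewall` is referenced in the posted config but its definition fell inside the -snip-.

```cisco
! Added example, not the poster's full config. The three "ip inspect name"
! lines are assumed; the real definition of the rule named "firewall" is
! in the snipped part of the posted config.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
!
! LAN side (Vlan1, inbound): only traffic sourced from 192.168.1.0/24
! may leave the private network. Unchanged from the posted config.
access-list 102 permit tcp 192.168.1.0 0.0.0.255 any
access-list 102 permit udp 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any log
!
! WAN side (FastEthernet4, inbound): nothing is statically permitted
! except ICMP, which is why ping still worked. On its own this also
! blocks the replies to TCP/UDP sessions the LAN opened, which is the
! symptom described in the question.
access-list 105 permit icmp any any
access-list 105 deny ip any any log
!
! The fix from the answer: inspect sessions as they leave Fa4. CBAC then
! adds temporary openings ahead of ACL 105 for the return traffic of each
! inspected session, and only for that session; unsolicited inbound
! connections still hit the deny line and are logged.
interface FastEthernet4
 ip access-group 105 in
 ip inspect firewall out
 ip nat outside
!
interface Vlan1
 ip access-group 102 in
 ip inspect firewall in
 ip nat inside
```

After applying it, `show ip inspect sessions` lists the LAN-initiated sessions CBAC is currently letting back in; if a connection from the LAN never shows up there, check the ACL 102 log entries before blaming ACL 105.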