Question : Problem: Cisco 851 Router - need help with access-lists for firewall
Hello all,
I recommended the purchase of a Cisco 851 router for a home network but have had no luck in implementing it. The requirements are simple:
1) The 851 needs to route traffic to the internet through a cable modem
2) The 851 should provide basic firewall features (i.e. only allow connections that initiate from the private network)
3) The 851 should act as a DHCP server for the private network and pass on the DHCP data it receives on the external interface to the internal clients
Basically it should act as a replacement for a faulty Linksys firewall/router. Being familiar with IOS but not an expert on it, I tried configuring the 851 firewall features through the GUI but found out the hard way that this will not work on this unit with version 12.4 of IOS.
So on I went to the CLI and followed examples in the configuration guide as well as some I found on forums like this one. My problem is that I think I have my access-lists screwy. Last night I was able to get internet access through the router from my PCs without a problem, only all connections originating from the outside were being allowed. That is, I could see that HTTP access to my router was available on the external interface. I realized I needed a deny line in my access-lists, but every time I add it, no one from the private network can get anywhere. They can ping the router, I can SSH to the router, but the connections either don't make it past the router or they can't get back in; I can't tell which.
I've attached the current router config, but below are the significant parts I believe. Any and all help is very much appreciated.
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip access-group 102 in
ip inspect firewall in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
-snip-
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit tcp 192.168.1.0 0.0.0.255 any
access-list 102 permit udp 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any log
access-list 105 permit icmp any any
access-list 105 deny ip any any log
Answer : Problem: Cisco 851 Router - need help with access-lists for firewall
Add this:
interface FastEthernet4
ip inspect firewall out
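For anyone landing here with the same setup, below is an added example config (it is not from the original post or the answer above) showing how the inspect rule and the two ACLs fit together on an 851 with a DHCP-assigned WAN address. It assumes the inspect rule is the one named "firewall" that the post applies on Vlan1; its definition sits in the snipped part of the posted config, so it is restated here with tcp, udp and icmp inspection. Two caveats worth knowing: an "ip access-group" that references an ACL with no lines in it permits everything, so the first line you add (deny or not) is what brings the implicit deny into force; and DHCP replies from the ISP are not a CBAC-inspected session, so they need a static permit or the WAN lease cannot be renewed once ACL 105 is applied.

```cisco
! Added example, not the original poster's config. Assumes the inspect
! rule is named "firewall" (the name already applied on Vlan1 in the post).
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
!
! WAN side: ACL 105 is the inbound default-deny. CBAC adds dynamic permits
! ahead of these lines for every session it inspected on the way out, so
! only traffic that is NOT a reply to an inside host needs a static line.
no access-list 105
access-list 105 remark DHCP offers/acks to the WAN client are not a CBAC session
access-list 105 permit udp any eq bootps any eq bootpc
access-list 105 remark ICMP types needed for diagnostics and path-MTU discovery
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any unreachable
access-list 105 permit icmp any any time-exceeded
access-list 105 deny ip any any log
!
! LAN side: ACL 102 from the post already limits sources to 192.168.1.0/24;
! it stays as it is. Inspect each flow once: with the rule applied outbound
! on the WAN interface (the answer above), the "ip inspect firewall in" on
! Vlan1 does the same job from the other end and one of the two is enough.
interface FastEthernet4
 ip access-group 105 in
 ip inspect firewall out
!
! Verify while an inside host is browsing: sessions should be listed, and
! hits on the final deny line of 105 should be unsolicited traffic only.
show ip inspect config
show ip inspect sessions
show access-list 105
```

If "show ip inspect sessions" stays empty while inside hosts are browsing, the rule is not applied on an interface the traffic actually crosses; if sessions appear but the deny counter on ACL 105 climbs with the replies, the ACL is applied on the interface but the inspect rule is not, since the dynamic entries CBAC creates are what let those replies through.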