This tutorial is the first in a series of howtos that will walk through the basic steps of using Firewall Builder to configure each of the supported firewall platforms. In this tutorial we will configure Access Control Lists (ACL) on a Cisco router.
The diagram below shows a simple two-interface router configuration, with the router acting as the gateway to the Internet for a private LAN.
We will use Firewall Builder to implement the following basic rules as access lists on the router.
- Allow inside traffic (10.0.0.0/24) through the router to any Internet address for the HTTP and HTTPS protocols.
- Allow inside traffic (10.0.0.0/24) through the router to a specific IP address (198.51.100.1) for the POP3 protocol.
- Allow inside traffic (10.0.0.0/24) to the router's inside interface (FastEthernet0/1) for the SSH protocol.
- Block all incoming traffic to the router's outside interface (FastEthernet0/0).
The NAT configuration on the router is as follows:
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat inside
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
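For reference, here is a hand-written IOS extended ACL configuration that implements the four rules listed above on this router. It is an added example, not the page's text and not output generated by Firewall Builder; the interface addresses (10.0.0.1 on FastEthernet0/1, 203.0.113.1 on FastEthernet0/0) and the ACL names INSIDE_IN and OUTSIDE_IN are assumptions, since the page does not give them.

```cisco
! Added example: manual equivalent of the four rules, not Firewall Builder output.
! Assumed addresses: FastEthernet0/1 = 10.0.0.1, FastEthernet0/0 = 203.0.113.1
ip access-list extended INSIDE_IN
 remark Rule 1: LAN to anywhere for HTTP and HTTPS
 permit tcp 10.0.0.0 0.0.0.255 any eq 80
 permit tcp 10.0.0.0 0.0.0.255 any eq 443
 remark Rule 2: LAN to the POP3 server only
 permit tcp 10.0.0.0 0.0.0.255 host 198.51.100.1 eq 110
 remark Rule 3: LAN hosts may SSH to the router's inside interface
 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 22
 remark Make the implicit deny explicit and log what it drops
 deny ip any any log
!
ip access-list extended OUTSIDE_IN
 remark IOS ACLs are stateless, and the inbound ACL on the outside interface
 remark runs before NAT un-translates replies, so TCP replies addressed to the
 remark overloaded address must be admitted explicitly or the LAN gets no answers
 permit tcp any host 203.0.113.1 established
 remark Rule 4: nothing else may reach the outside interface
 deny ip any host 203.0.113.1 log
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group INSIDE_IN in
interface FastEthernet0/0
 ip access-group OUTSIDE_IN in
```

Both lists are applied inbound, so traffic is filtered as it arrives from the LAN (INSIDE_IN) and as it arrives from the Internet (OUTSIDE_IN). The `established` line is the one practitioners most often forget: without it, rule 4 as literally stated also drops the return half of every session the LAN opened through NAT. Logging on the explicit deny lines gives you a record of what the ACL rejected when you validate the ruleset.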
Step 1: Create Network Objects
We are going to start by creating the objects that will be used in the rules. Firewall Builder includes hundreds of predefined objects, including most standard protocols, so to implement the rules above we will only need to create the objects that are specific to our network. For our rules this means we need to create objects for the internal 10.0.0.0/24 network and for the POP3 server with an IP address of 198.51.100.1.