Monday, 24 March 2008

Cisco Router DMZ

I did say before that I would most likely come back to DMZ at a later date, and here we are. First we need to clear up some terms so that we don't get confused. For this post I'm going to name the interfaces public, private and DMZ, which should keep things nice and clear, along with source and destination: the source is the IP and port that the traffic is coming from, and the destination is, well, you guessed it.

Part one: inbound traffic
In this example I have a private range of 192.168.32.x and a DMZ range of 192.168.30.x.

Now, because the 192.168.x.x range, and others like 10.x.x.x and 172.16.x.x, are well known to hackers and other spy programmes, the first thing we are going to do is stop spoofed packets entering the network: nothing arriving from the outside should ever carry one of our own internal ranges as its source address.

access-list 100 deny ip 192.168.30.0 0.0.0.255 any
access-list 100 deny ip 192.168.32.0 0.0.0.255 any
access-list 100 permit ip any any

This access list is applied to my public interface, in this case serial0/0.

interface serial0/0
ip access-group 100 in

Notice that the word in is used. If I had used out I would have blocked all traffic with these IPs leaving my network, but with in I am blocking all traffic with these source IPs entering my network.

Now I'm going to create another access list to allow only DMZ traffic in on the DMZ interface.

access-list 101 permit ip 192.168.30.0 0.0.0.255 any

and apply it to my DMZ interface, in this case ethernet0/0.

interface ethernet0/0
ip access-group 101 in

Now for the private network: stop everything but my internal range from being able to use this interface.

access-list 102 permit ip 192.168.32.0 0.0.0.255 any

and apply this to my private interface, which in this case is ethernet0/1.

interface ethernet0/1
ip access-group 102 in

OK, now we have the first part done: we have set up what traffic can enter our network on each interface, but we haven't yet said what can leave it. At the moment any traffic can leave our network as long as it has the right IP range for that interface, so it's time to create three more access lists, one for each interface, applied with the out keyword. First up is the public interface.

Just before we begin creating these lists we need to look at what we need to allow and where from. We don't want to allow everything, as this would make the list useless, and at the same time we need to allow some traffic, so make a quick list of what services need access to the outside world.

In my case I have an email, DNS, web and proxy server on the DMZ; these are accessed from both the public and private networks.

Part two: outbound traffic
First, let's say we want to be able to ping the outside world and the DMZ from the private LAN, so we will need ICMP. I'm also going to need my DNS server to be able to send and receive DNS zone updates and requests.

Now, I've put my servers on the following IPs; this will make it easier when you read the access lists to see where the traffic is going.

eMail 192.168.30.4
DNS 192.168.30.3
Web 192.168.30.2
Proxy 192.168.30.1

I'm also going to apply the outgoing access lists to the interfaces like this:
list 103 Public interface
list 104 DMZ interface
list 105 Private interface

First we'll build the ACL for the public interface. This should allow all your outbound connections to go to the internet from your DMZ. Note that on this list the DMZ range is always the source address, because the list filters traffic leaving towards the internet, and that the host keyword takes a single address, so it cannot be combined with a wildcard mask.


access-list 103 remark replies from DMZ servers to sessions opened from the internet
access-list 103 permit tcp 192.168.30.0 0.0.0.255 any established
access-list 103 remark DNS server queries and zone transfers out
access-list 103 permit udp host 192.168.30.3 eq domain any eq domain
access-list 103 permit udp host 192.168.30.3 gt 1023 any eq domain
access-list 103 permit udp host 192.168.30.3 eq domain any gt 1023
access-list 103 permit tcp host 192.168.30.3 any eq domain
access-list 103 remark DMZ hosts answering pings from outside
access-list 103 permit icmp 192.168.30.0 0.0.0.255 any echo-reply
access-list 103 remark only the proxy may open any TCP connection outbound, the mail server only SMTP
access-list 103 permit tcp host 192.168.30.1 any
access-list 103 permit tcp host 192.168.30.4 any eq smtp


After that we have the all-important DMZ list. This has to allow traffic from the internet and from the LAN onto the DMZ, but only what is needed.


access-list 104 remark replies to connections the DMZ servers opened themselves
access-list 104 permit tcp any 192.168.30.0 0.0.0.255 established
access-list 104 remark DNS queries and zone transfers in to the DNS server
access-list 104 permit udp any eq domain host 192.168.30.3 eq domain
access-list 104 permit udp any eq domain host 192.168.30.3 gt 1023
access-list 104 permit udp any gt 1023 host 192.168.30.3 eq domain
access-list 104 remark anyone may ping the DMZ
access-list 104 permit icmp any 192.168.30.0 0.0.0.255 echo
access-list 104 remark public web server
access-list 104 permit tcp any host 192.168.30.2 eq www
access-list 104 remark LAN clients to the proxy: FTP, telnet and the 8080 proxy port
access-list 104 permit tcp 192.168.32.0 0.0.0.255 host 192.168.30.1 range ftp-data ftp
access-list 104 permit tcp 192.168.32.0 0.0.0.255 host 192.168.30.1 eq telnet
access-list 104 permit tcp 192.168.32.0 0.0.0.255 host 192.168.30.1 eq 8080
access-list 104 remark active-mode FTP data connections back to the proxy
access-list 104 permit tcp any eq ftp-data host 192.168.30.1 gt 1023
access-list 104 remark inbound mail
access-list 104 permit tcp any host 192.168.30.4 eq smtp
access-list 104 remark TCP DNS (zone transfers) from two named hosts only
access-list 104 permit tcp host 172.16.1.2 host 192.168.30.3 eq domain
access-list 104 permit tcp host 172.16.1.4 host 192.168.30.3 eq domain


And finally we configure the private interface to let traffic from the DMZ into the LAN, in reply to requests from the LAN.

access-list 105 remark replies from DMZ servers to sessions the LAN opened
access-list 105 permit tcp 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255 established
access-list 105 permit icmp 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255 echo-reply
access-list 105 remark active-mode FTP data from the proxy, and mail delivery from the mail server
access-list 105 permit tcp host 192.168.30.1 eq ftp-data 192.168.32.0 0.0.0.255 gt 1023
access-list 105 permit tcp host 192.168.30.4 192.168.32.0 0.0.0.255 eq smtp

Now that all the access lists have been written we need to apply them to the interfaces like so.

interface serial0/0
ip access-group 100 in
ip access-group 103 out

interface ethernet0/0
ip access-group 101 in
ip access-group 104 out

interface ethernet0/1
ip access-group 102 in
ip access-group 105 out
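As an added example (not part of the original post), here is a small Python evaluator for the access-list syntax used above: it applies IOS first-match semantics with the implicit deny, loads a constructed subset of lists 100, 103 and 104 (written with the host keyword dropped from the two established lines, since host takes a single address and cannot be followed by a wildcard mask), and lets you check which sample packets each list accepts on its interface.

```python
import ipaddress
from collections import namedtuple
# Added example, not from the post: evaluates the post's access-list syntax with IOS
# semantics (top down, first match wins, implicit "deny ip any any" at the end).
PORTS = {"domain": 53, "smtp": 25, "www": 80, "telnet": 23, "ftp": 21, "ftp-data": 20}
Packet = namedtuple("Packet", "proto src sport dst dport established icmp_type",
                    defaults=(False, ""))  # established = TCP ACK/RST set; icmp_type = echo|echo-reply

def _addr(tok):  # 'any' | 'host A' | 'A WILDCARD' -> (matcher, remaining tokens)
    if tok[0] == "any": tok = ["0.0.0.0", "255.255.255.255"] + tok[1:]  # IOS shorthand
    if tok[0] == "host": tok = [tok[1], "0.0.0.0"] + tok[2:]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tok[:2])
    return (lambda ip: (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)), tok[2:]

def _port(tok):  # optional 'eq P' | 'gt P' -> (matcher, remaining tokens)
    if tok and tok[0] in ("eq", "gt"):
        op, p = tok[0], PORTS.get(tok[1]) or int(tok[1])
        return (lambda x: x == p if op == "eq" else x > p), tok[2:]
    return (lambda x: True), tok

def load_acls(config):
    acls = {}
    for line in config.splitlines():  # access-list N permit|deny PROTO SRC [op] DST [op] [flag]
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] == "remark":
            continue
        src, rest = _addr(tok[4:]); sport, rest = _port(rest)
        dst, rest = _addr(rest); dport, rest = _port(rest)
        rule = (tok[2], tok[3], src, sport, dst, dport, rest[0] if rest else "")
        acls.setdefault(int(tok[1]), []).append(rule)
    return acls

def evaluate(rules, pkt):
    for action, proto, src, sport, dst, dport, flag in rules:
        if (proto in ("ip", pkt.proto) and src(pkt.src) and dst(pkt.dst)
                and sport(pkt.sport) and dport(pkt.dport)
                and (flag != "established" or pkt.established)
                and (flag not in ("echo", "echo-reply") or pkt.icmp_type == flag)):
            return action
    return "deny"  # the implicit deny that ends every IOS ACL
# Constructed subset of the post's lists: 100 (public in), 103 (public out), 104 (DMZ out).
ACLS = load_acls("""
access-list 100 deny ip 192.168.30.0 0.0.0.255 any
access-list 100 deny ip 192.168.32.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 103 permit tcp 192.168.30.0 0.0.0.255 any established
access-list 103 permit tcp host 192.168.30.1 any
access-list 104 permit tcp any 192.168.30.0 0.0.0.255 established
access-list 104 permit udp any gt 1023 host 192.168.30.3 eq domain
access-list 104 permit tcp any host 192.168.30.2 eq www
""")
```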

I hope all this hasn't lost you; if it has, or you need more detail on something, write me a comment. I do read them.
