
Setting Up A Cisco Router Firewall and DMZ https://www.parkansky.com/tutorials/dmz.htm

Setting Up a DMZ with Cisco Routers

Setting up a DMZ with Cisco routers not only helps protect your internal network, but the PAT
(Port Address Translation) feature in the Cisco IOS means you can send traffic destined for a
single IP address to multiple servers. It does this by routing traffic to the appropriate server
based on the destination port number. Traffic destined for port 25 is sent to your mail server,
traffic destined for port 80 is sent to your Web server, etc. In this way, multiple servers can share
a single public (external) IP address.

Because you can share a single public IP address, there's no need to pay your ISP for multiple
addresses to host multiple Internet servers and services. However, this setup will also work if you
do have a public IP subnet with multiple addresses. Typically in this scenario there will be some
sort of ISDN router or DSL bridge provided by the ISP. The incoming connection can be anything
from ISDN to DSL to cable to T1. In our example we're using a Cisco 806 router for the outside
firewall. This model has two Ethernet ports and a built-in hub, which makes it a good choice for
DSL or cable connections. However, the configs given on this page should work with just about
any Cisco router (although you may have to upgrade the IOS to one that has the "Firewall"
feature set).

Note in the following diagram that the DMZ is itself a totally separate private network. Requests
from clients on the internal LAN for external Internet services, and the subsequent responses,
simply traverse the DMZ.

Outside Filter Router (806)

This router is primarily used to do two things. First, it does NAT (Network Address Translation)
on outgoing traffic (changes the source IP address of the packets from an internal LAN address
to the address of the external interface). Second, it routes incoming traffic either to the
internal LAN or, by PAT (Port Address Translation), to one of the DMZ servers based on the
destination port number (port 80 to the Debian box and port 25 to the Solaris box). See the 806
config below. With some platforms you may have to upgrade to a Firewall feature set IOS on this
router to get the NAT/PAT functionality. Even if not, you'll want that feature set on it to guard
against the usual DoS and other types of pattern-based attacks.

Inside Filter Router (1720)

This router is primarily used to implement policies. It is used to restrict who can get to what on
the Internet by restricting outbound traffic to several well-known port numbers. Only two types
of inbound traffic are allowed. Because TCP is a connection-oriented protocol, when a system on
the internal LAN requests one of the allowed services from an Internet server (including one of
the DMZ servers), a connection is established between them. One of the types of traffic allowed
in from the "outside" is response traffic received over this connection (as denoted by the
established keyword in the 1720 config below). The other type allowed in is traffic from a
known, external (ISP) DNS server. It is assumed this traffic represents responses to DNS queries
from systems on the internal LAN. (The DMZ servers would also be configured to use these
external DNS servers.) See the 1720 config below.

Cisco 806 routers are going for around $300 on eBay and 1720s for a couple hundred more. You
don't need to have a 1720 to do this. Using two 806s will work just as well. It's just that the 1720
is a modular router with a couple WIC slots for a variety of interface needs (so it would likely be
the better choice for the outside-filter router given the variety of broadband connections out
there.)

Two things to note with this setup. Users on the local LAN would have their POP e-mail clients
set to retrieve mail from the Solaris box (which is why port 110 is opened on the inside router).
Also, they'll want to set their FTP client software to use "Passive" transfer mode.

NOTE: These configs are from a lab setup and are presented for
educational purposes only. They should NOT be used on production
routers because they do not implement the security features necessary
for securing Internet-connected routers. See the information below on
the book "Hardening Cisco Routers" if you plan to set up production
Internet-connected routers.

Outside (806) Filter Router Config (primarily does NAT and PAT)

version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
enable secret 5 $1$QCbf$D7PDt6pAZek52ln8EFJt2/
!
hostname outside-filter
!
!
no ip dhcp-client network-discovery
no ip http server
no ip domain-lookup
ip subnet-zero
ip classless
!
!
! DMZ interface
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
! ISP interface
interface Ethernet1
ip address 216.93.82.8 255.255.255.240
ip nat outside
!
!
! Default route to ISP's gateway
ip route 0.0.0.0 0.0.0.0 216.93.82.1
! Static route to inside filter router (internal LAN traffic)
ip route 172.17.0.0 255.255.0.0 10.10.10.2
!
!
! Allow traffic from internal LAN out
access-list 1 permit 172.17.0.0 0.0.255.255
!
ip nat inside source list 1 interface Ethernet1 overload
! Send incoming SMTP mail traffic to Solaris box
ip nat inside source static tcp 10.10.10.5 25 216.93.82.8 25 extendable
! Send incoming Web traffic to Debian box
ip nat inside source static tcp 10.10.10.3 80 216.93.82.8 80 extendable
!
!
line con 0
exec-timeout 30 0
stopbits 1
line vty 0 4
no login
!
no scheduler allocate
end
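As an added illustration (not part of the original page), the following Python model reproduces what the 806 config above does to a packet: overload translation for LAN sources matched by access-list 1, the static port map for inbound mail and Web traffic, and the case that neither rule covers. The NatBox class, its sequential port numbering and the sample values 172.17.3.4 and port 40000 are assumptions; the SMTP entry sends port 25 to the Solaris box as the text describes.

```python
import ipaddress

PUBLIC = "216.93.82.8"                                 # 806 Ethernet1, 'ip nat outside'
NAT_LIST_1 = ipaddress.ip_network("172.17.0.0/16")     # access-list 1, feeds the overload rule
# 'ip nat inside source static tcp <inside> <port> <public> <port> extendable' entries,
# with SMTP going to the Solaris box on port 25 as the text describes
STATIC_PAT = {("tcp", 25): ("10.10.10.5", 25),         # SMTP -> Solaris box
              ("tcp", 80): ("10.10.10.3", 80)}         # HTTP -> Debian box


class NatBox:
    """Constructed model of the outside-filter router's translations (not IOS code)."""

    def __init__(self):
        self.dynamic = {}      # (proto, public_port) -> (inside_ip, inside_port)
        self.by_inside = {}    # (proto, inside_ip, inside_port) -> public_port
        self.next_port = 1024  # this model hands out overload ports sequentially

    def outbound(self, proto, src, sport):
        """Inside -> outside packet. Returns the (src, sport) it leaves with."""
        if ipaddress.ip_address(src) in NAT_LIST_1:     # LAN host: overload onto PUBLIC
            key = (proto, src, sport)
            if key not in self.by_inside:               # first packet of the flow: bind a port
                self.by_inside[key] = self.next_port
                self.dynamic[(proto, self.next_port)] = (src, sport)
                self.next_port += 1
            return PUBLIC, self.by_inside[key]
        if STATIC_PAT.get((proto, sport)) == (src, sport):   # server replying from its mapped port
            return PUBLIC, sport
        # Neither rule matches (e.g. a DMZ host on an ephemeral port): the packet is
        # forwarded as-is, so it reaches the ISP with a private source address.
        return src, sport

    def inbound(self, proto, dst, dport):
        """Outside -> inside packet. Returns the inside (dst, dport), or None if unmapped."""
        if dst != PUBLIC:
            return None
        # Replies to LAN flows are checked first, then the static port map, then nothing.
        return self.dynamic.get((proto, dport)) or STATIC_PAT.get((proto, dport))


if __name__ == "__main__":
    box = NatBox()
    print(box.outbound("tcp", "172.17.3.4", 40000))   # LAN web request leaves as 216.93.82.8:1024
    print(box.inbound("tcp", PUBLIC, 1024))            # its reply is mapped back to 172.17.3.4:40000
    print(box.inbound("tcp", PUBLIC, 25))              # Internet mail lands on 10.10.10.5:25
    print(box.inbound("tcp", PUBLIC, 22))              # no mapping for port 22: None
```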

Inside (1720) Filter Router Config (primarily does traffic restrictions)

version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no logging buffered
memory-size iomem 25
enable secret 5 $1$NeV1$I3MvlMKWG2HnKKxYq2KjJ1
!
hostname inside-filter
!
!
ip audit notify log
ip audit po max-events 100
no ip finger
no ip domain-lookup
no ip http server
ip subnet-zero
ip classless
!
!
! DMZ interface
interface FastEthernet0
ip address 10.10.10.2 255.255.255.0
ip access-group 101 in
!
! LAN interface
interface Ethernet0
ip address 172.17.0.1 255.255.0.0
ip access-group 111 in
!
!
! Default route to inside (DMZ) interface
! of outside filter router
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
! Allow INbound responses from Internet DNS server
access-list 101 permit udp host 216.93.82.5 172.17.0.0 0.0.255.255
! Allow INbound responses from connection-oriented (TCP) requests
access-list 101 permit tcp any 172.17.0.0 0.0.255.255 established
!
! Allow OUTbound requests to DNS, Web and SSL,
! Mail (both SMTP and POP), and FTP (both control and data)
access-list 111 permit udp 172.17.0.0 0.0.255.255 any eq 53
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 80
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 443
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 25
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 110
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 21
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 20
!
!
line con 0
exec-timeout 30 0
transport input none
line aux 0
line vty 0 4
login
password LETMEIN
!
no scheduler allocate
end
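The following Python model, added here and not from the original page, evaluates the two 1720 access lists above against constructed packets, including the ACK/RST test behind the `established` keyword and the implicit deny at the end of every IOS access list. The function and packet names are assumptions, and 198.51.100.9 stands in for an arbitrary Internet host.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care' for that bit."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("172.17.0.0", "0.0.255.255")
DNS = ("216.93.82.5", "0.0.0.0")            # 'host 216.93.82.5', the ISP's DNS server

# Entries are (proto, src, dst, dst_port or None, established), in the ACL's order.
ACL_101 = [  # 'ip access-group 101 in' on the DMZ-facing FastEthernet0
    ("udp", DNS, LAN, None, False),
    ("tcp", ANY, LAN, None, True),
]
ACL_111 = [  # 'ip access-group 111 in' on the LAN-facing Ethernet0
    ("udp", LAN, ANY, 53, False),
] + [("tcp", LAN, ANY, port, False) for port in (80, 443, 25, 110, 21, 20)]


def packet(proto, src, dst, dport, sport=40000, flags=()):
    """Constructed packet summary; flags are TCP flag names such as SYN, ACK, RST."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport,
            "sport": sport, "flags": set(flags)}


def evaluate(acl, pkt):
    """First matching entry wins; no match falls through to the implicit 'deny any'."""
    for proto, (sb, sw), (db, dw), dport, established in acl:
        if pkt["proto"] != proto:
            continue
        if not (wildcard_match(pkt["src"], sb, sw) and wildcard_match(pkt["dst"], db, dw)):
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        # 'established' only matches segments with ACK or RST set, i.e. replies to a
        # connection the LAN opened; a bare SYN arriving from outside never matches.
        if established and not pkt["flags"] & {"ACK", "RST"}:
            continue
        return "permit"
    return "deny"


if __name__ == "__main__":
    # Reply to a LAN web request: permitted by the 'established' entry of list 101.
    print(evaluate(ACL_101, packet("tcp", "216.93.82.8", "172.17.3.4", 40000, 80, ("SYN", "ACK"))))
    # Active-mode FTP data connection opened by the server from port 20: a new SYN, denied.
    print(evaluate(ACL_101, packet("tcp", "198.51.100.9", "172.17.3.4", 40001, 20, ("SYN",))))
```

The second call in the main block is why the text tells LAN users to set their FTP clients to passive mode: an active-mode data connection is a fresh SYN from the server's port 20, which no entry in list 101 permits.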

If you're going to have any Cisco router interface connected to the Internet or any other type of
"untrusted" network (trading partner extranet, etc.) I strongly suggest you get this book:

Any kind of Internet connection is risky. If you connect Cisco routers to the Internet you'll
want Hardening Cisco Routers. It's an administrator's book. Threats and the IOS commands needed
to mitigate them are given. Each chapter has a checklist you can use to check your routers to make
sure they comply with all of the points mentioned. Just the information on setting up your routers
for secure remote access alone is worth the price of the book. It also shows you how to limit your
router's SNMP exposure which, if you've looked at Cisco's "IOS Upgrade Planner" Web page lately,
you know presents a big security threat to IOS devices. At $18 it's got to be the biggest bargain
in the Cisco world. Another fine book in the O'Reilly tradition of real world info for real world
situations. (After you get the book be sure to check O'Reilly's Web site - www.oreilly.com - for
the errata. There are a couple minor things and some reader comments that are important, more so
with a book of this nature which focuses on securing routers.)

Contents, diagrams, and images Copyright © 2004-2020 Keith Parkansky All rights reserved.
Certain graphics, symbols, and terms used on this site and in its documents are registered trademarks
of their respective owners and are contained herein for identification purposes only.
No endorsement of this site, its contents, or its documents by these owners is expressed or implied.