Setting Up a DMZ with Cisco Routers








Setting up a DMZ with Cisco routers not only helps protect your internal network, but the PAT (Port Address Translation) feature in the Cisco IOS means you can send traffic destined for a single IP address to multiple servers. It does this by routing traffic to the appropriate server based on the destination port number. Traffic destined for port 25 is sent to your mail server, traffic destined for port 80 is sent to your Web server, etc. In this way, multiple servers can share a single public (external) IP address.

Because you can share a single public IP address, there's no need to pay your ISP for multiple addresses to host multiple Internet servers and services. However, this setup will also work if you do have a public IP subnet with multiple addresses. Typically in this scenario there will be some sort of ISDN router or DSL bridge provided by the ISP. The incoming connection can be anything from ISDN to DSL to cable to T1. In our example we're using a Cisco 806 router for the outside firewall. This model has two Ethernet ports and a built-in hub, which makes it a good choice for DSL or cable connections. However, the configs given on this page should work with just about any Cisco router (although you may have to upgrade the IOS to one that has the "Firewall" feature set).

Note in the following diagram that the DMZ is itself a totally separate private network. Requests, and subsequent responses, for external Internet services from clients on the internal LAN simply traverse the DMZ.

[Diagram: Cisco DMZ]

Outside Filter Router (806)

This router is primarily used to do two things. First, it does NAT (Network Address Translation) on outgoing traffic (changes the source IP address of the packets from an internal LAN address to the address of the external interface). Second, it appropriately routes incoming traffic to either the internal LAN or does PAT (Port Address Translation) to one of the DMZ servers based on the destination port number (port 80 to the Debian box and port 25 to the Solaris box). See the 806 config below. With some platforms you may have to upgrade to a Firewall feature set IOS on this router to get the NAT/PAT functionality. Even if not, you'll want that feature set on it to guard against the usual DoS and other types of pattern-based attacks.

Inside Filter Router (1720)

This router is primarily used to implement policies. It is used to restrict who can get to what on the Internet by restricting outbound traffic to several well-known port numbers. Only two types of inbound traffic are allowed. Because TCP is a connection-oriented protocol, when a system on the internal LAN requests one of the allowed services from an Internet server (including one of the DMZ servers), a connection is established between them. One of the types of traffic allowed in from the "outside" is response traffic received over this connection (as denoted by the established keyword in the 1720 config below). The other type allowed in is traffic from a known, external (ISP) DNS server. It is assumed this traffic represents responses to DNS queries from systems on the internal LAN. (The DMZ servers would also be configured to use these external DNS servers.) See the 1720 config below.

Cisco 806 routers are going for around $300 on eBay and 1720s for a couple hundred more. You don't need to have a 1720 to do this. Using two 806s will work just as well. It's just that the 1720 is a modular router with a couple WIC slots for a variety of interface needs (so it would likely be the better choice for the outside-filter router given the variety of broadband connections out there.)

Two things to note with this setup. Users on the local LAN would have their POP e-mail clients set to retrieve mail from the Solaris box (which is why port 110 is opened on the inside router). Also, they'll want to set their FTP client software to use "Passive" transfer mode.

NOTE:  These configs are from a lab setup and are presented for educational purposes only. They should NOT be used on production routers because they do not implement the security features necessary for securing Internet-connected routers. See the information below on the book "Hardening Cisco Routers" if you plan to set up production Internet-connected routers.


Outside (806) Filter Router Config
(primarily does NAT and PAT)


version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
enable secret 5 $1$QCbf$D7PDt6pAZek52ln8EFJt2/
!
hostname outside-filter
!
!
no ip dhcp-client network-discovery
no ip http server
no ip domain-lookup
ip subnet-zero
ip classless
!
!
!    DMZ interface
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
!    ISP interface
interface Ethernet1
 ip address 216.93.82.8 255.255.255.240
 ip nat outside
!
!
!    Default route to ISP's gateway
ip route 0.0.0.0 0.0.0.0 216.93.82.1
!    Static route to inside filter router (internal LAN traffic)
ip route 172.17.0.0 255.255.0.0 10.10.10.2
!
!
!    Allow traffic from internal LAN out
access-list 1 permit 172.17.0.0 0.0.255.255
!
ip nat inside source list 1 interface Ethernet1 overload
!    Send incoming SMTP mail traffic (port 25) to Solaris box
ip nat inside source static tcp 10.10.10.5 25 216.93.82.8 25 extendable
!    Send incoming Web traffic to Debian box
ip nat inside source static tcp 10.10.10.3 80 216.93.82.8 80 extendable
!
!
line con 0
 exec-timeout 30 0
 stopbits 1
line vty 0 4
 no login
!
no scheduler allocate
end
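To see what the 806's NAT statements actually do to a packet, here is an added toy model of the overload rule and the two static PAT entries above (example code written for this page, not Cisco's implementation). It assumes the SMTP entry forwards to port 25 on the Solaris box, as the prose describes, and it allocates outside ports sequentially, which real IOS does not.

```python
import ipaddress

OUTSIDE_IP = "216.93.82.8"                                # Ethernet1 on the 806
NAT_INSIDE_LIST = ipaddress.ip_network("172.17.0.0/16")   # access-list 1
# Static PAT entries, constructed to match the two "ip nat inside source static" lines:
# (proto, port on the outside address) -> (DMZ host, port on that host)
STATIC_PAT = {("tcp", 25): ("10.10.10.5", 25), ("tcp", 80): ("10.10.10.3", 80)}


class PatRouter:
    """Toy model of 'ip nat inside source list 1 interface Ethernet1 overload'."""

    def __init__(self):
        # (proto, inside ip, inside port, remote ip, remote port) -> outside port
        self.table = {}
        self.next_port = 1024   # constructed: IOS picks ports differently, the idea is the same

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> outside. Returns the translated (src, sport), or None if list 1 doesn't match."""
        if ipaddress.ip_address(src) not in NAT_INSIDE_LIST:
            return None         # e.g. a DMZ host itself: 10.10.10.0/24 is not in access-list 1
        key = (proto, src, sport, dst, dport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return OUTSIDE_IP, self.table[key]

    def inbound(self, proto, src, sport, dst, dport):
        """Outside -> inside. Returns the real (dst, dport), or None when the packet is dropped."""
        if dst != OUTSIDE_IP:
            return None
        if (proto, dport) in STATIC_PAT:            # port-forward to the DMZ server for that port
            return STATIC_PAT[(proto, dport)]
        for (p, in_ip, in_port, r_ip, r_port), out_port in self.table.items():
            # only a reply to an existing outbound flow is translated back to the LAN host
            if (p, r_ip, r_port, out_port) == (proto, src, sport, dport):
                return in_ip, in_port
        return None                                  # unsolicited: no translation, dropped
```

The last case is why overload NAT alone keeps unsolicited Internet traffic off the LAN: without a table entry or a static mapping there is nowhere to send it.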




Inside (1720) Filter Router Config
(primarily does traffic restrictions)


version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no logging buffered
memory-size iomem 25
enable secret 5 $1$NeV1$I3MvlMKWG2HnKKxYq2KjJ1
!
hostname inside-filter
!
!
ip audit notify log
ip audit po max-events 100
no ip finger
no ip domain-lookup
no ip http server
ip subnet-zero
ip classless
!
!
!    DMZ interface
interface FastEthernet0
 ip address 10.10.10.2 255.255.255.0
 ip access-group 101 in
!
!    LAN interface
interface Ethernet0
 ip address 172.17.0.1 255.255.0.0
 ip access-group 111 in
!
!
!    Default route to inside (DMZ) interface
!    of outside filter router
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
!    Allow INbound responses from Internet DNS server
access-list 101 permit udp host 216.93.82.5 172.17.0.0 0.0.255.255
!    Allow INbound responses from connection-oriented (TCP) requests
access-list 101 permit tcp any 172.17.0.0 0.0.255.255 established
!
!    Allow OUTbound requests to DNS, Web and SSL,
!    Mail (both SMTP and POP), and FTP (both control and data)
access-list 111 permit udp 172.17.0.0 0.0.255.255 any eq 53
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 80
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 443
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 25
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 110
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 21
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 20
!
!
line con 0
 exec-timeout 30 0
 transport input none
line aux 0
line vty 0 4
 login
 password LETMEIN
!
no scheduler allocate
end
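The following added example (written for this page, not part of the original configs) is a small evaluator for the two ACLs above. It parses the IOS wildcard-mask syntax and the established keyword, then lets you check which sample packets the 1720 would pass on each interface; the ACL text is copied from the config, the packets are constructed.

```python
import ipaddress

# Constructed copies of the two ACLs in the 1720 config, same rules in the same order.
ACL_101 = ["permit udp host 216.93.82.5 172.17.0.0 0.0.255.255",   # DNS replies from the ISP
           "permit tcp any 172.17.0.0 0.0.255.255 established"]    # replies to LAN-initiated TCP
ACL_111 = ["permit udp 172.17.0.0 0.0.255.255 any eq 53"] + [
    f"permit tcp 172.17.0.0 0.0.255.255 any eq {p}" for p in (80, 443, 25, 110, 21, 20)]

def parse_addr(tok, i):
    """Consume an IOS address spec (any | host A | A WILDCARD); return (matcher, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        want = ipaddress.ip_address(tok[i + 1])
        return (lambda ip: ip == want), i + 2
    net, wild = int(ipaddress.ip_address(tok[i])), int(ipaddress.ip_address(tok[i + 1]))
    # a wildcard bit of 1 means "don't care", so compare only the bits the wildcard leaves at 0
    return (lambda ip: (int(ip) | wild) == (net | wild)), i + 2

def parse_port(tok, i):
    """Optional 'eq N' qualifier; None means any port."""
    return (int(tok[i + 1]), i + 2) if i < len(tok) and tok[i] == "eq" else (None, i)

def parse_rule(line):
    tok = line.split()
    src, i = parse_addr(tok, 2)
    sport, i = parse_port(tok, i)
    dst, i = parse_addr(tok, i)
    dport, i = parse_port(tok, i)
    return dict(action=tok[0], proto=tok[1], src=src, sport=sport, dst=dst,
                dport=dport, established="established" in tok[i:])

def packet(proto, src, sport, dst, dport, ack=False):
    """A packet as the ACL sees it; ack=True marks a reply segment (ACK bit set)."""
    return dict(proto=proto, src=ipaddress.ip_address(src), sport=sport,
                dst=ipaddress.ip_address(dst), dport=dport, ack=ack)

def evaluate(acl, pkt):
    """First matching rule wins; every IOS ACL ends with an implicit deny."""
    for r in map(parse_rule, acl):
        if r["proto"] != pkt["proto"] or not r["src"](pkt["src"]) or not r["dst"](pkt["dst"]):
            continue
        if r["sport"] not in (None, pkt["sport"]) or r["dport"] not in (None, pkt["dport"]):
            continue
        if r["established"] and not pkt["ack"]:   # established = ACK (or RST) bit set
            continue
        return r["action"]
    return "deny"
```

Running it shows the asymmetry the text describes: a LAN host's request to port 80 passes ACL 111 and the reply passes ACL 101, while a fresh SYN arriving from the DMZ side towards the LAN has no ACK bit and falls through to the implicit deny.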



If you're going to have any Cisco router interface connected to the Internet or any other type of "untrusted" network (trading partner extranet, etc.) I strongly suggest you get this book:

Hardening Cisco Routers
Any kind of Internet connection is risky. If you connect Cisco routers to the Internet you'll want Hardening Cisco Routers. It's an administrator's book. Threats and the IOS commands needed to mitigate them are given. Each chapter has a checklist you can use to check your routers to make sure they comply with all of the points mentioned. Just the information on setting up your routers for secure remote access alone is worth the price of the book. It also shows you how to limit your router's SNMP exposure which, if you've looked at Cisco's "IOS Upgrade Planner" Web page lately, you know presents a big security threat to IOS devices. At $18 it's got to be the biggest bargain in the Cisco world. Another fine book in the O'Reilly tradition of real world info for real world situations. (After you get the book be sure to check O'Reilly's Web site - www.oreilly.com - for the errata. There are a couple minor things and some reader comments that are important, more so with a book of this nature which focuses on securing routers.)



Contents, diagrams, and images    Copyright © 2004-2014    Keith Parkansky    All rights reserved.