Setting Up a DMZ
Setting up a DMZ with Cisco routers not only helps protect your internal network, but the PAT (Port Address Translation) feature in the Cisco IOS means you can send traffic destined for a single IP address to multiple servers. It does this by routing traffic to the appropriate server based on the destination port number. Traffic destined for port 25 is sent to your mail server, traffic destined for port 80 is sent to your Web server, etc. In this way, multiple servers can share a single public (external) IP address.
Because you can share a single public IP address, there's no need to pay your ISP for multiple addresses to host multiple Internet servers and services. However, this setup will also work if you do have a public IP subnet with multiple addresses. Typically in this scenario, there will be some sort of ISDN router or DSL bridge provided by the ISP. The incoming connection can be anything from ISDN to DSL to cable to T1. In our example we're using a Cisco 806 router for the outside firewall. This model has two Ethernet ports and a built-in hub, which makes it a good choice for DSL or cable connections. However, the configs given on this page should work with just about any Cisco router (although you may have to upgrade the IOS to one that has the "Firewall" feature set).
Note in the following diagram that the DMZ is itself a totally separate private network. Requests for external Internet services from clients on the internal LAN, and the subsequent responses, simply traverse the DMZ.
Outside Filter Router (806)
This router is primarily used to do two things. First, it does NAT (Network Address Translation) on outgoing traffic (changes the source IP address of the packets from an internal LAN address to the address of the external interface). Second, it appropriately routes incoming traffic to either the internal LAN or does PAT (Port Address Translation) to one of the DMZ servers based on the destination port number (port 80 to the Debian box and port 25 to the Solaris box). See the 806 config below. With some platforms you may have to upgrade to a Firewall feature set IOS on this router to get the NAT/PAT functionality. Even if not, you'll want that feature set on it to guard against the usual DoS and other types of pattern-based attacks.
Inside Filter Router (1720)
This router is primarily used to implement policies. It is used to restrict who can get to what on the Internet by restricting outbound traffic to several well-known port numbers. Only two types of inbound traffic are allowed. Because TCP is a connection-oriented protocol, when a system on the internal LAN requests one of the allowed services from an Internet server (including one of the DMZ servers), a connection is established between them. One of the types of traffic allowed in from the "outside" is response traffic received over this connection (as denoted by the established keyword in the 1720 config below). The other type allowed in is traffic from a known, external (ISP) DNS server. It is assumed this traffic represents responses to DNS queries from systems on the internal LAN. (The DMZ servers would also be configured to use these external DNS servers.) See the 1720 config below.
Cisco 806 routers are going for around $300 on eBay and 1720s for a couple hundred more. You don't need to have a 1720 to do this. Using two 806s will work just as well. It's just that the 1720 is a modular router with a couple WIC slots for a variety of interface needs (so it would likely be the better choice for the outside-filter router given the variety of broadband connections out there.)
Two things to note with this setup. Users on the local LAN would have their POP e-mail clients set to retrieve mail from the Solaris box (which is why port 110 is opened on the inside router). Also, they'll want to set their FTP client software to use "Passive" transfer mode.
NOTE: These configs are from a lab setup and are presented for educational purposes only. They should NOT be used on production routers because they do not implement the security features necessary for securing Internet-connected routers. See the information below on the book "Hardening Cisco Routers" if you plan to set up production Internet-connected routers.
Outside (806) Filter Router Config
(primarily does NAT and PAT)
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
enable secret 5 $1$QCbf$D7PDt6pAZek52ln8EFJt2/
!
hostname outside-filter
!
no ip dhcp-client network-discovery
no ip http server
no ip domain-lookup
ip subnet-zero
ip classless
!
! DMZ interface
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! ISP interface
interface Ethernet1
 ip address 126.96.36.199 255.255.255.240
 ip nat outside
!
! Default route to ISP's gateway
ip route 0.0.0.0 0.0.0.0 188.8.131.52
! Static route to inside filter router (internal LAN traffic)
ip route 172.17.0.0 255.255.0.0 10.10.10.2
!
! Allow traffic from internal LAN out
access-list 1 permit 172.17.0.0 0.0.255.255
!
ip nat inside source list 1 interface Ethernet1 overload
! Send incoming SMTP mail traffic (port 25) to the Solaris box
ip nat inside source static tcp 10.10.10.5 25 184.108.40.206 25 extendable
! Send incoming Web traffic (port 80) to the Debian box
ip nat inside source static tcp 10.10.10.3 80 220.127.116.11 80 extendable
!
line con 0
 exec-timeout 30 0
 stopbits 1
line vty 0 4
 no login
!
no scheduler allocate
end
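To make the two jobs of the outside router concrete, here is a small Python model of what "ip nat inside source list 1 ... overload" and the two static PAT entries do to packets. It is an added illustration for this page, not IOS code and not part of the original configs. It uses the addresses exactly as printed in the 806 config above and assumes the SMTP entry maps external port 25 to port 25 on the Solaris box, as the text describes; the sample packets use documentation-range addresses and are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

# Values taken from the 806 config on this page (addresses as printed there)
OUTSIDE_ADDR = "126.96.36.199"                               # Ethernet1, the shared public address
NAT_INSIDE_LIST = [ipaddress.ip_network("172.17.0.0/16")]   # access-list 1
# ip nat inside source static tcp <inside addr> <inside port> <global addr> <global port>
STATIC_PAT = {
    ("184.108.40.206", 25): ("10.10.10.5", 25),   # incoming SMTP -> Solaris box
    ("220.127.116.11", 80): ("10.10.10.3", 80),   # incoming HTTP -> Debian box
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Translator:
    """Minimal model of 'ip nat inside source' behaviour on the 806 (illustration only)."""

    def __init__(self, first_port=1024):
        self.table = {}     # (proto, inside addr, inside port) -> (proto, global addr, global port)
        self.reverse = {}   # the same mapping keyed the other way, used for replies
        self.next_port = first_port

    def outbound(self, pkt):
        """Packet from Ethernet0 (ip nat inside) heading out Ethernet1 (ip nat outside)."""
        # Static entries are bidirectional: a DMZ server's replies leave with the
        # global address and port of its static entry.
        for glob, local in STATIC_PAT.items():
            if pkt.proto == "tcp" and local == (pkt.src, pkt.sport):
                return replace(pkt, src=glob[0], sport=glob[1])
        # Dynamic overload applies only to sources permitted by access-list 1.
        if not any(ipaddress.ip_address(pkt.src) in net for net in NAT_INSIDE_LIST):
            return None  # not translated: the packet would leave with its private source
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            # 'overload': many inside hosts share one address, told apart by port
            glob = (pkt.proto, OUTSIDE_ADDR, self.next_port)
            self.next_port += 1
            self.table[key] = glob
            self.reverse[glob] = key
        glob = self.table[key]
        return replace(pkt, src=glob[1], sport=glob[2])

    def inbound(self, pkt):
        """Packet arriving on Ethernet1 from the ISP."""
        if pkt.proto == "tcp" and (pkt.dst, pkt.dport) in STATIC_PAT:   # static PAT first
            local = STATIC_PAT[(pkt.dst, pkt.dport)]
            return replace(pkt, dst=local[0], dport=local[1])
        key = (pkt.proto, pkt.dst, pkt.dport)
        if key in self.reverse:                                          # reply to an overload entry
            local = self.reverse[key]
            return replace(pkt, dst=local[1], dport=local[2])
        return None  # no entry: the router has no inside host to forward this to


def demo():
    """Walk constructed packets (documentation-range addresses) through the translator."""
    t = Translator()
    web_out = t.outbound(Packet("tcp", "172.17.0.25", 40000, "203.0.113.80", 80))
    web_back = t.inbound(Packet("tcp", "203.0.113.80", 80, web_out.src, web_out.sport))
    return {
        "lan_to_web": web_out,
        "web_reply": web_back,
        "smtp_in": t.inbound(Packet("tcp", "198.51.100.7", 51515, "184.108.40.206", 25)),
        "http_in": t.inbound(Packet("tcp", "198.51.100.7", 51516, "220.127.116.11", 80)),
        "ssh_in": t.inbound(Packet("tcp", "198.51.100.7", 51517, OUTSIDE_ADDR, 22)),
        "dmz_dns_out": t.outbound(Packet("udp", "10.10.10.3", 5353, "18.104.22.168", 53)),
        "smtp_reply_out": t.outbound(Packet("tcp", "10.10.10.5", 25, "198.51.100.7", 51515)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

Two results are worth checking against your own setup. An inbound packet for a port with no static entry (the "ssh_in" case) has no translation and nowhere to go, which is the whole point of only publishing the ports you mean to. And the Debian box's own DNS query ("dmz_dns_out") is left untranslated, because access-list 1 covers only 172.17.0.0/16; if the DMZ servers are to use the external DNS servers as described above, the 10.10.10.0/24 subnet needs to be covered by a NAT rule as well.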
Inside (1720) Filter Router Config
(primarily does traffic restrictions)
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no logging buffered
memory-size iomem 25
enable secret 5 $1$NeV1$I3MvlMKWG2HnKKxYq2KjJ1
!
hostname inside-filter
!
ip audit notify log
ip audit po max-events 100
no ip finger
no ip domain-lookup
no ip http server
ip subnet-zero
ip classless
!
! DMZ interface
interface FastEthernet0
 ip address 10.10.10.2 255.255.255.0
 ip access-group 101 in
!
! LAN interface
interface Ethernet0
 ip address 172.17.0.1 255.255.0.0
 ip access-group 111 in
!
! Default route to inside (DMZ) interface
! of outside filter router
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
! Allow INbound responses from Internet DNS server
access-list 101 permit udp host 18.104.22.168 172.17.0.0 0.0.255.255
! Allow INbound responses from connection-oriented (TCP) requests
access-list 101 permit tcp any 172.17.0.0 0.0.255.255 established
!
! Allow OUTbound requests to DNS, Web and SSL,
! Mail (both SMTP and POP), and FTP (both control and data)
access-list 111 permit udp 172.17.0.0 0.0.255.255 any eq 53
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 80
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 443
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 25
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 110
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 21
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 20
!
line con 0
 exec-timeout 30 0
 transport input none
line aux 0
line vty 0 4
 login
 password LETMEIN
!
no scheduler allocate
end
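The inside router's whole policy lives in access lists 101 and 111, so it is worth seeing exactly how IOS evaluates them. The following Python evaluator is an added example for this page (not IOS code and not from the original): it parses the two access lists verbatim from the 1720 config above, matches addresses the way IOS wildcard masks do, applies the "established" keyword as IOS does (it checks only the ACK or RST bit), and falls through to the implicit deny. The LAN client address and the Internet hosts in the sample packets are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The two access lists from the 1720 config on this page, copied verbatim
ACL_TEXT = """
access-list 101 permit udp host 18.104.22.168 172.17.0.0 0.0.255.255
access-list 101 permit tcp any 172.17.0.0 0.0.255.255 established
access-list 111 permit udp 172.17.0.0 0.0.255.255 any eq 53
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 80
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 443
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 25
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 110
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 21
access-list 111 permit tcp 172.17.0.0 0.0.255.255 any eq 20
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


@dataclass
class AddrSpec:
    addr: int
    wildcard: int  # IOS wildcard mask: a 1 bit means "don't care"

    def matches(self, ip):
        return ((_ip(ip) ^ self.addr) & ~self.wildcard & 0xFFFFFFFF) == 0


@dataclass
class Entry:
    action: str
    proto: str
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]
    established: bool


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # the only TCP flag bits 'established' looks at
    rst: bool = False


def _addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return it and the rest."""
    if tokens[0] == "any":
        return AddrSpec(0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return AddrSpec(_ip(tokens[1]), 0), tokens[2:]
    return AddrSpec(_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq N' port operator (the only operator used in these lists)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acls(text):
    """Return {acl number: [Entry, ...]} in the order the lines were entered."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        _, number, action, proto, *rest = tok
        src, rest = _addr(rest)
        sport, rest = _port(rest)     # a port after the source applies to the source port
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        acls.setdefault(number, []).append(
            Entry(action, proto, src, sport, dst, dport, rest == ["established"]))
    return acls


def evaluate(entries, pkt):
    """First matching entry decides; every IOS access list ends in an implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (e.src.matches(pkt.src) and e.dst.matches(pkt.dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not (pkt.ack or pkt.rst):   # flag check only, no session state
            continue
        return e.action
    return "deny"


def demo():
    """Evaluate constructed packets against the list applied 'in' on each interface."""
    acls = parse_acls(ACL_TEXT)
    dmz_in, lan_in = acls["101"], acls["111"]
    lan = "172.17.0.25"   # constructed LAN client
    return {
        "dns_reply": evaluate(dmz_in, Packet("udp", "18.104.22.168", 53, lan, 33000)),
        "other_dns_reply": evaluate(dmz_in, Packet("udp", "198.51.100.53", 53, lan, 33000)),
        "inbound_syn": evaluate(dmz_in, Packet("tcp", "198.51.100.7", 51515, lan, 445)),
        "web_reply": evaluate(dmz_in, Packet("tcp", "198.51.100.80", 80, lan, 40000, ack=True)),
        "pop_to_solaris": evaluate(lan_in, Packet("tcp", lan, 40001, "10.10.10.5", 110)),
        "https_out": evaluate(lan_in, Packet("tcp", lan, 40002, "198.51.100.80", 443)),
        "ssh_out": evaluate(lan_in, Packet("tcp", lan, 40003, "198.51.100.22", 22)),
    }
```

The "other_dns_reply" case shows why every LAN client must be pointed at exactly the ISP resolver named in list 101: a reply from any other DNS server hits the implicit deny. The "established" cases show the keyword's limit as well as its value: it admits any segment carrying ACK or RST and blocks bare SYNs, but it keeps no record of which connections the LAN actually opened. The stateful inspection in the Firewall feature set mentioned earlier tracks real sessions, which is one reason the page recommends that feature set for Internet-facing routers.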
If you're going to have any Cisco router interface connected to the Internet or any other type of "untrusted" network (trading partner extranet, etc.) I strongly suggest you get this book:
Any kind of Internet connection is risky. If you connect Cisco routers to the Internet you'll want Hardening Cisco Routers. It's an administrator's book. Threats and the IOS commands needed to mitigate them are given. Each chapter has a checklist you can use to check your routers to make sure they comply with all of the points mentioned. Just the information on setting up your routers for secure remote access alone is worth the price of the book. It also shows you how to limit your router's SNMP exposure which, if you've looked at Cisco's "IOS Upgrade Planner" Web page lately, you know presents a big security threat to IOS devices. At $18 it's got to be the biggest bargain in the Cisco world. Another fine book in the O'Reilly tradition of real world info for real world situations. (After you get the book be sure to check O'Reilly's Web site - www.oreilly.com - for the errata. There are a couple of minor things and some reader comments that are important, more so with a book of this nature which focuses on securing routers.)