[c-nsp] Using Cisco 3825 as Firewall Replacement

Darin Herteen synack at live.com
Wed Apr 15 10:24:01 EDT 2009


I have a customer whose firewall recently bricked and is unusable. This
device had previously served as a VPN to their LAN from the outside
world, restricted access between internal VLANs, and provided NAT for
internal addresses to reach the internet. They happened to have a Cisco
3825 lying around and I've been attempting to get this router
configured to duplicate the functionality of the now deceased firewall.

The customer is requesting the following setup:

VLAN 2 must not have internet access or access to VLAN 41
VLAN 42 must have internet access but no access to VLAN 41
VLAN 41 must have internet access and allowed access to VLANs 2 and 42


My intent has been to use Reflexive Access Control List(s) to allow
traffic originating from VLAN 41 into VLANs 2 & 42 and back. Numerous
configuration attempts seem to break the NAT for VLANs 41 & 42, but
according to the customer, internal segmentation of the VLANs appeared
to work as requested; I have since removed the RACL to restore connectivity.

The 3825 is currently configured as follows:

interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.15.254 255.255.240.0
 no cdp enable

interface GigabitEthernet0/0.41
 encapsulation dot1Q 41
 ip address 192.168.31.254 255.255.240.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable

interface GigabitEthernet0/0.42
 encapsulation dot1Q 42
 ip address 192.168.47.254 255.255.240.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable

interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address x.x.x.137 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 crypto map SDM_CMAP_1

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1.30 overload

route-map SDM_RMAP_1 permit 1
 match ip address 100

access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip 192.168.32.0 0.0.15.255 10.0.0.0 0.0.0.15
access-list 100 deny   ip 192.168.16.0 0.0.15.255 10.0.0.0 0.0.0.15
access-list 100 deny   ip 192.168.0.0 0.0.15.255 10.0.0.0 0.0.0.15
access-list 100 deny   ip any 10.0.0.0 0.0.0.15
access-list 100 permit ip 192.168.16.0 0.0.15.255 any
access-list 100 permit ip 192.168.0.0 0.0.15.255 any

The 3825 is running the following IOS:

(C3825-ADVIPSERVICESK9-M), Version 12.4(23)


Does anybody have any recommendations or advice to offer regarding this setup and whether or not it can be accomplished?

Thanks in advance,

Darin Herteen
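As an added check that is not part of Darin's post, the following Python script evaluates access-list 100 from the configuration above, with IOS first-match and wildcard-mask semantics, against a host in each of the three VLAN subnets (taken from the subinterface addresses and /20 masks) to show which VLANs the NAT route-map actually matches. The internet destination address is a constructed sample value, and the script assumes the route-map permits exactly what the ACL permits.

```python
# Evaluate the numbered extended ACL used by the NAT route-map (first match
# wins, implicit deny at the end) against a host in each VLAN subnet.
import ipaddress

# Entries transcribed from access-list 100 in the post:
# (action, src_net, src_wildcard, dst_net, dst_wildcard); "any" is 0.0.0.0/255.255.255.255
ACL_100 = [
    ("deny",   "192.168.32.0", "0.0.15.255",      "10.0.0.0", "0.0.0.15"),
    ("deny",   "192.168.16.0", "0.0.15.255",      "10.0.0.0", "0.0.0.15"),
    ("deny",   "192.168.0.0",  "0.0.15.255",      "10.0.0.0", "0.0.0.15"),
    ("deny",   "0.0.0.0",      "255.255.255.255", "10.0.0.0", "0.0.0.15"),
    ("permit", "192.168.16.0", "0.0.15.255",      "0.0.0.0",  "255.255.255.255"),
    ("permit", "192.168.0.0",  "0.0.15.255",      "0.0.0.0",  "255.255.255.255"),
]

# VLAN subnets derived from the subinterface addresses and /20 masks in the post
VLANS = {2: "192.168.0.0/20", 41: "192.168.16.0/20", 42: "192.168.32.0/20"}

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_action(acl, src: str, dst: str) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny (implicit)"

def nat_eligibility(acl=ACL_100, vlans=VLANS, internet_dst="198.51.100.10"):
    """For each VLAN, take its first usable host and ask whether the route-map
    ACL would permit (i.e. translate) a packet from it to an internet address.
    internet_dst is a constructed sample destination (documentation range)."""
    verdicts = {}
    for vlan, cidr in vlans.items():
        host = str(next(ipaddress.ip_network(cidr).hosts()))
        verdicts[vlan] = acl_action(acl, host, internet_dst)
    return verdicts

if __name__ == "__main__":
    for vlan, verdict in nat_eligibility().items():
        print(f"VLAN {vlan}: {verdict}")
```

Running it shows that the permit lines cover the VLAN 2 and VLAN 41 ranges while the VLAN 42 range falls through to the implicit deny, so the ACL alone would not translate VLAN 42 even though its subinterface carries `ip nat inside`.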



