Scenario:
You are part of the security team for the Rotterdam Harbor located in The Netherlands. One of your firewalls has crashed and due to decreased IT budgets you don’t have any spare firewalls around. You do have a spare router that you could use so you decide to turn it into a transparent firewall. Hopefully everything will be OK and your boss doesn’t send you to null0…
Goal:
- All IP addresses have been configured for you.
- Configure router Haven as a transparent firewall. You will need the bridge function to achieve this.
- Use network 192.168.13.0/24 so router Harbor and Terminal are in the same subnet.
- Ensure router Harbor can reach router Terminal by using TELNET or HTTP; all other traffic should be dropped.
- Ensure router Harbor and Terminal are unable to communicate using IPv6.
IOS:
c3725-adventerprisek9-mz.124-15.T7.bin
Written by René Molenaar - CCIE #41726
Great Lab!!! Always impressed 🙂
One problem with your final config.
ARP "0x0806" isn’t permitted in the protocol-type access-list,
so the ipv4 telnet/http wouldn’t work after the arp-cache times out.
Thanks!!
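One way to meet the goals above on router Haven while also permitting ARP, as the comment above points out is needed. This is an added example, not the lab's published solution or any commenter's configuration; it assumes FastEthernet0/0 faces Harbor and FastEthernet0/1 faces Terminal, and the ACL numbers are chosen here.

```cisco
! Added example for router Haven (transparent firewall).
! Assumption: Fa0/0 faces Harbor, Fa0/1 faces Terminal.
bridge irb
bridge 1 protocol ieee
!
! Layer 3 filter for frames arriving from Harbor: Telnet and HTTP only.
access-list 100 permit tcp 192.168.13.0 0.0.0.255 192.168.13.0 0.0.0.255 eq telnet
access-list 100 permit tcp 192.168.13.0 0.0.0.255 192.168.13.0 0.0.0.255 eq www
access-list 100 deny ip any any
!
! Return path from Terminal: only replies belonging to those TCP sessions.
access-list 101 permit tcp 192.168.13.0 0.0.0.255 eq telnet 192.168.13.0 0.0.0.255 established
access-list 101 permit tcp 192.168.13.0 0.0.0.255 eq www 192.168.13.0 0.0.0.255 established
access-list 101 deny ip any any
!
! Protocol type-code list (200-299) matched on EtherType.
! 0x0800 = IPv4, 0x0806 = ARP, 0x86DD = IPv6.
! Without the ARP entry, Harbor and Terminal can no longer resolve each
! other's MAC address once their ARP cache entries expire.
access-list 200 permit 0x0800 0x0000
access-list 200 permit 0x0806 0x0000
access-list 200 deny 0x86DD 0x0000
!
interface FastEthernet0/0
 no ip address
 ip access-group 100 in
 bridge-group 1
 bridge-group 1 input-type-list 200
!
interface FastEthernet0/1
 no ip address
 ip access-group 101 in
 bridge-group 1
 bridge-group 1 input-type-list 200
!
! Verify with: show bridge, show access-lists
```

The type-code list ends with an implicit deny, so the IPv6 entry is there for readability and for a visible hit counter in `show access-lists`.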
Hi,
In the YouTube sessions that I’ve come across it's very hard to view what you are typing because of the resolution, and not to mention you need to slow down a bit 😉
regards,
sky
I did it on a different router than Haven, though it has worked as per the goal:
Terminal:
interface FastEthernet0/0
ip address 192.168.13.3 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any any eq www
access-list 100 deny ip any any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
==========================================
Haven
bridge irb
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
bridge-group 1
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
bridge-group 1
!
interface BVI1
ip address 192.168.13.2 255.255.255.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
Is this correct?
Good lab, thank you!
Awesome Lab Bro ….