Stumbled across this article:
http://www.zdnet.com.au/news/security/soa/Build_a_poor_man_s_firewall_with_the_Cisco_IOS/0,130061744,120263906,00.htm

and now I might be on my way again

"proper firewalls"...
Stupidly I thought upgrading from a SMC router to a Cisco Router was moving to a "proper firewall". Turns out that I was wrong and the name of the device gives it away router !

Anyway, Im sure I should be able to get at least as much security out of the 2611 as my consumer SMC Barricade; its just more difficult to configure

I have now got traffic flowing in both directions, with some very simple ACLs limiting the traffic. The only thing that does not feel right about this config is that I am relying on NAT to stop most of the unsolicited traffic from getting on my LAN. I had thought that I would be able to deny everything, except where the traffic was a direct response to a NATed connection.

There in lies the question. What is wrong with this config and what should I be doing to stop unsolicited traffic whilst allowing NAT responses ?





Ive put a little request in with Mark to see if there is an IOS version newer than 12.2(28a) for this 2611 w/ CBAC and NBAR. If theres not I will have to try working around my previous issues with 12.2(28a).

In all honesty I am quickly reaching the point of "PCWorld are doing uPNP enabled cable routers for £40"...

youre too kind

Ill knock out a setup diagram and send you my existing (and sort of working) config so that you can have a giggle

Quick note boys, if youre going to upgrade to FW services make sure you chat about it in PM as its illegal to do so without purchasing the necessary license and therefore against forums rules. Ive also seen CCO accounts revoked for doing precisely this.

But for the record, yes if you get it onto a FW services version it should act like a cut down PIX.

You can only get updates if you have a valid support contract, these you can buy from any vendor.

Ok, next question
Here is my Live config !! Ive dropped back to version 12.2 for the time being...

I am having a problem that I cannot resolve...

The router hooks up to NTL fine and allows everything to access the web as required but after n minutes (variable time) the connection drops out

Is there anything obvious in my config causing the problem ? Like the bootps/bootpc ACL entry I had to make in order to get an NTL IP ?

Any pointers would be great