Building a Cisco Firewall Using Routers

or, the poor man's PIX

Network Diagram

The diagram itself is not reproduced here. As the two configurations describe it: BorderRouter faces the ISP on FastEthernet0 (address by DHCP, upstream gateway 192.168.8.1, NAT outside) and connects over a 128 kbit/s serial link (10.0.0.0/30) to FilterRouter, whose FastEthernet0 is an 802.1Q trunk carrying VLANs 1 to 6 (VLAN 1 10.0.1.0/25, VLAN 2 behind gateway 10.1.2.1, VLAN 3 10.1.5.0/24, VLAN 4 10.1.4.0/24, VLAN 5 10.0.1.192/29, VLAN 6 without an address). Each VLAN subinterface carries its own inbound access-list; the border router does NAT and nothing else.

The Border Router configuration comes first, then the Filtering Router.

Commands for Border Router

hostname BorderRouter
ip subnet-zero
ip name-server 192.168.8.1
interface Loopback0
ip address 10.0.0.254 255.255.255.255
interface FastEthernet0
! Outside (ISP-facing) interface. Nothing is filtered here; all policy lives on
! FilterRouter, so this box only hides the 10.0.0.0/8 addresses behind NAT.
ip address dhcp
ip nat outside
speed auto
no cdp enable
interface Serial0
bandwidth 128
ip address 10.0.0.1 255.255.255.252
ip nat inside
clockrate 128000
interface Serial1
no ip address
shutdown
router ospf 1
log-adjacency-changes
! "redistribute static" does not originate a default route into OSPF, so
! FilterRouter relies on its own static default below. Use
! "default-information originate" if the default should be learned dynamically.
redistribute static subnets
network 10.0.0.0 0.0.0.3 area 0
! The listing originally read "network 12.2.2.2 0.0.0.0 area 0", an address no
! interface on this router carries; the intent is the Loopback0 address.
network 10.0.0.254 0.0.0.0 area 0
ip nat inside source list 1 interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.8.1
no ip http server
access-list 1 permit 10.0.0.0 0.255.255.255
! "secure" is an SNMP v1/v2c community string: sent in clear text and honoured
! from any source unless the line is restricted with an access-list. Treat it as a
! password, and do not leave it reachable from the outside interface.
snmp-server community secure RO
line con 0
line aux 0
line vty 0 4
! "login" with no password set refuses every connection ("Password required, but
! none set"). Set a password, or better "login local" with "transport input ssh".
login
end

Commands for Filtering Router

hostname FilterRouter
ip subnet-zero
interface FastEthernet0
no ip address
speed auto
interface FastEthernet0.1
encapsulation dot1Q 1 native
ip address 10.0.1.1 255.255.255.128
ip access-group 101 in
interface FastEthernet0.2
encapsulation dot1Q 2
! The listing originally gave this subinterface 255.255.252.0 (10.1.0.0/22), while
! every ACL line for this VLAN uses 10.1.2.0 0.0.1.255 (10.1.2.0/23). With the /22,
! hosts in 10.1.0.0-10.1.1.255 are neither restricted as sources by 102 nor
! protected as destinations by 103 and fall through to "permit ip any any".
! The mask is corrected to the /23 the access-lists already assume.
ip address 10.1.2.1 255.255.254.0
ip access-group 102 in
interface FastEthernet0.3
encapsulation dot1Q 3
ip address 10.1.5.1 255.255.255.0
ip access-group 103 in
interface FastEthernet0.4
encapsulation dot1Q 4
ip address 10.1.4.1 255.255.255.0
ip access-group 104 in
interface FastEthernet0.5
encapsulation dot1Q 5
ip address 10.0.1.193 255.255.255.248
ip access-group 105 in
interface FastEthernet0.6
encapsulation dot1Q 6
! No IP address, so nothing is routed off VLAN 6 whether or not 106 is applied;
! the access-list only documents the intent that this VLAN is isolated.
ip access-group 106 in
interface Serial0
bandwidth 128
ip address 10.0.0.2 255.255.255.252
! Access-lists 110 and 120 are defined below but the listing never applied them
! to an interface, so they filtered nothing. The placement here is an assumption
! from their contents: 110 filters what leaves for the border router (outbound),
! 120 what comes back from it (inbound).
ip access-group 120 in
ip access-group 110 out
no fair-queue
interface Serial1
no ip address
shutdown
router ospf 1
log-adjacency-changes
network 10.0.0.0 0.0.0.3 area 0
network 10.0.1.0 0.0.0.127 area 0
network 10.0.1.192 0.0.0.7 area 0
network 10.1.0.0 0.0.255.255 area 0
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
access-list 101 permit ip 10.0.1.0 0.0.0.127 10.0.0.0 0.0.255.255
access-list 101 deny ip any any
! As written, this line only matches packets arriving on VLAN 2 with a source in
! 10.0.1.192/29, i.e. spoofed management addresses; a genuine VLAN 2 host never
! matches it. The intent appears to be the reverse (VLAN 2 answering TCP sessions
! opened from the management VLAN, before the deny to 10.0.1.196 below), which
! would read "permit tcp 10.1.2.0 0.0.1.255 10.0.1.192 0.0.0.7 established".
access-list 102 permit tcp 10.0.1.192 0.0.0.7 any established
access-list 102 deny ip any host 10.0.1.196
access-list 102 deny ip 10.1.2.0 0.0.1.255 10.1.4.0 0.0.0.255
access-list 102 deny ip 10.1.2.0 0.0.1.255 10.0.1.0 0.0.0.127
access-list 102 deny ip 10.1.2.0 0.0.1.255 10.1.5.0 0.0.0.255
access-list 102 permit ip any any
! Unreachable: the permit above matches everything first (likewise in 103 and 104).
access-list 102 deny ip any any
access-list 103 deny ip 10.1.5.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 103 deny ip 10.1.5.0 0.0.0.255 10.0.1.0 0.0.0.127
access-list 103 deny ip 10.1.5.0 0.0.0.255 10.1.2.0 0.0.1.255
access-list 103 permit ip any any
access-list 103 deny ip any any
access-list 104 deny ip 10.1.4.0 0.0.0.255 10.1.5.0 0.0.0.255
access-list 104 deny ip 10.1.4.0 0.0.0.255 10.0.1.0 0.0.0.127
access-list 104 permit ip any any
access-list 104 deny ip any any
access-list 105 permit ip 10.0.1.192 0.0.0.7 any
access-list 105 deny ip any any
access-list 106 deny ip any any
! 110: what the inside may send toward the border router (web, DNS, FTP, HTTPS),
! plus OSPF and anything between the two 10.0.x.x router/management subnets.
! FTP does not actually work through 110/120 as written: passive mode needs
! outbound high ports that 110 lacks, active mode needs the server's inbound
! port-20 SYN that 120 drops. That is exactly what a stateful inspector (the
! real PIX, or CBAC "ip inspect" on the router) handles and a packet filter cannot.
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq ftp-data
access-list 110 permit tcp any any eq 443
access-list 110 permit ospf any any
access-list 110 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 110 deny ip any any
! 120: return traffic from the border side. Only TCP replies are recognised
! ("established" tests the ACK/RST bit), so UDP answers, DNS over UDP included,
! would be dropped once 120 is applied; the "permit udp any eq domain any" line
! is added for that. It is the classic stateless compromise: any packet with
! source port 53 passes. The "eq domain" TCP line also admits unsolicited TCP/53
! to any inside host, not only replies. ICMP (unreachables, path MTU) is blocked.
access-list 120 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 120 permit tcp any any eq domain
access-list 120 permit udp any eq domain any
access-list 120 permit tcp any any established
access-list 120 permit ospf any any
access-list 120 deny ip any any
! Same caveat as on the border router: the community string is a clear-text password.
snmp-server community secure RO
line con 0
! exec-timeout 0 0 disables the console idle timeout; convenient on the bench,
! not for a box that sits in a rack.
exec-timeout 0 0
line aux 0
line vty 0 4
login
no scheduler allocate
end
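The access-lists above are the whole firewall, and a router evaluates each one top to bottom, first match wins, with an implicit deny at the end. What follows is an added example, not part of the original page: a small Python parser and evaluator for the numbered `access-list` syntax used here, run over lines copied from the two configurations. `parse`, `evaluate` and `unguarded_sources` are helpers written for this example; the last one reports which part of an interface subnet no deny line names as a source, which is how the mismatch between the /22 mask the listing originally gave FastEthernet0.2 and the 0.0.1.255 wildcard in ACL 102 shows up. The sample flows (outside addresses such as 198.51.100.7) are constructed.

```python
"""Offline evaluator for the numbered IOS access-lists on this page (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input, copied from the configs above: ACL 1 is the border router's
# NAT scope, ACL 102 the inbound filter on FilterRouter FastEthernet0.2 (listed
# with address 10.1.2.1 255.255.252.0), ACL 120 the inbound serial-link filter.
CONFIG_EXCERPT = """
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 102 permit tcp 10.0.1.192 0.0.0.7 any established
access-list 102 deny ip any host 10.0.1.196
access-list 102 deny ip 10.1.2.0 0.0.1.255 10.1.4.0 0.0.0.255
access-list 102 deny ip 10.1.2.0 0.0.1.255 10.0.1.0 0.0.0.127
access-list 102 deny ip 10.1.2.0 0.0.1.255 10.1.5.0 0.0.0.255
access-list 102 permit ip any any
access-list 120 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 120 permit tcp any any eq domain
access-list 120 permit tcp any any established
access-list 120 permit ospf any any
access-list 120 deny ip any any
"""
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "ftp-data": 20}  # IOS port keywords
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]         # None when there is no "eq" qualifier
    dport: Optional[int]
    established: bool            # matches only TCP segments with ACK or RST set
    text: str                    # the original line, for reporting


def _addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume 'any' | 'host A' | 'A WILDCARD'; a wildcard is an inverted (contiguous) netmask."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens.pop(0))))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def _port(tokens: list) -> Optional[int]:
    """Consume an optional 'eq PORT' qualifier (IOS keyword or number)."""
    if tokens[:1] != ["eq"]:
        return None
    name = tokens[1]
    del tokens[:2]
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)


def parse(text: str) -> dict:
    """Return {acl_number: [Entry, ...]} in listing order, which is the policy order."""
    acls: dict = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:1] != ["access-list"]:
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number < 100:                     # standard ACL: source address only
            proto, src, sport, dst, dport = "ip", _addr(rest), None, ANY, None
        else:                                # extended ACL
            proto = rest.pop(0)
            src, sport = _addr(rest), _port(rest)
            dst, dport = _addr(rest), _port(rest)
        acls.setdefault(number, []).append(
            Entry(action, proto, src, dst, sport, dport, "established" in rest, raw.strip()))
    return acls


def evaluate(entries: list, src: str, dst: str, proto: str = "ip",
             sport: Optional[int] = None, dport: Optional[int] = None, ack: bool = False) -> tuple:
    """First-match evaluation of one packet; returns (action, the line that decided it)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if (e.proto in ("ip", proto) and s in e.src and d in e.dst
                and e.sport in (None, sport) and e.dport in (None, dport)
                and (not e.established or (proto == "tcp" and ack))):
            return e.action, e.text
    return "deny", "implicit deny"           # every IOS access-list ends this way


def unguarded_sources(interface: str, entries: list) -> list:
    """Parts of an interface subnet no deny line names as a source; inbound, those fall through to the final permit."""
    remaining = [ipaddress.ip_network(interface, strict=False)]
    for e in (e for e in entries if e.action == "deny" and e.src != ANY):
        remaining = [part for net in remaining
                     for part in (net.address_exclude(e.src) if e.src.subnet_of(net)
                                  else [] if net.subnet_of(e.src) else [net])]
    return sorted(remaining)


ACLS = parse(CONFIG_EXCERPT)
```

Run against the lines above, `evaluate(ACLS[102], "10.1.2.5", "10.1.4.10")` is denied by the VLAN 2 to VLAN 4 line, while `evaluate(ACLS[102], "10.1.0.5", "10.1.4.10")` lands on `permit ip any any`, and `unguarded_sources("10.1.2.1/22", ACLS[102])` names the reason: 10.1.0.0/23 is inside the /22 but outside every deny line (with a /23 mask the list is empty). The established line in 102 only permits an ACK-flagged segment when the source is in 10.0.1.192/29, so a real VLAN 2 host sending one to 10.0.1.196 is denied, and a spoofed 10.0.1.193 is not. On 120, an ACK-flagged reply from 198.51.100.7 passes, a SYN to port 80 is denied, and a SYN to port 53 passes. The evaluator checks addresses, protocol, `eq` ports and the `established` bit only; it does not model the router's own traffic (OSPF hellos are not subject to an outbound ACL) or non-contiguous wildcards, which `ipaddress` rejects.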
