I want to enable and view Top Websites in order to block users from accessing certain domains on the Netvanta 7100. I have read the Adtran Configuration Guide for URL Filtering/Top Websites Reporting and the first step is to enable the firewall.
"The following example enables the firewall:
#configure terminal
(config)#ip firewall"
My concern is that this device is operating as a router and PBX; while the documentation makes it seem very straightforward, I'm guessing there is more to it and it must be configured a certain way in order for it to continue operating without issue after the firewall is enabled. The last time I attempted to enable the firewall on the device remotely I lost connectivity and had to drive to the location and reboot for the changes to be undone. Is there a more complete guide, or should running the commands above enable the firewall without disrupting existing traffic?
juad,
I would recommend setting up all your IP Policies prior to enabling the firewall, so that all the allows are in place before the denies kick in. Here are some basic rules that should ensure that, at a minimum, management is not lost; modify the IP information to match your needs. I would also recommend doing this on site, plugged into the console port, just in case.
!
ip access-list standard NAT
remark Internet Connection Sharing
permit any
!
!
ip access-list standard Remote
! Your Remote Management IP
permit 1.2.3.4 0.0.0.255
!
!
ip access-list extended Admin
remark Admin Access
permit tcp any any eq https log
!
ip access-list extended InterVLAN
remark Voice / Data VLAN Traffic
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.0.0 0.0.255.255 10.10.20.0 0.0.0.255
!
ip policy-class Private
allow list self self
allow list InterVLAN stateless
nat source list NAT interface eth 0/0 overload
!
ip policy-class Public
allow list Admin self
allow list Remote
!
interface eth 0/0
ip address 1.2.3.4 255.255.255.252
ip access-policy Public
media-gateway ip primary
no shutdown
!
interface vlan 1
ip address 2.3.4.5 255.255.255.0
ip access-policy Private
no shutdown
!
interface vlan 2
ip address 3.4.5.6 255.255.255.0
ip access-policy Private
media-gateway ip primary
no shutdown
!
ip firewall
!
ip flow top-talkers
Message was edited by: matt - adjusted ACL name
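As an added example (not from this thread or from Adtran), here is a small Python pre-flight check that reads a config snippet in the style of the one posted above and reports the things that would bite once ip firewall is enabled: an interface bound to a policy-class that is never defined, a policy entry that references an undefined access-list, ip firewall placed before the policy-classes it relies on, and no bound policy-class that allows traffic to the unit itself. The sample config is constructed; the list name self is assumed to be a built-in and is not checked against the defined access-lists.

```python
import re
# Constructed sample in the style of the skeleton posted above, with one deliberate defect:
# interface vlan 2 is bound to a policy-class that is never defined.
SAMPLE_CONFIG = """\
ip access-list standard NAT
 permit any
ip access-list extended Admin
 permit tcp any any eq https log
ip policy-class Private
 allow list self self
 nat source list NAT interface eth 0/0 overload
ip policy-class Public
 allow list Admin self
interface eth 0/0
 ip access-policy Public
interface vlan 2
 ip access-policy Voice
ip firewall
"""
def check_firewall_config(text):
    """Return the problems to fix before 'ip firewall' is turned on (empty list = clean)."""
    acls, classes, bindings, problems = set(), {}, {}, []
    mode, firewall_at, last_class_at = None, None, -1
    for n, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)$", line):
            acls.add(m.group(1)); mode = None
        elif m := re.match(r"ip policy-class (\S+)$", line):
            mode = ("class", m.group(1)); classes[m.group(1)] = []; last_class_at = n
        elif m := re.match(r"interface (\S+ \S+)$", line):
            mode = ("iface", m.group(1))
        elif line == "ip firewall":
            firewall_at, mode = n, None
        elif mode and mode[0] == "class" and (m := re.match(r"(?:allow|discard|nat source) list (\S+)(.*)$", line)):
            classes[mode[1]].append((m.group(1), "self" in m.group(2).split()))  # (acl, to-self?)
        elif mode and mode[0] == "iface" and (m := re.match(r"ip access-policy (\S+)$", line)):
            bindings[mode[1]] = m.group(1)
    for iface, cls in bindings.items():
        if cls not in classes:
            problems.append(f"{iface}: policy-class {cls} is not defined")
    for cls, entries in classes.items():
        for acl, _ in entries:
            if acl != "self" and acl not in acls:  # list name 'self' assumed built-in (see lead-in)
                problems.append(f"policy-class {cls}: access-list {acl} is not defined")
    if firewall_at is None or firewall_at < last_class_at:
        problems.append("ip firewall is missing or precedes the policy-classes it relies on")
    if not any(to_self for cls in bindings.values() for _, to_self in classes.get(cls, [])):
        problems.append("no bound policy-class allows traffic to self: management access would be lost")
    return problems
```

Run it against a `show running-config` capture before typing ip firewall; an empty list means none of the four checks tripped, not that the policy is correct for your site.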
Another safeguard is to use the reload in command to schedule a reboot after a set number of minutes. If you accidentally make configuration changes that end up preventing remote access, the unit will reboot to its previously saved configuration. Use this command right before you attempt the changes. If you then apply the changes and everything works, you can cancel the scheduled reboot with the reload cancel command. An example is shown below. Just make sure to give yourself enough time to apply the changes, test, and cancel.
7100#reload in 5
Save System Configuration?[y/n]y
Reload scheduled in 5 minutes
You are about to reboot the system. Continue?[y/n]y
2014.07.07 12:24:08 OPERATING_SYSTEM System reboot scheduled in 5 minutes!
7100#
7100#reload cancel
2014.07.07 12:24:18 OPERATING_SYSTEM Scheduled system reboot cancelled.
7100#
Thanks,
Matt
Matt,
Shouldn't Save System Configuration be No instead of Yes? If you set it to Yes, won't it save the changes you just made before it reboots, leaving those settings active instead of going back? Or does it save the configuration at the time it is run?
John
John,
It saves the configuration at the time this command is executed. You should do this with a known working configuration before making changes.
Thanks,
Matt
Matt,
Thanks for clearing that up.
John
My pleasure. Thanks for the follow-up question. I'm sure that will help someone else later too.