
Cisco 2620 config - lines for DNS and HTTP

Posted on 2004-11-18
Last Modified: 2008-01-09
We're getting a new full T1 next week and I'm getting ready to change the config.  Is there anything that needs to be changed when going from a burstable t1 to a full?  

Also, is it necessary to have the DNS servers in the config?  I noticed that our Win2k servers have their forwarders configured to use different DNS IPs than the ones in the router config.

ip name-server 198.6.1.121  <--
ip name-server 198.6.1.196  <--- are these even necessary?

Last, what's the point of this?
ip http server
ip http port 8000

I already have nat translations set up for the web server.  Do I still need the http lines above?

Thanks in advance!


0
Question by:zenportafino
10 Comments
 
LVL 36

Assisted Solution

by:grblades
grblades earned 400 total points
ID: 12622978
Hi zenportafino,
Not sure about the T1 question.

The name server lines in the configuration are just for the benefit of the router. With them present it means when you are logged into it you can telnet onto another device by specifying its name instead of remembering the IP address. It is not necessary.

The 'ip http' lines are for the built-in web server used for configuration. If you don't use it I recommend that you disable it using 'no ip http server'.
0
 
LVL 3

Assisted Solution

by:fatlad
fatlad earned 200 total points
ID: 12623633
I would remove these, certainly if there are no access control lists preventing the web GUI being accessed from inappropriate addresses. The webserver is one of the most common ways of exploiting a Cisco box.
0
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 400 total points
ID: 12624826
>Last, what's the point of this?
>ip http server
>ip http port 8000
This enabled the router's own internal web server to run, and you can access the router's web interface by using the non-standard port of 8000
    http://<ipaddress>:8000

>Is there anything that needs to be changed when going from a burstable t1 to a full?  
Probably. Are you changing providers? Are you getting new IP addresses? You might have to change the channel assignments on the CSU/DSU. Need more details from you.
0

 
LVL 3

Assisted Solution

by:CBozeman
CBozeman earned 400 total points
ID: 12626588
About the burstable t1 to full t1 question...

I've only seen burstable t1's as full t1's with a special billing arrangement.  In this case there would be no difference between a burstable and full.

I agree with the comments above, get rid of the http service on the router.

CBozeman
0
 
LVL 1

Author Comment

by:zenportafino
ID: 12629280
Thanks guys.  Yes this is a whole new ISP with new IP's and DNS servers.  Last issue...  I successfully configured a 2500 to hold a pool of addresses on the serial int - thanks in great part to lrmoore - I noticed that our 2620 doesn't have a pool specified in the config that I can see.  We're being assigned a block from 62.62.62.129/25 to 62.62.62.254/25.

Is it necessary to specify a pool on the 2620 or is the set up to use all of those public IP's any different? (I just want to make sure that when I nat an outside to inside address that the outside address is in fact available to the public)

Thanks!
0
 
LVL 11

Assisted Solution

by:PennGwyn
PennGwyn earned 200 total points
ID: 12631458
Specifying DNS servers on the router lets you use hostnames when talking to the router.  It's a convenience; there's no requirement that the router use the same DNS servers as anything else in the network, although this is normally a reasonable idea.

The http server is an alternate management interface to the router.  Routers don't make great web servers, and every so often a serious bug will be found in Cisco's web server code.  Turn it off!

0
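Added example, not part of any post in this thread: a Python check that reads a saved IOS configuration and reports whether the built-in web server discussed above is enabled, on which port, and whether an `ip http access-class` ACL limits who can reach it. The sample config is constructed around the lines quoted in the question; treating a config with no `ip http server` line as "disabled" is an assumption, since defaults differ between IOS images.

```python
import re

# Constructed sample config: the "ip http" and "ip name-server" lines are the
# ones quoted in the question; the hostname and vty lines are hypothetical.
SAMPLE_CONFIG = """\
hostname R2620
ip name-server 198.6.1.121
ip name-server 198.6.1.196
ip http server
ip http port 8000
!
line vty 0 4
 login
"""

ACL_RE = re.compile(r"ip http access-class (?:ipv4 )?(\S+)")
PORT_RE = re.compile(r"ip http port (\d+)")


def http_state(config):
    """Parse the global 'ip http' lines; the last occurrence of each wins."""
    # Assumption: a config with no 'ip http server' line has the server off.
    state = {"http": False, "https": False, "port": 80, "acl": None}
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("ip http server", "no ip http server"):
            state["http"] = not line.startswith("no ")
        elif line in ("ip http secure-server", "no ip http secure-server"):
            state["https"] = not line.startswith("no ")
        elif m := PORT_RE.fullmatch(line):
            state["port"] = int(m.group(1))
        elif m := ACL_RE.fullmatch(line):
            state["acl"] = m.group(1)
    return state


def audit(config):
    """Return (findings, remediation lines) for the built-in web server."""
    s = http_state(config)
    scope = f"limited by ACL {s['acl']}" if s["acl"] else "no access-class"
    findings, fix = [], []
    if s["http"]:
        findings.append(f"HTTP management server on tcp/{s['port']}, {scope}")
        fix.append("no ip http server")
    if s["https"]:
        findings.append(f"HTTPS management server enabled, {scope}")
        fix.append("no ip http secure-server")
    return findings, fix
```

Moving the server to port 8000 does not change the finding; only `no ip http server` (or an access-class, if the web interface is really needed) does.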
 
LVL 1

Author Comment

by:zenportafino
ID: 12631594
This is kind of weird and I have not seen this before.  I got the serial address (WAN) and my public IP's are issued to me in a separate block.  I was told by the ISP that the block of addresses does not have to be assigned to any interface. Just use them for NAT translations.

ISP WAN    57.57.57.101/30

Our Serial0 57.57.57.102/30 <-- assigned to S0

Block of public IP's - 63.63.63.128 - 63.63.63.254 /25 <-- not assigned to an int - use for nat?

My guess is that the 63.x.x.x network is an entry in their routers.  What was odd is that I asked why they do this and was told that they can monitor what IP's we use and what we use them for.  Not so sure I like that.
0
 
LVL 36

Expert Comment

by:grblades
ID: 12633097
Personally the way they have done it is the way I prefer it done. It means you allocate one of the IP's to the ethernet interface of the router and you can have your firewall performing the Network Address Translation.

If you get multiple IP's on the serial interface you have to do NAT on the router, which is not as advanced as most firewalls, so you have problems with some protocols such as FTP and have to implement workarounds, which means it is not as secure.
0
 
LVL 1

Author Comment

by:zenportafino
ID: 12633128
So would I assign any of the 63.x.x.x IP's to E0 or does 192.168.1.1 (LAN Gateway) get assigned to the E0?
0
 
LVL 36

Expert Comment

by:grblades
ID: 12633148
I would assign 63.63.63.129 to E0 and then connect the router to a firewall.
Give the firewall 63.63.63.130 and configure it to do NAT.
You can now configure the firewall with static NAT translations for any of the spare 63.x.x.x addresses to particular machines.

Do you have a firewall already?
0
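Added example, not part of any post in this thread: a Python check of a static NAT plan against the routed block, covering the asker's concern that each outside address is really usable. The /25 and the .129/.130 assignments come from the posts above; the NAT entries and inside hosts are constructed samples.

```python
import ipaddress

# Values from the thread: the routed /25 and the two addresses suggested for
# the router's E0 and the firewall. The NAT entries are constructed samples.
BLOCK = ipaddress.ip_network("63.63.63.128/25")
RESERVED = {"63.63.63.129": "router E0", "63.63.63.130": "firewall"}
SAMPLE_NAT = [
    ("63.63.63.131", "192.168.1.10"),   # fine
    ("63.63.63.129", "192.168.1.11"),   # collides with the router
    ("63.63.63.255", "192.168.1.12"),   # broadcast of the /25
    ("63.63.63.20", "192.168.1.13"),    # not in the block at all
    ("63.63.63.131", "192.168.1.14"),   # outside address reused
]


def check_static_nat(block, reserved, entries):
    """Return one problem string per bad (outside, inside) static NAT entry."""
    taken = {ipaddress.ip_address(a): role for a, role in reserved.items()}
    edges = (block.network_address, block.broadcast_address)
    problems = []
    for outside, inside in entries:
        o, i = ipaddress.ip_address(outside), ipaddress.ip_address(inside)
        if o not in block:
            problems.append(f"{o} is not in {block}")
        elif o in edges:
            problems.append(f"{o} is the network or broadcast address")
        elif o in taken:
            problems.append(f"{o} is already used by {taken[o]}")
        else:
            taken[o] = f"the NAT entry for {i}"  # remember for later entries
        if not i.is_private:
            problems.append(f"{i} is not a private inside address")
    return problems


def spare_addresses(block, reserved, entries):
    """Host addresses in the block not yet reserved or used as a NAT outside."""
    used = {ipaddress.ip_address(a) for a in reserved}
    used |= {ipaddress.ip_address(o) for o, _ in entries}
    return [h for h in block.hosts() if h not in used]
```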
