Help with Router config

Posted on 2006-11-30
Last Modified: 2012-05-05
Hi

We are running an ISP managed 2501 router at our office. I have requested the config for analytical purposes and was wondering if anyone could help me out with a few queries I have, before I go back to them.

For munging purposes, I have removed any external IPs and replaced them with letters.

a = our external IP range, which is a.240/28
b to f = other IP addresses that do not relate to our LAN

Config below and my comments in asterisks;

interface Ethernet0
 ip address a.254 255.255.255.240
 ip access-group 102 out  
 no ip directed-broadcast  
 no ip proxy-arp  
 traffic-shape rate 1024000 1024000 2048000 1000
!
interface Serial0
 bandwidth 2048
 ip unnumbered Ethernet0
 ip access-group 151 in
 ip access-group 101 out
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
 traffic-shape rate 1024000 1024000 2048000 1000
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
ip classless
ip default-network b.0.0
ip route 0.0.0.0 0.0.0.0 Serial0
ip route b.0 255.255.0.0 Serial0
!
logging trap debugging
logging c.26
access-list 1 permit d.12
access-list 1 permit b.0 0.0.127.255
access-list 1 permit a.240 0.0.0.15 ***there is no mention of access-list 1 being applied to any interface, so why is it here?***
access-list 101 permit ip a.240 0.0.0.15 any
access-list 102 deny   ip a.240 0.0.0.15 any ***prevent spoofing?***
access-list 102 permit icmp any any
access-list 102 deny   udp any any eq 2049 ***following lines deny these ports to our network. virus used ports?***
access-list 102 deny   tcp any any eq 2049
access-list 102 deny   tcp any any eq 6000
access-list 102 permit tcp any any gt 1023
access-list 102 permit udp any any gt 1023
access-list 102 permit udp any any eq domain ***allow DNS?***
access-list 102 permit tcp any host a.241 eq smtp  ***allow SMTP to our Mail Gateway on a.241***
access-list 102 permit tcp b.0 0.0.128.255 host a.241 eq domain
access-list 102 permit tcp host e.228 host a.241 eq domain
access-list 102 permit gre any any
access-list 102 permit esp any any
access-list 102 permit ahp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit tcp any any eq www
access-list 151 deny   53 any any log
access-list 151 deny   55 any any log
access-list 151 deny   77 any any log
access-list 151 deny   pim any any log
access-list 151 deny   udp any host a.254 eq snmp log
access-list 151 deny   ip a.240 0.0.0.15 any log
access-list 151 deny   tcp any host a.254 eq 1999
access-list 151 deny   tcp any host a.254 eq 2001
access-list 151 deny   tcp any host a.254 eq 4001
access-list 151 deny   tcp any host a.254 eq 6001
access-list 151 deny   ip host 0.0.0.0 host a.254 ***not sure about this?***
access-list 151 deny   ip 10.0.0.0 0.255.255.255 any ***following lines deny non-routable addresses***
access-list 151 deny   ip 172.16.0.0 0.15.255.255 any
access-list 151 deny   ip 192.168.0.0 0.0.255.255 any
access-list 151 deny   ip 127.0.0.0 0.255.255.255 any
access-list 151 deny   ip 224.0.0.0 31.255.255.255 any
access-list 151 permit ip any any
tacacs-server host c.1
tacacs-server host f.116
tacacs-server attempts 2
tacacs-server timeout 6
banner login ^CC

A couple of questions;

access-list 102 deny ip a.240 0.0.0.15 any
This denies our own IP range from entering the LAN, to deny spoofing?

access-list 102 permit tcp any host a.241 eq smtp  ***allow SMTP to our Mail Gateway on a.241***
Does this mean if we change our SMTP Gateway to another external address, mail won't be delivered?

access-list 102 permit tcp b.0 0.0.128.255 host a.241 eq domain
access-list 102 permit tcp host e.228 host a.241 eq domain
access-list 102 permit udp any any eq domain
Are these lines allowing DNS services through?

access-list 102 deny   tcp any any eq 2049
access-list 102 deny   tcp any any eq 6000
access-list 151 deny   tcp any host a.254 eq 1999
access-list 151 deny   tcp any host a.254 eq 2001
access-list 151 deny   tcp any host a.254 eq 4001
access-list 151 deny   tcp any host a.254 eq 6001
Are these known ports to deny?

access-list 151 deny   ip 10.0.0.0 0.255.255.255 any
access-list 151 deny   ip 172.16.0.0 0.15.255.255 any
access-list 151 deny   ip 192.168.0.0 0.0.255.255 any
access-list 151 deny   ip 127.0.0.0 0.255.255.255 any
access-list 151 deny   ip 224.0.0.0 31.255.255.255 any

I thought routers didn't route internal IP address ranges by default? Or do you need to manually insert the commands as above? 224.0.0.0 is the multicast address, what is the purpose of denying that?

One final question - if, say we had the same config with a 2503 router with a bri interface, what commands would we enter to enable an ISDN backup?

Many thanks in advance!
Accepted Solution by Don Johnston (LVL 50, earned 500 total points), ID: 18044500
>This denies our own IP range from entering the LAN, to deny spoofing?
Yes.

>Does this mean if we change our SMTP Gateway to another external address, mail won't be delivered?
Yes.

>Are these lines allowing DNS services through?
Yes.

>Are these known ports to deny?
Not sure. 2049 is NFS, 6000-6063 is X windows, 4001 is "NewOak" and 2001 is "dc".

>I thought routers didn't route internal IP address ranges by default?
Routers route everything (well, almost) by default. :-) Internet routers (the ones managed by the ISPs) are configured to discard any traffic to/from the private and the loopback addresses. Most ISPs also won't accept multicast from customers unless you pay for it.

Author Comment by Dilan77 (LVL 2), ID: 18044605
Hello again Donjohnston. All makes sense apart from

>access-list 102 permit tcp b.0 0.0.128.255 host a.241 eq domain
>access-list 102 permit tcp host e.228 host a.241 eq domain
>access-list 102 permit udp any any eq domain
>Are these lines allowing DNS services through?
>Yes

I'm confused by this. a.241 is our SMTP Gateway, and does not provide any DNS services. In addition, access-list 102 is an outbound ACL on E0, i.e. to our network, so this is for machines connecting *to* our DNS ports. Why would anyone from the outside want to use our DNS services for a start, and in particular, our Gateway?
Our external DNS is handled by our ISP, who hold our A, MX, www records etc. So are these lines redundant?

 >Does this mean if we change our SMTP Gateway to another external address, mail won't be delivered?
>Yes

We have an ACL on our PIX that routes SMTP traffic to a.241, so I don't see the point of this rule. Is it common for routers to have ACLs such as this? Surely this line is redundant too?

>interface Ethernet0
>ip address a.254 255.255.255.240
> ip access-group 102 out  
> no ip directed-broadcast  
> no ip proxy-arp  
> traffic-shape rate 1024000 1024000 2048000 1000 !
>interface Serial0
> bandwidth 2048
> ip unnumbered Ethernet0
> ip access-group 151 in
> ip access-group 101 out
> no ip directed-broadcast
> no ip mroute-cache
> no fair-queue
> traffic-shape rate 1024000 1024000 2048000 1000 !

Why does S0 not have an IP address?

From your experience of routers held at local offices that connect to the internet, is this pretty standard or too complicated/simplistic?


Thanks.
Expert Comment by Don Johnston (LVL 50), ID: 18044725
>I'm confused by this. a.241 is our SMTP Gateway, and does not provide any DNS services.
But it uses DNS to resolve domain names when it sends and receives mail.

>We have an ACL on our PIX that routes SMTP traffic to a.241, so I don't see the point of this rule. Is it common for routers to have ACLs such as this? Surely this line is redundant too?
If you have a PIX that's filtering traffic then yes, it's redundant.

>Why does S0 not have an IP address?
Because you're using "IP unnumbered". The idea is that the serial interfaces are not a destination so why waste an IP address on them. So for purposes where an ip address is needed (routing protocols, for example), the router will "borrow" the IP address from the ethernet 0 interface.

>From your experience of routers held at local offices that connect to the internet, is this pretty standard or too complicated/simplistic?

Aw geeze! "Standard"? :-) I've seen routers with nothing more than an IP address and routers with ACLs so long they almost run out of NVRAM. Some of the lines you've got seem, for lack of a better word, redundant. But the ACLs are small enough that it's not going to cause any performance problems and "if it ain't broke"...
Author Comment by Dilan77 (LVL 2), ID: 18044791
Thanks.

Final question -

>I'm confused by this. a.241 is our SMTP Gateway, and does not provide any DNS services.
But it uses DNS to resolve domain names when it sends and receives mail

Our Gateway is for incoming mail only, so DNS is not needed (unless DNS is needed for inbound Gateways too). Is this line redundant too? I'm still unsure about the need for these lines below;

>access-list 102 permit tcp b.0 0.0.128.255 host a.241 eq domain
>access-list 102 permit tcp host e.228 host a.241 eq domain
>access-list 102 permit udp any any eq domain

If our Exchange is handling sending mail (as it does) then where is the line that allows DNS to either our PAT address (our Exchange is not NAT'd to an external address, but we have a Port Address Translation address of y.243) or any? And where is the line that allows DNS to our DNS server? Surely there are no hosts connecting from the outside to our DNS ports (if 'eq domain' refers to the DNS ports)?

BTW, good Cisco document on ip unnumbered below for anyone that reads this and is interested

http://www.cisco.com/warp/public/701/20.html
Expert Comment by Don Johnston (LVL 50), ID: 18044838
On second thought, that line is unnecessary for email. It's to allow DNS traffic from the outside.
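One way to settle questions like the ones in this thread (does 102 stop spoofed packets, what happens if the gateway moves off a.241, what does `permit udp any any eq domain` really admit) is to replay packets through the lists in the order the router applies them. The block below is an added example, not code from the thread, from Cisco or from the poster's ISP. It implements only the subset of IOS extended-ACL grammar the posted config uses (address/wildcard pairs, `host`, `any`, `eq`/`gt`/`lt` ports, the named ports and protocols that appear above) and evaluates constructed packets against an abridged copy of the lists: 151 inbound on Serial0 followed by 102 outbound on Ethernet0 for Internet-to-LAN traffic, and 101 outbound on Serial0 for LAN-to-Internet traffic. The addresses 203.0.113.x, 198.51.100.0 and 192.0.2.x are constructed stand-ins for the letters a, b and e.

```python
# Added example (not from the thread, Cisco or the poster's ISP): a small evaluator for
# the subset of IOS extended-ACL syntax used in the config above, so constructed packets
# can be replayed through the lists in the order the router applies them.
import ipaddress

# Constructed stand-ins for the letters the poster used to munge addresses.
A_RANGE, A_MAIL, A_ROUTER = "203.0.113.240", "203.0.113.241", "203.0.113.254"  # a.240 a.241 a.254
B_NET = "198.51.100.0"                                                         # b.0
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51, "pim": 103}
PORT = {"smtp": 25, "domain": 53, "www": 80, "snmp": 161, "isakmp": 500}

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

class AddrSpec:
    """An IOS address/wildcard pair; 'any' and 'host X' are just particular wildcards."""
    def __init__(self, net, wild):
        self.net, self.wild = ip_int(net), ip_int(wild)

    def matches(self, addr):
        # A 1 bit in the wildcard means "don't care". The test is bitwise, so a
        # discontiguous wildcard such as 0.0.128.255 matches exactly as IOS applies it.
        return (ip_int(addr) & ~self.wild) == (self.net & ~self.wild)

def _addr(t, i):
    if t[i] == "any":
        return AddrSpec("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return AddrSpec(t[i + 1], "0.0.0.0"), i + 2
    return AddrSpec(t[i], t[i + 1]), i + 2

def _port(t, i):
    # Optional "eq|gt|lt <port>" following an address; named ports resolved via PORT.
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], PORT.get(t[i + 1]) or int(t[i + 1])), i + 2
    return None, i

def parse(text):
    """Group 'access-list N action proto src [op port] dst [op port] [log]' lines by N."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        proto = PROTO[t[3]] if t[3] in PROTO else int(t[3])
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)          # a trailing "log" keyword is not needed here
        acls.setdefault(t[1], []).append((t[2], proto, src, sport, dst, dport))
    return acls

def _port_ok(cond, port):
    if cond is None:
        return True
    op, n = cond
    return port == n if op == "eq" else port > n if op == "gt" else port < n

def evaluate(entries, proto, src, dst, sport=0, dport=0):
    """First matching entry wins; an unmatched packet falls to the implicit deny."""
    for action, p, s, sp, d, dp in entries:
        if p is not None and p != proto:
            continue
        if s.matches(src) and d.matches(dst) and _port_ok(sp, sport) and _port_ok(dp, dport):
            return action
    return "deny"

# Abridged copy of the poster's lists with the constructed addresses substituted in.
CONFIG = f"""
access-list 101 permit ip {A_RANGE} 0.0.0.15 any
access-list 102 deny   ip {A_RANGE} 0.0.0.15 any
access-list 102 permit icmp any any
access-list 102 deny   tcp any any eq 2049
access-list 102 permit tcp any any gt 1023
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any host {A_MAIL} eq smtp
access-list 102 permit tcp {B_NET} 0.0.128.255 host {A_MAIL} eq domain
access-list 102 permit tcp any any eq www
access-list 151 deny   udp any host {A_ROUTER} eq snmp log
access-list 151 deny   ip {A_RANGE} 0.0.0.15 any log
access-list 151 deny   ip 10.0.0.0 0.255.255.255 any
access-list 151 deny   ip 224.0.0.0 31.255.255.255 any
access-list 151 permit ip any any
"""
ACLS = parse(CONFIG)

def inbound(proto, src, dst, sport=0, dport=0):
    """Internet -> LAN: ACL 151 inbound on Serial0, then ACL 102 outbound on Ethernet0."""
    for acl in ("151", "102"):
        if evaluate(ACLS[acl], proto, src, dst, sport, dport) == "deny":
            return "deny", acl
    return "permit", "102"

def outbound(proto, src, dst, sport=0, dport=0):
    """LAN -> Internet: ACL 101 outbound on Serial0 passes only the office /28."""
    return evaluate(ACLS["101"], proto, src, dst, sport, dport), "101"

if __name__ == "__main__":
    print(inbound(6, "203.0.113.245", A_MAIL, 40000, 25))        # ('deny', '151')   spoofed inside source
    print(inbound(6, "192.0.2.10", "203.0.113.242", 40000, 25))  # ('deny', '102')   gateway moved off .241
    print(inbound(17, "192.0.2.77", "203.0.113.243", 5353, 53))  # ('permit', '102') DNS from anywhere
```

Replaying the cases from the thread: a packet arriving on Serial0 with a source inside a.240/28 is dropped by 151 before 102 ever sees it (and 102's first line would drop it again on the way to the LAN), which is the anti-spoofing answer; SMTP to any inside host other than a.241 matches nothing in 102 and hits the implicit deny, which is why moving the gateway without changing the ACL breaks inbound mail; and `permit udp any any eq domain` passes UDP/53 from any Internet source to any host in the /28, which is the "DNS traffic from the outside" point in the last expert comment. The bitwise wildcard test also shows something worth raising with the ISP: the 0.0.128.255 wildcard on the `b.0 ... eq domain` line is discontiguous, matching b.0.x and b.128.x but none of b.1.x through b.127.x, whereas access-list 1 uses 0.0.127.255 for the same b.0 network.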
Author Comment by Dilan77 (LVL 2), ID: 18044996
Cool, thanks...