Dilan77

asked on

Help with Router config

Hi

We are running an ISP-managed 2501 router at our office. I have requested the config for analytical purposes and was wondering if anyone could help me out with a few queries I have before I go back to them.

For munging purposes, I have removed any external IPs and replaced them with letters.

a = our external IP range, which is a.240/28
b - f = other IP addresses that do not relate to our LAN

Config below and my comments in asterisks;

interface Ethernet0
 ip address a.254 255.255.255.240
 ip access-group 102 out  
 no ip directed-broadcast  
 no ip proxy-arp  
 traffic-shape rate 1024000 1024000 2048000 1000
!
interface Serial0
 bandwidth 2048
 ip unnumbered Ethernet0
 ip access-group 151 in
 ip access-group 101 out
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
 traffic-shape rate 1024000 1024000 2048000 1000
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
ip classless
ip default-network b.0.0
ip route 0.0.0.0 0.0.0.0 Serial0
ip route b.0 255.255.0.0 Serial0
!
logging trap debugging
logging c.26
access-list 1 permit d.12
access-list 1 permit b.0 0.0.127.255
access-list 1 permit a.240 0.0.0.15 ***there is no mention of access-list 1 being applied to any interface, so why is it here?***
access-list 101 permit ip a.240 0.0.0.15 any
access-list 102 deny   ip a.240 0.0.0.15 any ***prevent spoofing?***
access-list 102 permit icmp any any
access-list 102 deny   udp any any eq 2049 ***following lines deny these ports to our network. virus used ports?***
access-list 102 deny   tcp any any eq 2049
access-list 102 deny   tcp any any eq 6000
access-list 102 permit tcp any any gt 1023
access-list 102 permit udp any any gt 1023
access-list 102 permit udp any any eq domain ***allow DNS?***
access-list 102 permit tcp any host a.241 eq smtp  ***allow SMTP to our Mail Gateway on a.241***
access-list 102 permit tcp b.0 0.0.128.255 host a.241 eq domain
access-list 102 permit tcp host e.228 host a.241 eq domain
access-list 102 permit gre any any
access-list 102 permit esp any any
access-list 102 permit ahp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit tcp any any eq www
access-list 151 deny   53 any any log
access-list 151 deny   55 any any log
access-list 151 deny   77 any any log
access-list 151 deny   pim any any log
access-list 151 deny   udp any host a.254 eq snmp log
access-list 151 deny   ip a.240 0.0.0.15 any log
access-list 151 deny   tcp any host a.254 eq 1999
access-list 151 deny   tcp any host a.254 eq 2001
access-list 151 deny   tcp any host a.254 eq 4001
access-list 151 deny   tcp any host a.254 eq 6001
access-list 151 deny   ip host 0.0.0.0 host a.254 ***not sure about this?***
access-list 151 deny   ip 10.0.0.0 0.255.255.255 any ***following lines deny non-routable addresses***
access-list 151 deny   ip 172.16.0.0 0.15.255.255 any
access-list 151 deny   ip 192.168.0.0 0.0.255.255 any
access-list 151 deny   ip 127.0.0.0 0.255.255.255 any
access-list 151 deny   ip 224.0.0.0 31.255.255.255 any
access-list 151 permit ip any any
tacacs-server host c.1
tacacs-server host f.116
tacacs-server attempts 2
tacacs-server timeout 6
banner login ^CC

A couple of questions;

access-list 102 deny ip a.240 0.0.0.15 any
This denies our own IP range from entering the LAN, to deny spoofing?

access-list 102 permit tcp any host a.241 eq smtp  ***allow SMTP to our Mail Gateway on a.241***
Does this mean if we change our SMTP Gateway to another external address, mail won't be delivered?

access-list 102 permit tcp b.0 0.0.128.255 host a.241 eq domain
access-list 102 permit tcp host e.228 host a.241 eq domain
access-list 102 permit udp any any eq domain
Are these lines allowing DNS services through?

access-list 102 deny   tcp any any eq 2049
access-list 102 deny   tcp any any eq 6000
access-list 151 deny   tcp any host a.254 eq 1999
access-list 151 deny   tcp any host a.254 eq 2001
access-list 151 deny   tcp any host a.254 eq 4001
access-list 151 deny   tcp any host a.254 eq 6001
Are these known ports to deny?

access-list 151 deny   ip 10.0.0.0 0.255.255.255 any
access-list 151 deny   ip 172.16.0.0 0.15.255.255 any
access-list 151 deny   ip 192.168.0.0 0.0.255.255 any
access-list 151 deny   ip 127.0.0.0 0.255.255.255 any
access-list 151 deny   ip 224.0.0.0 31.255.255.255 any

I thought routers didn't route internal IP address ranges by default? Or do you need to manually insert the commands as above? 224.0.0.0 is the multicast address, what is the purpose of denying that?

One final question - if, say, we had the same config with a 2503 router with a BRI interface, what commands would we enter to enable an ISDN backup?

Many thanks in advance!
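To make the first-match behaviour of these two lists concrete, here is an added example (my own code, not from the post, the ISP or Cisco): a small evaluator for the numbered-ACL syntax in the config above, run against constructed packets. The letter placeholders are swapped for RFC 5737 documentation addresses (a = 192.0.2, so our /28 is 192.0.2.240/28 with E0 at .254 and the mail gateway at .241; b = 198.51; e = 203.0.113), ACL 151 is reproduced only in part, and the packets are made up rather than captured. It shows what the questions turn on: the "deny ip a.240 0.0.0.15 any" at the top of 102 drops anything arriving from the ISP that claims one of our own addresses; SMTP to a.241 is matched by the explicit permit, while SMTP to any other address in the block falls through to the implicit deny at the end of the list; a DNS reply coming back to an inside host's ephemeral port is admitted by "permit udp any any gt 1023", not by any of the "eq domain" lines; and the 0.0.128.255 wildcard on the b.0 line is non-contiguous, so it matches b.0.x and b.128.x but not b.1.x.

```python
# Added example (not from the original post). Munged letters -> RFC 5737 ranges (constructed):
# a = 192.0.2 (our /28 = .240/28, E0 = .254, mail gateway = .241), b = 198.51, e = 203.0.113.
import ipaddress

PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "snmp": 161, "isakmp": 500}
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51, "pim": 103}
ACL_TEXT = """\
access-list 102 deny   ip 192.0.2.240 0.0.0.15 any
access-list 102 permit icmp any any
access-list 102 deny   udp any any eq 2049
access-list 102 deny   tcp any any eq 2049
access-list 102 deny   tcp any any eq 6000
access-list 102 permit tcp any any gt 1023
access-list 102 permit udp any any gt 1023
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any host 192.0.2.241 eq smtp
access-list 102 permit tcp 198.51.0.0 0.0.128.255 host 192.0.2.241 eq domain
access-list 102 permit tcp host 203.0.113.228 host 192.0.2.241 eq domain
access-list 102 permit gre any any
access-list 102 permit esp any any
access-list 102 permit ahp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit tcp any any eq www
access-list 151 deny   53 any any log
access-list 151 deny   pim any any log
access-list 151 deny   udp any host 192.0.2.254 eq snmp log
access-list 151 deny   ip 192.0.2.240 0.0.0.15 any log
access-list 151 deny   ip 10.0.0.0 0.255.255.255 any
access-list 151 permit ip any any
"""  # ACL 151 is reproduced only in part (the other bogon and router-port lines are left out)

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _parse_addr(t, i):
    """'any' | 'host A' | 'A WILDCARD' | bare 'A' at t[i] -> ((network, mask), next index)."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0xFFFFFFFF), i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:   # Cisco wildcard mask: 1 bits are "don't care"
        return (_ip(t[i]), 0xFFFFFFFF ^ _ip(t[i + 1])), i + 2
    return (_ip(t[i]), 0xFFFFFFFF), i + 1
def _parse_port(t, i):
    """Optional 'eq|gt|lt|neq PORT' (name or number) at t[i] -> ((op, port), next index)."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        p = t[i + 1]
        return (t[i], PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acls(text):
    """Extended (100-199) access-list lines -> {number: [ACE, ...]} in configuration order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        e = {"action": t[2], "proto": None if t[3] == "ip" else PROTO_NAMES.get(t[3]) or int(t[3])}
        e["src"], i = _parse_addr(t, 4)
        e["sport"], i = _parse_port(t, i)
        e["dst"], i = _parse_addr(t, i)
        e["dport"], i = _parse_port(t, i)      # a trailing "log" keyword, if any, is ignored here
        acls.setdefault(int(t[1]), []).append(e)
    return acls

def _addr_ok(spec, addr):
    net, mask = spec
    return (_ip(addr) & mask) == (net & mask)
def _port_ok(spec, port):
    if spec is None:
        return True
    op, v = spec   # the ACE names a port, so a packet without ports (icmp, gre, ...) cannot match it
    return port is not None and {"eq": port == v, "gt": port > v, "lt": port < v, "neq": port != v}[op]

def evaluate(acl, p):
    """First matching ACE wins -> (action, 1-based ACE number); number None means the implicit deny."""
    for n, e in enumerate(acl, 1):
        if (e["proto"] in (None, p["proto"]) and _addr_ok(e["src"], p["src"]) and _addr_ok(e["dst"], p["dst"])
                and _port_ok(e["sport"], p.get("sport")) and _port_ok(e["dport"], p.get("dport"))):
            return e["action"], n
    return "deny", None
def pkt(proto, src, dst, sport=None, dport=None):
    return {"proto": PROTO_NAMES.get(proto, proto), "src": src, "dst": dst, "sport": sport, "dport": dport}

def scenarios():
    """Constructed packets against ACL 102 (out on E0, i.e. toward the LAN) and ACL 151 (in on S0)."""
    a = parse_acls(ACL_TEXT)
    return {
        "spoofed-own-range": evaluate(a[102], pkt("tcp", "192.0.2.245", "192.0.2.250", 40000, 80)),
        "smtp-to-gateway": evaluate(a[102], pkt("tcp", "203.0.113.10", "192.0.2.241", 40000, 25)),
        "smtp-to-other-host": evaluate(a[102], pkt("tcp", "203.0.113.10", "192.0.2.242", 40000, 25)),
        "dns-reply-to-high-port": evaluate(a[102], pkt("udp", "203.0.113.53", "192.0.2.243", 53, 3271)),
        "tcp-dns-inside-wildcard": evaluate(a[102], pkt("tcp", "198.51.128.7", "192.0.2.241", 40000, 53)),
        "tcp-dns-outside-wildcard": evaluate(a[102], pkt("tcp", "198.51.1.7", "192.0.2.241", 40000, 53)),
        "ip-protocol-53": evaluate(a[151], pkt(53, "203.0.113.10", "192.0.2.254")),
        "rfc1918-source": evaluate(a[151], pkt("tcp", "10.1.2.3", "192.0.2.241", 40000, 25)),
        "snmp-to-router": evaluate(a[151], pkt("udp", "203.0.113.10", "192.0.2.254", 40000, 161)),
    }

if __name__ == "__main__":
    print(*(f"{k:26} {v}" for k, v in scenarios().items()), sep="\n")
```

Each result is the action plus the 1-based position of the entry that matched, with None standing for the implicit deny that ends every Cisco ACL; the evaluator is stateless, exactly like the router's lists, which is why the reply to an inside DNS query has to be let in by a broad "gt 1023" permit rather than by anything that knows a query went out.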
ASKER CERTIFIED SOLUTION
Don Johnston

This solution is only available to members.
Dilan77

ASKER

Hello again Donjohnston. All makes sense apart from

>access-list 102 permit tcp b.0 0.0.128.255 host a.241 eq domain
>access-list 102 permit tcp host e.228 host a.241 eq domain
>access-list 102 permit udp any any eq domain
>Are these lines allowing DNS services through?
>Yes

I'm confused by this. a.241 is our SMTP Gateway, and does not provide any DNS services. In addition, access-list 102 is an outbound ACL on E0, i.e. to our network, so this is for machines connecting *to* our DNS ports. Why would anyone from the outside want to use our DNS services for a start, and in particular, our Gateway?
Our external DNS is handled by our ISP, who hold our A, MX, www records etc. So are these lines redundant?

 >Does this mean if we change our SMTP Gateway to another external address, mail won't be delivered?
>Yes

We have an ACL on our PIX that routes SMTP traffic to a.241, so I don't see the point of this rule. Is it common for routers to have ACLs such as this? Surely this line is redundant too?

>interface Ethernet0
>ip address a.254 255.255.255.240
> ip access-group 102 out  
> no ip directed-broadcast  
> no ip proxy-arp  
> traffic-shape rate 1024000 1024000 2048000 1000 !
>interface Serial0
> bandwidth 2048
> ip unnumbered Ethernet0
> ip access-group 151 in
> ip access-group 101 out
> no ip directed-broadcast
> no ip mroute-cache
> no fair-queue
> traffic-shape rate 1024000 1024000 2048000 1000 !

Why does S0 not have an IP address?

From your experience of routers held at local offices that connect to the internet, is this pretty standard or too complicated/simplistic?


Thanks.
>I'm confused by this. a.241 is our SMTP Gateway, and does not provide any DNS services.
But it uses DNS to resolve domain names when it sends and receives mail.

>We have an ACL on our PIX that routes SMTP traffic to a.241, so I don't see the point of this rule. Is it common for routers to have ACLs such as this? Surely this line is redundant too?
If you have a PIX that's filtering traffic then yes, it's redundant.

>Why does S0 not have an IP address?
Because you're using "ip unnumbered". The idea is that the serial interfaces are not a destination, so why waste an IP address on them. So for purposes where an IP address is needed (routing protocols, for example), the router will "borrow" the IP address from the Ethernet 0 interface.

>From your experience of routers held at local offices that connect to the internet, is this pretty standard or too complicated/simplistic?

Aw geeze! "Standard"? :-) I've seen routers with nothing more than an IP address and routers with ACLs so long they almost run out of NVRAM. Some of the lines you've got seem, for lack of a better word, redundant. But the ACLs are small enough that it's not going to cause any performance problems and "if it ain't broke"...

ASKER

Thanks.

Final question -

>I'm confused by this. a.241 is our SMTP Gateway, and does not provide any DNS services.
But it uses DNS to resolve domain names when it sends and receives mail

Our Gateway is for incoming mail only, so DNS is not needed (unless DNS is needed for inbound Gateways too). Is this line redundant too? I'm still unsure about the need for these lines below;

>access-list 102 permit tcp b.0 0.0.128.255 host a.241 eq domain
>access-list 102 permit tcp host e.228 host a.241 eq domain
>access-list 102 permit udp any any eq domain

If our Exchange is handling sending mail (as it does) then where is the line that allows DNS to either our PAT address (our Exchange is not NAT'd to an external address, but we have a Port Address Translation address of y.243) or any? And where is the line that allows DNS to our DNS server? Surely there are no hosts connecting from the outside to our DNS ports (if 'eq domain' refers to the DNS ports)?

BTW, good Cisco document on ip unnumbered below for anyone that reads this and is interested

http://www.cisco.com/warp/public/701/20.html
On second thought, that line is unnecessary for email. It's to allow DNS traffic from the outside.

ASKER

Cool, thanks...