
Cisco 2811 with 4port FE card -- config review

fiderus asked (topic: Routers):
Two sites -- operations and disaster recovery site.
Connection currently through an IP380 and Checkpoint.
A backup application is using too much bandwidth between the sites; I had recommended a Cisco 3800 but got a Cisco 2800 with a 4-port FE card.

So I have 3 networks at each site, with a connection to the firewall for external access and a connection to the other site for backup/business continuity, for a total of 5 networks at each location.

Attached is a config for review, but the issue is that this is going to be installed and they won't give me any hosts to test the configuration with prior to the change window.

Info about networks:
site-to-site connection (g0/0)
local lan (g0/1)
local san (fe0/0/0)  -- vlan2
local backup_net (fe0/0/1) -- vlan3
firewall connection (fe0/0/2) -- vlan4

Will need access from all local nets to each other and access to the other site's counterpart; all other traffic routed to the firewall for further routing.

Would also require that if the link to the local firewall drops, traffic is sent to the other site for external access. Haven't gotten that far with the config; figure one thing at a time.

Please let me know what you think.
Thanks in advance.

!This is the running config of the router: 10.226.16.1
!----------------------------------------------------------------------------
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname site1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 *****
enable password ******
!
no aaa new-model
!
resource policy
!
clock timezone Indiana -5
ip subnet-zero
no ip source-route
no ip routing
ip tcp synwait-time 10
!
!
ip nbar port-map custom-01 tcp 3260
no ip cef
!
!
no ip bootp server
ip domain name yourdomain.com
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1495386215
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1495386215
 revocation-check none
 rsakeypair TP-self-signed-1495386215
!
!
crypto pki certificate chain TP-self-signed-1495386215
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31343935 33383632 3135301E 170D3037 30383238 32333533
  34355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34393533
  38363231 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CF30 E86A23D5 42651FA8 6DA1D835 3C84F69D 4DE39396 6EB65B01 1F2B4326
  93EDED6D 46CE27CC 3154774E 98A1D85E 221C58DC 8A5619F3 C2F601EE 5BE664E4
  FD28E9A1 A3ECB01A DBFEE163 9F05C193 76239715 3B1C4AD9 FD8A2E3C CC400EFF
  1719D95E 42D04A38 17B36251 528D4F84 CBE3C1DF 7F80A6AF AA2FBA4E B4BB3932
  B8810203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14BC33A2 77B65267 FF5F6E70 F6F7AFEA 744C49CA
  63301D06 03551D0E 04160414 BC33A277 B65267FF 5F6E70F6 F7AFEA74 4C49CA63
  300D0609 2A864886 F70D0101 04050003 81810044 86E2C9A2 79B14D6C 4353A30C
  1BAF3EA4 45A60406 4C4F98EB 89706588 E56D7464 05AD5ED9 826E4BED 0105E7AE
  F929C833 E327B3D9 7B57E3A6 5EF3CBA9 CEC65F42 58886ED2 798EB617 FE27CA73
  050BD976 94E839F4 992EFBFC 05035C15 E425A484 78935490 CD8C75B4 0C031CA1
  6D6B8F6F 25B6B79D 716218E9 E500C7D7 5DD171
  quit
username admin privilege 15 secret 5 *******
username user1 privilege 15 secret 5 *******
username user2 privilege 15 view root password 0 *****
!
!
class-map match-any EqualLogic
 match protocol custom-01
class-map match-any SDM-Scavenger-1
 match protocol napster
 match protocol fasttrack
 match protocol gnutella
class-map match-any SDM-Routing-1
 match protocol bgp
 match protocol egp
 match protocol eigrp
 match protocol ospf
 match protocol rip
 match protocol rsvp
class-map match-any SDM-Voice-1
 match protocol rtp audio
class-map match-any SDM-Streaming-Video-1
 match protocol cuseeme
 match protocol netshow
 match protocol rtsp
 match protocol streamwork
 match protocol vdolive
class-map match-any NFG
 match protocol gnutella
class-map match-any SDM-Interactive-Video-1
 match protocol rtp video
!
!
policy-map SDM-QoS-Policy-1
 class EqualLogic
  bandwidth percent 40
 class NFG
  bandwidth percent 20
 class class-default
  fair-queue
  random-detect
!
!
!
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-LAN$
 ip address 172.16.2.1 255.255.255.252
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 no ip route-cache
 duplex auto
 speed auto
 no mop enabled
 service-policy output SDM-QoS-Policy-1
!
interface GigabitEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 10.226.16.1 255.255.254.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0/0
 description SAN
 switchport access vlan 2
!
interface FastEthernet0/0/1
 description NFG
 switchport access vlan 3
 no keepalive
!
interface FastEthernet0/0/2
 description FW LINK
 switchport access vlan 4
!
interface FastEthernet0/0/3
!
interface Vlan2
 description $FW_INSIDE$
 ip address 10.5.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan3
 description $FW_INSIDE$
 ip address 10.11.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan4
 ip address 172.16.0.1 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.2 permanent
ip route 10.11.5.0 255.255.255.0 GigabitEthernet0/0 permanent
ip route 10.226.193.0 255.255.255.0 GigabitEthernet0/0 permanent
ip route 10.226.194.0 255.255.255.0 GigabitEthernet0/0 permanent
ip route 172.16.3.0 255.255.255.252 GigabitEthernet0/0
!
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.226.16.0 0.0.1.255
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 remark DR Connectivity
access-list 100 permit tcp any any
access-list 100 remark UDP
access-list 100 permit udp any any
access-list 100 remark ICMP
access-list 100 permit icmp any any
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 172.16.2.1 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 172.16.2.1 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 172.16.2.1 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 172.16.2.1 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 172.16.2.1 eq cmd
access-list 100 deny   tcp any host 172.16.2.1 eq telnet
access-list 100 deny   tcp any host 172.16.2.1 eq 22
access-list 100 deny   tcp any host 172.16.2.1 eq www
access-list 100 deny   tcp any host 172.16.2.1 eq 443
access-list 100 deny   tcp any host 172.16.2.1 eq cmd
access-list 100 deny   udp any host 172.16.2.1 eq snmp
access-list 100 deny   tcp any any
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.226.16.0 0.0.1.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.226.16.0 0.0.1.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.7 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp any any
access-list 103 permit icmp any any
access-list 103 permit udp any any
access-list 103 permit tcp 10.226.16.0 0.0.1.255 host 10.226.16.1 eq telnet
access-list 103 permit tcp 10.226.16.0 0.0.1.255 host 10.226.16.1 eq 22
access-list 103 permit tcp 10.226.16.0 0.0.1.255 host 10.226.16.1 eq www
access-list 103 permit tcp 10.226.16.0 0.0.1.255 host 10.226.16.1 eq 443
access-list 103 permit tcp 10.226.16.0 0.0.1.255 host 10.226.16.1 eq cmd
access-list 103 deny   tcp any host 10.226.16.1 eq telnet
access-list 103 deny   tcp any host 10.226.16.1 eq 22
access-list 103 deny   tcp any host 10.226.16.1 eq www
access-list 103 deny   tcp any host 10.226.16.1 eq 443
access-list 103 deny   tcp any host 10.226.16.1 eq cmd
access-list 103 deny   udp any host 10.226.16.1 eq snmp
access-list 103 permit ip any any
no cdp run
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
banner motd ^C
This is ***** property, authorized access only!
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 101 in
 privilege level 15
 password ****
 login local
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 privilege level 15
 password *****
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
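Since the asker cannot get test hosts before the change window, the next best thing is a static review of the config text itself. The script below is an added example (not from the original post, Experts Exchange, or Cisco) that encodes the review points a reader can verify directly in the posted config: `no ip routing` and `no ip cef` in the global section, clear-text passwords and HTTP management, a `permanent` untracked default route (which will stay installed when the firewall link fails, so the stated failover requirement cannot work), access-list entries that are unreachable because an earlier `permit <proto> any any` already matches them (ACLs 100 and 103 both have this shape), and telnet on the vty lines. The `SAMPLE_CONFIG` is a constructed, trimmed excerpt of the posted config; the severities and note texts are the example's own choices.

```python
"""Static review checks for a Cisco IOS running config (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a trimmed excerpt of the config under review.
SAMPLE_CONFIG = """\
version 12.4
no service password-encryption
hostname site1
enable secret 5 *****
enable password ******
no ip routing
no ip cef
interface GigabitEthernet0/0
 ip address 172.16.2.1 255.255.255.252
 ip access-group 100 in
ip route 0.0.0.0 0.0.0.0 172.16.0.2 permanent
ip http server
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit icmp any any
access-list 100 deny   tcp any host 172.16.2.1 eq telnet
access-list 100 deny   udp any host 172.16.2.1 eq snmp
access-list 100 deny   tcp any any
access-list 100 permit ip any any
line vty 0 4
 password ****
 login local
 transport input telnet ssh
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (severities are this example's choice)
    line_no: int    # 1-based line number in the config text
    text: str       # the offending config line
    note: str       # why it matters


def parse_lines(config: str) -> List[Tuple[int, str]]:
    """Drop blank lines and '!' comment lines, keeping original line numbers."""
    out = []
    for n, raw in enumerate(config.splitlines(), 1):
        s = raw.rstrip()
        if s and not s.lstrip().startswith("!"):
            out.append((n, s))
    return out


# Exact-match global commands and why each is a review finding.
GLOBAL_CHECKS = {
    "no ip routing": ("high", "IP routing is off: the router will not forward between its own networks"),
    "no ip cef": ("medium", "CEF is off: forwarding falls back to slower switching paths"),
    "no service password-encryption": ("medium", "line and enable passwords are stored in clear text"),
    "ip http server": ("medium", "clear-text HTTP management is enabled alongside HTTPS"),
}
PERMANENT_DEFAULT_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 .*\bpermanent\b")
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny)\s+(\S+)\s+(.*)$")


def check_globals(lines: List[Tuple[int, str]]) -> List[Finding]:
    findings = []
    for n, s in lines:
        if s in GLOBAL_CHECKS:
            sev, note = GLOBAL_CHECKS[s]
            findings.append(Finding(sev, n, s, note))
        elif s.startswith("enable password "):
            findings.append(Finding("medium", n, "enable password ...",
                                    "enable password present next to enable secret; remove it"))
        elif PERMANENT_DEFAULT_RE.match(s):
            findings.append(Finding("high", n, s,
                                    "default route is 'permanent' and untracked: it stays installed when "
                                    "the firewall link fails, so failover to the other site cannot happen"))
    return findings


def check_acl_shadowing(lines: List[Tuple[int, str]]) -> List[Finding]:
    """Flag ACEs that can never match because an earlier 'permit <proto> any any' covers them."""
    findings = []
    covered: Dict[str, set] = {}  # ACL number -> protocols already permitted any->any
    for n, s in lines:
        m = ACE_RE.match(s)
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        done = covered.setdefault(acl, set())
        if "ip" in done or proto in done:
            by = "ip" if "ip" in done else proto
            findings.append(Finding("high", n, s,
                                    f"unreachable: an earlier 'permit {by} any any' in ACL {acl} already matches"))
            continue
        if action == "permit" and rest.split() == ["any", "any"]:
            done.add(proto)
    return findings


def check_vty(lines: List[Tuple[int, str]]) -> List[Finding]:
    """Walk indented lines with their parent section and inspect 'line vty' blocks."""
    findings, section = [], ""
    for n, s in lines:
        if not s.startswith(" "):
            section = s
            continue
        body = s.strip()
        if section.startswith("line vty"):
            if body.startswith("transport input") and "telnet" in body.split():
                findings.append(Finding("medium", n, body, f"{section}: telnet accepted; restrict to ssh"))
            elif body.startswith("password "):
                findings.append(Finding("low", n, "password ...",
                                        f"{section}: clear-text line password; unused when 'login local' is set"))
    return findings


def review(config: str) -> List[Finding]:
    lines = parse_lines(config)
    findings = check_globals(lines) + check_acl_shadowing(lines) + check_vty(lines)
    return sorted(findings, key=lambda f: f.line_no)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in review(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] line {f.line_no:2}: {f.text}\n         {f.note}")
    print(summarize(review(SAMPLE_CONFIG)))
```

Run it against the full posted config (paste it into `SAMPLE_CONFIG` or read it from a file) and ACL 103 is flagged the same way as ACL 100: its `permit tcp any any`, `permit icmp any any` and `permit udp any any` sit above every `deny`, so the management-plane denies never fire. The shadowing check only reasons about `any any` wildcards, so it reports a subset of unreachable entries, never a false positive.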

ASKER CERTIFIED SOLUTION
Les Moore
Systems Architect