Solved

Router Configuration Verification

Posted on 2008-10-18
Last Modified: 2012-05-05
I would like to know if someone would please review this configuration and see if there are any issues with it. I want to allow http, https, and ftp to the internet for all lan clients, and specify which other machines can send traffic to the internet (smtp and a few other protocols). I have two ethernet ports in my router. F0/0 is the WAN and F0/1 is the LAN. Please be merciful as this is the first router I have ever configured.

interface FastEthernet0/0
 description $ETH-WAN$
 ip address 64.128.237.109 255.255.255.0
 ip access-group 100 in
 ip access-group 102 out
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 ip address 10.0.1.254 255.0.0.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 64.128.237.1
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.1.11 25 64.128.237.109 25 extendable
ip nat inside source static tcp 10.0.1.11 85 64.128.237.109 85 extendable
ip nat inside source static tcp 10.0.1.11 110 64.128.237.109 110 extendable
ip nat inside source static tcp 10.0.1.11 143 64.128.237.109 143 extendable
ip nat inside source static tcp 10.0.1.2 5222 64.128.237.109 5222 extendable
ip nat inside source static tcp 10.0.1.2 6600 64.128.237.109 6600 extendable
!
access-list 100 permit tcp any host 64.128.237.109 eq smtp
access-list 100 permit tcp any host 64.128.237.109 eq pop3
access-list 100 permit tcp any host 64.128.237.109 eq 143
access-list 100 permit tcp any host 64.128.237.109 eq www
access-list 100 permit tcp any host 64.128.237.109 established
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 permit udp host 216.136.95.2 eq domain any
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq www
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq ftp
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq 443
access-list 102 permit tcp host 10.0.1.11 any eq smtp
access-list 102 permit udp host 10.0.1.2 any eq 5060
access-list 102 permit udp host 10.0.1.2 any range 10000 20000
access-list 102 permit udp host 10.0.1.2 any eq 4569
access-list 102 permit tcp host 10.0.1.2 any eq 6600
access-list 102 permit tcp host 10.0.1.2 any eq 5222
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password 12Qwe
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Question by:wdkunkel
4 Comments
Author Comment

by:wdkunkel
ID: 22749553
Also, do I need to enable ip routing and ip cef if there is only one network here (10.0.1.xx/255.0.0.0)?
0

Expert Comment

by:lrmoore
ID: 22750079
Yes, routing has to be enabled. You are routing from internal network to external network.
You don't need CEF with only one path for packets to take.

Do not apply the acl "out"
   ip access-group 102 out

Your acl 102 only allows the private IP addresses, but by the time they get ready to go out that interface, they've already been natted and you will block it all.

Add dns to acl 101
  access-list 101 permit udp any eq domain any
0

Accepted Solution

by:leonjs (earned 250 total points)
ID: 22752607
If you haven't already

config t
service password-encryption

That will encrypt all service passwords so they are easy to see

Also this might be a good time to check which services are running on the router and disable the ones you won't be using/needing.
Example-
Disable Finger Service
Disable Pad Service
Disable TCP Small server Service
Disable UDP Small service service
Enable TCP Keepalives for inbound telnet sessions
Enable TCP Keepalives for outbound telnet sessions

Show processes will show you what services you are running.
0
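Added example (my own code, not part of leonjs's answer or of anything wdkunkel posted): `service password-encryption` rewrites `password` lines as type 7 strings, which are XOR obfuscation against a fixed, publicly known key rather than encryption. The decoder below recovers them. Run over the `password 7` lines of the follow-up configuration further down this thread, the vty entry comes back as `12Qwe`, the same value the first posted configuration shows in clear. The only assumption is the key constant, which is the one IOS uses; the sample configuration lines are copied from the thread.

```python
"""Cisco type 7 ('service password-encryption') strings are XOR obfuscation with
a fixed, well-known key, not encryption.  Added example, not code from the
thread; the sample config lines are copied from the follow-up configuration."""
import re

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # constant IOS key
TYPE7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)\b")

# Constructed sample: the 'password 7' lines from the follow-up configuration.
SAMPLE_CONFIG = """
enable secret 5 $1$pMeo$9c27VVG0pMvfG8D6B8pyX/
enable password 7 14434739181D
username guysdm privilege 15 password 7 055D1316321C40
line vty 0 4
 password 7 12485726050E
 login local
"""


def type7_decode(encoded):
    """Format: two decimal digits giving the start offset into the key, then
    one hex byte per character, each XORed with the next key character."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode()


def type7_encode(plain, offset=0):
    """Inverse of type7_decode (IOS itself picks an offset in 0..15)."""
    out = [f"{offset:02d}"]
    for i, ch in enumerate(plain.encode()):
        out.append(f"{ch ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]:02X}")
    return "".join(out)


def audit_config(config_text):
    """Return (config line, recovered plaintext) for every 'password 7' entry.
    'secret 5' lines are salted MD5 and are not touched by this routine."""
    findings = []
    for line in config_text.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            findings.append((line.strip(), type7_decode(m.group(1))))
    return findings


if __name__ == "__main__":
    for line, plain in audit_config(SAMPLE_CONFIG):
        print(f"{line!r:58} -> {plain!r}")
```

The practical consequence is that `password 7` protects only against someone reading the screen over your shoulder. `enable secret` (already present in the follow-up, and the one IOS uses when both `enable secret` and `enable password` are configured) and `username guysdm privilege 15 secret ...` store salted MD5 hashes that this routine cannot reverse, and with `login local` on the vty lines the line `password` is not consulted for logins at all, so the username credential is the one that has to be strong.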
Author Comment

by:wdkunkel
ID: 22759664
OK, I have made some of the recommended changes. A few more questions:

1. Do I also need to use ip inspect?
2. Are the outgoing public IP ACLs required to allow the data to transmit out of the router?
guycorp#sh run
Building configuration...

Current configuration : 5031 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname guycorp
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$pMeo$9c27VVG0pMvfG8D6B8pyX/
enable password 7 14434739181D
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2296214588
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2296214588
 revocation-check none
 rsakeypair TP-self-signed-2296214588
!
!
crypto pki certificate chain TP-self-signed-2296214588
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32323936 32313435 3838301E 170D3038 31303230 31333435
  32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32393632
  31343538 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BD4C A97CA9B3 21EEF1A9 C436D388 45ECFE1F 8A9B649E 435009B3 66D0CE59
  4911924D F34296DD 1FA6680A CC7C6730 067B75BA 2C13ED1A ADD160FE 61476C39
  9B505455 9CF764A9 5F17109E 82DAF205 7D1260C3 4F0D4944 395DE7AF B9269D11
  24218A72 B2234E53 18EFC2E6 B3E42399 55396A4F C7D5086E 1C04FDFC C00E2F32
  2B430203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07677579 636F7270 301F0603 551D2304 18301680 14E34855
  3B4F3A87 90DFCC2B 4F6600EB 4B462C78 4A301D06 03551D0E 04160414 E348553B
  4F3A8790 DFCC2B4F 6600EB4B 462C784A 300D0609 2A864886 F70D0101 04050003
  81810043 27C8FC92 7B488CD1 7247C390 713B0952 FDE2353B 7A400E63 62C514A1
  4CFFE403 CCA50597 479B3121 19F2B8F4 38D7650E 7F755C38 350029D5 1B6C15D8
  9A221D6D A03DC29F DDBFD3C9 5FCFC001 CAA3E265 C7304756 428FA441 13CB3A07
  26AF7050 E834E352 3994BD57 71A0B980 4E7283C2 A0720A8B C093B4F0 16DA1CDB 64D811
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
username guysdm privilege 15 password 7 055D1316321C40
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 64.128.237.109 255.255.255.0
 ip access-group 100 in
 ip access-group 102 out
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 ip address 10.0.1.254 255.0.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 64.128.237.1
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static udp 10.0.1.13 500 interface FastEthernet0/0 500
ip nat inside source static tcp 10.0.1.11 25 64.128.237.109 25 extendable
ip nat inside source static tcp 10.0.1.11 85 64.128.237.109 85 extendable
ip nat inside source static tcp 10.0.1.11 110 64.128.237.109 110 extendable
ip nat inside source static tcp 10.0.1.11 143 64.128.237.109 143 extendable
ip nat inside source static tcp 10.0.1.2 5222 64.128.237.109 5222 extendable
ip nat inside source static tcp 10.0.1.2 6600 64.128.237.109 6600 extendable
!
access-list 100 permit tcp any host 64.128.237.109 eq smtp
access-list 100 permit tcp any host 64.128.237.109 eq 1723
access-list 100 permit gre any host 64.128.237.109
access-list 100 permit udp any host 64.128.237.109 eq isakmp
access-list 100 permit tcp any host 64.128.237.109 eq pop3
access-list 100 permit tcp any host 64.128.237.109 eq 143
access-list 100 permit tcp any host 64.128.237.109 eq www
access-list 100 permit tcp any host 64.128.237.109 established
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 permit udp host 216.136.95.2 eq domain any
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq www
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq ftp
access-list 102 permit tcp host 64.128.237.109 any eq www
access-list 102 permit tcp host 64.128.237.109 any eq ftp
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq 443
access-list 102 permit tcp host 64.128.237.109 any eq 443
access-list 102 permit tcp host 10.0.1.11 any eq smtp
access-list 102 permit tcp host 64.128.237.109 any eq smtp
access-list 102 permit udp host 10.0.1.2 any eq 5060
access-list 102 permit udp host 64.128.237.109 any eq 5060
access-list 102 permit udp host 10.0.1.2 any range 10000 20000
access-list 102 permit udp host 64.128.237.109 any range 10000 20000
access-list 102 permit udp host 10.0.1.2 any eq 4569
access-list 102 permit udp host 64.128.237.109 any eq 4569
access-list 102 permit tcp host 10.0.1.2 any eq 6600
access-list 102 permit tcp host 64.128.237.109 any eq 6600
access-list 102 permit tcp host 10.0.1.2 any eq 5222
access-list 102 permit tcp host 64.128.237.109 any eq 5222
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password 7 12485726050E
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

0
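Added example, my own code rather than anything posted in the thread: a small Python model of the order in which IOS applies ACL 100 (`in`), NAT and ACL 102 (`out`) on F0/0, fed with ACL lines and static NAT entries copied from the configurations above (ACL 102 is reduced to its web, ftp and smtp entries). It makes three properties of the posted configuration checkable. First, lrmoore's point: ACL 102 `out` is evaluated after NAT list 101 has rewritten the source to 64.128.237.109, so the `10.0.0.0 0.0.0.255` entries can never match and it is the `host 64.128.237.109` twins added in the follow-up that actually permit the traffic; a side effect is that the per-host restrictions (smtp only from 10.0.1.11, the VoIP ports only from 10.0.1.2) no longer distinguish anything, because every inside host leaves with the same source address. Second, wildcard `0.0.0.255` on `10.0.0.0` covers only 10.0.0.0 to 10.0.0.255, so the 10.0.1.x LAN hosts would not have matched those entries even before NAT. Third, ACL 100 permits tcp/80 to the WAN address but no static NAT entry maps port 80, so those connections terminate on the router's own `ip http server`; and the `established` entry passes any ACK-flagged segment to any port without tracking sessions, which is the gap that stateful inspection (`ip inspect`, asked about in the last comment) closes by creating return-traffic entries per session instead of trusting a flag bit. The order of operations is Cisco's documented NAT order; 203.0.113.7 and 198.51.100.10 are constructed sample addresses.

```python
"""Added example: model of how IOS orders ACL 100 (in), NAT and ACL 102 (out) on
F0/0 for the configuration in this thread.  ACL lines and static NAT entries are
copied from the posts; 203.0.113.7 and 198.51.100.10 are constructed addresses."""
import ipaddress

ROUTER_WAN = "64.128.237.109"
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "ftp": 21, "domain": 53, "isakmp": 500}

# ACL 100, applied 'in' on F0/0 (follow-up configuration; PPTP/GRE lines omitted).
ACL_100 = """
access-list 100 permit tcp any host 64.128.237.109 eq smtp
access-list 100 permit udp any host 64.128.237.109 eq isakmp
access-list 100 permit tcp any host 64.128.237.109 eq www
access-list 100 permit tcp any host 64.128.237.109 established
"""
# ACL 102 as first posted (web/ftp/smtp entries): private source addresses only.
ACL_102_ORIGINAL = """
access-list 102 permit udp host 216.136.95.2 eq domain any
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq www
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq ftp
access-list 102 permit tcp host 10.0.1.11 any eq smtp
"""
# The follow-up added a 'host 64.128.237.109' twin for each private entry.
ACL_102_REVISED = ACL_102_ORIGINAL + """access-list 102 permit tcp host 64.128.237.109 any eq www
access-list 102 permit tcp host 64.128.237.109 any eq ftp
access-list 102 permit tcp host 64.128.237.109 any eq smtp
"""
# Port-specific static NAT on the WAN address, (proto, port) -> inside host.
STATIC_NAT = {("tcp", 25): "10.0.1.11", ("tcp", 110): "10.0.1.11", ("tcp", 143): "10.0.1.11",
              ("tcp", 5222): "10.0.1.2", ("tcp", 6600): "10.0.1.2", ("udp", 500): "10.0.1.13"}


def _addr(t):  # consume 'any' | 'host A.B.C.D' | 'NET WILDCARD' from the token list
    if t[0] == "any":
        return ("any",), t[1:]
    if t[0] == "host":
        return ("host", t[1]), t[2:]
    return ("net", t[0], t[1]), t[2:]


def _port(t):  # consume an optional 'eq X' or 'range A B'; None means any port
    if t and t[0] == "eq":
        p = PORT_NAMES.get(t[1]) or int(t[1])
        return (p, p), t[2:]
    if t and t[0] == "range":
        return (int(t[1]), int(t[2])), t[3:]
    return None, t


def parse_acl(text):
    """'access-list N permit|deny PROTO SRC [PORT] DST [PORT] [established]'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        rules.append((action, proto, src, sport, dst, dport, "established" in rest))
    return rules


def addr_match(spec, ip):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return ip == spec[1]
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(spec[2]))  # wildcard bits -> netmask
    return int(ipaddress.IPv4Address(ip)) & mask == int(ipaddress.IPv4Address(spec[1])) & mask


def port_match(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def acl_permits(rules, pkt):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for action, proto, src, sport, dst, dport, est in rules:
        if (proto in ("ip", pkt["proto"])
                and addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])
                and port_match(sport, pkt.get("sport")) and port_match(dport, pkt.get("dport"))
                and (pkt.get("ack") or not est)):  # 'established' = ACK or RST bit set
            return action == "permit"
    return False


def lan_to_internet(acl102_text, src, dport, proto="tcp"):
    """(matches before NAT, permitted on the wire).  F0/1 has no ACL, NAT list 101
    rewrites every 10/8 source to the WAN address, then ACL 102 'out' runs on F0/0."""
    rules = parse_acl(acl102_text)
    pkt = {"proto": proto, "src": src, "dst": "198.51.100.10", "sport": 40000, "dport": dport}
    return acl_permits(rules, pkt), acl_permits(rules, dict(pkt, src=ROUTER_WAN))


def internet_to_wan(dport, proto="tcp", ack=False):
    """ACL 100 'in' runs before outside-to-inside NAT; a permitted packet goes to
    the static-NAT host for that port, or to the router itself when none exists."""
    pkt = {"proto": proto, "src": "203.0.113.7", "dst": ROUTER_WAN,
           "sport": 40000, "dport": dport, "ack": ack}
    if not acl_permits(parse_acl(ACL_100), pkt):
        return "dropped"
    return STATIC_NAT.get((proto, dport), "router")


if __name__ == "__main__":
    print(lan_to_internet(ACL_102_ORIGINAL, "10.0.1.50", 80), lan_to_internet(ACL_102_REVISED, "10.0.1.50", 80))
    print([internet_to_wan(*a) for a in ((25,), (80,), (23,), (23, "tcp", True))])
```

The point to take from the model is that an egress policy written in terms of inside addresses only works where those addresses are still visible, i.e. applied `in` on F0/1 before NAT; placed there, the per-host smtp and VoIP entries mean what the original ACL 102 intended, and ACL 102 `out` on F0/0 becomes unnecessary.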