Solved

Router Configuration Verification

Posted on 2008-10-18
Last Modified: 2012-05-05
I would like to know if someone would please review this configuration and see if there are any issues with it. I want to allow HTTP, HTTPS, and FTP to the internet for all LAN clients, and specify which other machines can send traffic to the internet (SMTP and a few other protocols). I have two Ethernet ports in my router. F0/0 is the WAN and F0/1 is the LAN. Please be merciful as this is the first router I have ever configured.
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 64.128.237.109 255.255.255.0
 ip access-group 100 in
 ip access-group 102 out
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 ip address 10.0.1.254 255.0.0.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 64.128.237.1
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.1.11 25 64.128.237.109 25 extendable
ip nat inside source static tcp 10.0.1.11 85 64.128.237.109 85 extendable
ip nat inside source static tcp 10.0.1.11 110 64.128.237.109 110 extendable
ip nat inside source static tcp 10.0.1.11 143 64.128.237.109 143 extendable
ip nat inside source static tcp 10.0.1.2 5222 64.128.237.109 5222 extendable
ip nat inside source static tcp 10.0.1.2 6600 64.128.237.109 6600 extendable
!
access-list 100 permit tcp any host 64.128.237.109 eq smtp
access-list 100 permit tcp any host 64.128.237.109 eq pop3
access-list 100 permit tcp any host 64.128.237.109 eq 143
access-list 100 permit tcp any host 64.128.237.109 eq www
access-list 100 permit tcp any host 64.128.237.109 established
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 permit udp host 216.136.95.2 eq domain any
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq www
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq ftp
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq 443
access-list 102 permit tcp host 10.0.1.11 any eq smtp
access-list 102 permit udp host 10.0.1.2 any eq 5060
access-list 102 permit udp host 10.0.1.2 any range 10000 20000
access-list 102 permit udp host 10.0.1.2 any eq 4569
access-list 102 permit tcp host 10.0.1.2 any eq 6600
access-list 102 permit tcp host 10.0.1.2 any eq 5222
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password 12Qwe
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Question by:wdkunkel
4 Comments
 

Author Comment

by:wdkunkel
ID: 22749553
Also, do I need to enable ip routing and ip cef if there is only one network here (10.0.1.xx/255.0.0.0)
LVL 79

Expert Comment

by:lrmoore
ID: 22750079
Yes, routing has to be enabled. You are routing from internal network to external network.
You don't need CEF with only one path for packets to take.

Do not apply the acl "out"
   ip access-group 102 out

Your acl 102 only allows the private IP addresses, but by the time they get ready to go out that interface, they've already been NATted and you will block it all.

Add dns to acl 101
  access-list 101 permit udp any eq domain any
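lrmoore's point about the outbound ACL, as an added worked example that is not from the original thread: a small Python evaluator for the access-list syntax used above, applying the inside-to-outside order of operations in which NAT overload rewrites the source to the Fa0/0 address before the `out` ACL on that interface sees the packet. The destination address and ephemeral port are constructed values; the evaluator also lets you check which hosts each wildcard mask actually covers.

```python
import ipaddress
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53, "pop3": 110}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit means that address bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tok):
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def _take_ports(tok):
    # optional 'eq <port>' or 'range <lo> <hi>'; nothing means any port
    if tok and tok[0] == "eq":
        p = PORT_NAMES.get(tok[1]) or int(tok[1])
        return (p, p), tok[2:]
    if tok and tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    return (0, 65535), tok

def parse_acl(lines):
    """Parse 'access-list N permit|deny <proto> <src> [ports] <dst> [ports]' as used on the page."""
    rules = []
    for line in lines:
        tok = line.split()[2:]  # drop 'access-list <number>'
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, tok = _take_addr(tok); sport, tok = _take_ports(tok)
        dst, tok = _take_addr(tok); dport, tok = _take_ports(tok)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def acl_decision(rules, proto, src, sport, dst, dport):
    """First matching line wins; an IOS access list ends with an implicit deny."""
    for action, p, s, sp, d, dp in rules:
        if p in (proto, "ip") and wildcard_match(src, *s) and sp[0] <= sport <= sp[1] \
           and wildcard_match(dst, *d) and dp[0] <= dport <= dp[1]:
            return action
    return "deny"

def egress_fa0_0(rules, lan_src, dst, dport, nat_ip="64.128.237.109"):
    # inside->outside: NAT overload has already replaced lan_src with the Fa0/0 address
    return acl_decision(rules, "tcp", nat_ip, 40000, dst, dport)

# ACL 102 as posted, plus one of the public-address lines from the asker's revised config
ACL102 = """access-list 102 permit udp host 216.136.95.2 eq domain any
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq www
access-list 102 permit tcp host 10.0.1.11 any eq smtp""".splitlines()
ACL102_REVISED = ACL102 + ["access-list 102 permit tcp host 64.128.237.109 any eq www"]
```

Run `egress_fa0_0(parse_acl(ACL102), "10.0.0.5", "203.0.113.10", 80)` to see the post-NAT packet denied, and the same call with `ACL102_REVISED` to see it permitted; `wildcard_match("10.0.1.5", "10.0.0.0", "0.0.0.255")` shows that mask covers only 10.0.0.x.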
LVL 3

Accepted Solution

by:
leonjs earned 750 total points
ID: 22752607
If you haven't already

config t
service password-encryption

That will encrypt all service passwords so they are easy to see

Also, this might be a good time to check which services are running on the router and disable the ones you won't be using/needing.
Example-
Disable Finger Service
Disable Pad Service
Disable TCP Small server Service
Disable UDP Small server Service
Enable TCP Keepalives for inbound telnet sessions
Enable TCP Keepalives for outbound telnet sessions

Show processes will show you what services you are running.

Author Comment

by:wdkunkel
ID: 22759664
OK, I have made some of the recommended changes. A few more questions:

1. Do I also need to use ip inspect?
2. Are the outgoing public IP ACLs required to allow the data to transmit out of the router?

guycorp#sh run
Building configuration...
 
Current configuration : 5031 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname guycorp
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$pMeo$9c27VVG0pMvfG8D6B8pyX/
enable password 7 14434739181D
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2296214588
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2296214588
 revocation-check none
 rsakeypair TP-self-signed-2296214588
!
!
crypto pki certificate chain TP-self-signed-2296214588
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32323936 32313435 3838301E 170D3038 31303230 31333435
  32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32393632
  31343538 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BD4C A97CA9B3 21EEF1A9 C436D388 45ECFE1F 8A9B649E 435009B3 66D0CE59
  4911924D F34296DD 1FA6680A CC7C6730 067B75BA 2C13ED1A ADD160FE 61476C39
  9B505455 9CF764A9 5F17109E 82DAF205 7D1260C3 4F0D4944 395DE7AF B9269D11
  24218A72 B2234E53 18EFC2E6 B3E42399 55396A4F C7D5086E 1C04FDFC C00E2F32
  2B430203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07677579 636F7270 301F0603 551D2304 18301680 14E34855
  3B4F3A87 90DFCC2B 4F6600EB 4B462C78 4A301D06 03551D0E 04160414 E348553B
  4F3A8790 DFCC2B4F 6600EB4B 462C784A 300D0609 2A864886 F70D0101 04050003
  81810043 27C8FC92 7B488CD1 7247C390 713B0952 FDE2353B 7A400E63 62C514A1
  4CFFE403 CCA50597 479B3121 19F2B8F4 38D7650E 7F755C38 350029D5 1B6C15D8
  9A221D6D A03DC29F DDBFD3C9 5FCFC001 CAA3E265 C7304756 428FA441 13CB3A07
  26AF7050 E834E352 3994BD57 71A0B980 4E7283C2 A0720A8B C093B4F0 16DA1CDB 64D811
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
username guysdm privilege 15 password 7 055D1316321C40
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 64.128.237.109 255.255.255.0
 ip access-group 100 in
 ip access-group 102 out
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 ip address 10.0.1.254 255.0.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 64.128.237.1
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static udp 10.0.1.13 500 interface FastEthernet0/0 500
ip nat inside source static tcp 10.0.1.11 25 64.128.237.109 25 extendable
ip nat inside source static tcp 10.0.1.11 85 64.128.237.109 85 extendable
ip nat inside source static tcp 10.0.1.11 110 64.128.237.109 110 extendable
ip nat inside source static tcp 10.0.1.11 143 64.128.237.109 143 extendable
ip nat inside source static tcp 10.0.1.2 5222 64.128.237.109 5222 extendable
ip nat inside source static tcp 10.0.1.2 6600 64.128.237.109 6600 extendable
!
access-list 100 permit tcp any host 64.128.237.109 eq smtp
access-list 100 permit tcp any host 64.128.237.109 eq 1723
access-list 100 permit gre any host 64.128.237.109
access-list 100 permit udp any host 64.128.237.109 eq isakmp
access-list 100 permit tcp any host 64.128.237.109 eq pop3
access-list 100 permit tcp any host 64.128.237.109 eq 143
access-list 100 permit tcp any host 64.128.237.109 eq www
access-list 100 permit tcp any host 64.128.237.109 established
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 permit udp host 216.136.95.2 eq domain any
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq www
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq ftp
access-list 102 permit tcp host 64.128.237.109 any eq www
access-list 102 permit tcp host 64.128.237.109 any eq ftp
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any eq 443
access-list 102 permit tcp host 64.128.237.109 any eq 443
access-list 102 permit tcp host 10.0.1.11 any eq smtp
access-list 102 permit tcp host 64.128.237.109 any eq smtp
access-list 102 permit udp host 10.0.1.2 any eq 5060
access-list 102 permit udp host 64.128.237.109 any eq 5060
access-list 102 permit udp host 10.0.1.2 any range 10000 20000
access-list 102 permit udp host 64.128.237.109 any range 10000 20000
access-list 102 permit udp host 10.0.1.2 any eq 4569
access-list 102 permit udp host 64.128.237.109 any eq 4569
access-list 102 permit tcp host 10.0.1.2 any eq 6600
access-list 102 permit tcp host 64.128.237.109 any eq 6600
access-list 102 permit tcp host 10.0.1.2 any eq 5222
access-list 102 permit tcp host 64.128.237.109 any eq 5222
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password 7 12485726050E
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

