Help with Router Configuration for a single router network

I am building a small network for a 60-user business in town. They have two Cisco switches connecting to a Cisco 3845 router with the Advanced IP Services IOS, the intention being to use the built-in IPS feature.

Essentially, here is the way it's going to be wired.

Switch 1 >> Trunk >> Switch 2 >> Router >> WAN

I have SDM installed on one of the PCs connected to one of the two switches.

The Router has firewall and IPS enabled. The customer is very particular about this network being good at intrusion prevention.

Below is my config (fake IPs etc.). What else can I do to improve this configuration?
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!DR
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 !@#%@$#%@#$!@!@#!$!@#
!
no aaa new-model
ip cef
!
!
!
!
ip domain name yourdomain.com
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1408452671
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1408452671
 revocation-check none
 rsakeypair TP-self-signed-1408452671
!
!
crypto pki certificate chain TP-self-signed-1408452671
 certificate self-signed 01
  <clipped>
  quit
username <myuser> privilege 15 secret 5 <mypassword>
!
!
! 
!
!
!
!
interface GigabitEthernet0/0
 description WAN_OUTSIDE
 ip address 222.22.121.34 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description LAN_INSIDE
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 7 interface GigabitEthernet0/0 overload
!
access-list 7 permit 192.168.10.0 0.0.0.255
access-list 23 permit 192.168.10.203
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 222.22.121.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host 222.22.121.34 echo-reply
access-list 101 permit icmp any host 222.22.121.34 time-exceeded
access-list 101 permit icmp any host 222.22.121.34 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner exec ^C
-----------------------------------------------------------------------
 
My Banner
 
-----------------------------------------------------------------------
^C
banner login ^C
My Exec Banner
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


vulcanman Asked:

atlas_shuddered (Sr. Network Engineer) Commented:
The first thing that I would ask is:

access-list 101 permit icmp any host 222.22.121.34 echo-reply
access-list 101 permit icmp any host 222.22.121.34 time-exceeded
access-list 101 permit icmp any host 222.22.121.34 unreachable

Is it necessary for this host to be reachable from the outside? Does it serve a purpose?

Second:

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any

These lines are implied in the statement - deny ip any any log.  If there is no absolute reason to have these in place, why not consider removing them?

Third:

Consider securing the router itself from attack.  All the security in the world doesn't do any good if your bridgehead is not secure:

http://www.infosecwriters.com/text_resources/pdf/8steps_secure_cisco.pdf

Try this and go from there.
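One concrete way to act on the third point, as an added example that is neither atlas_shuddered's nor the asker's own config: management-plane hardening for the posted IOS 12.4 configuration (SSH-only VTY access, HTTPS-only SDM, encrypted passwords, login throttling, off-box logging). The syslog/NTP host 192.168.10.50 and the `login block-for` thresholds are assumed placeholders, and `ip ssh version 2` assumes an RSA key has already been generated with `crypto key generate rsa`.

```cisco
! Added hardening example, not the original poster's config. The syslog and
! NTP host 192.168.10.50 is a placeholder; pick a real server on the LAN.
service password-encryption
service tcp-keepalives-in
!
! SDM works over HTTPS, so drop the clear-text HTTP listener
no ip http server
ip http secure-server
!
! SSH v2 only (assumes "crypto key generate rsa modulus 2048" was run)
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local AAA plus brute-force throttling on the login prompt
aaa new-model
aaa authentication login default local
aaa authorization exec default local
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Ship firewall/IPS syslog off-box and keep timestamps accurate
logging trap informational
logging host 192.168.10.50
ntp server 192.168.10.50
!
! Disable services the router does not need to offer
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no service pad
!
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
line aux 0
 no exec
 transport input none
line vty 0 15
 access-class 23 in
 exec-timeout 10 0
 transport input ssh
```

Apply this from the console and confirm the local username still logs in before saving, because `aaa new-model` replaces the per-line `login local` with the AAA default list.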
wsenter Commented:
Will you be defining VLANs and assigning ip access-groups to them?
vulcanman (Author) Commented:
All users are on one network.
Do you think I should still view it as one large VLAN, so that if down the road they want to segregate, it will be easier to add a second VLAN?


wsenter Commented:
So you are using VLAN 1 only (default). Personally, I would do the VLAN planning up front and implement. This is easier and less of a management issue. If you want to route between them, let me know and I can send you some example code.

vulcanman (Author) Commented:
Just a FYI. My switches (two of them) are configured as follows:

- No VLAN 1
- Only Fraction of Ports are Enabled (based on # users + Servers)
- Enabled Ports on VLAN 200
- Two switches daisy chained by GBIC. Ports in trunk mode.
- GBIC cable from one switch over to Router (port is on VLAN 200)

So I am using VLAN 200.

wsenter - your point is, if I wanted to segregate users I could have (say) a VLAN 300 and use the ROAS method to go between the VLANs? Since I do not have a need for it now, would adding that to the router config now impact performance unnecessarily?

wsenter Commented:
There is always a bit of overhead involved when you turn on any new feature such as VTP but it is very minimal.  You will not notice a difference, especially on a LAN.
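The router-on-a-stick layout raised in the last few comments, as an added example that is neither wsenter's offered code nor part of the original config: Gi0/1 becomes an 802.1Q trunk carrying the existing VLAN 200 plus a hypothetical VLAN 300 for the servers, with inter-VLAN filtering so the server VLAN cannot open sessions toward the users. VLAN 300, its 192.168.30.0/24 subnet and ACL 130 are assumptions, and the switch port facing the router must be changed from an access port in VLAN 200 to a trunk that allows both VLANs.

```cisco
! Added ROAS example, not the poster's or wsenter's config. VLAN 300 and
! 192.168.30.0/24 are assumed; VLAN 200 keeps its existing addressing.
interface GigabitEthernet0/1
 description LAN_INSIDE_TRUNK
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.200
 description USERS_VLAN200
 encapsulation dot1Q 200
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.300
 description SERVERS_VLAN300
 encapsulation dot1Q 300
 ip address 192.168.30.1 255.255.255.0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
!
! NAT list 7 must now match both inside subnets
no access-list 7
access-list 7 permit 192.168.10.0 0.0.0.255
access-list 7 permit 192.168.30.0 0.0.0.255
!
! Servers may answer user sessions but may not initiate toward VLAN 200;
! anything else (Internet-bound) is allowed and goes through NAT/inspect
ip access-list extended 130
 permit tcp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 established
 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 permit ip 192.168.30.0 0.0.0.255 any
```

The inter-VLAN overhead on a 3845 is negligible for 60 users; the practical cost is the switch-side change to a trunk, which briefly drops the router link when applied.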