Solved

Help with Router Configuration for a single router network

Posted on 2009-07-12
Last Modified: 2012-05-07
I am building a small network for a 60-user business in town. They have two Cisco switches connecting to a Cisco 3845 router with Advanced IP Services IOS, the intention being to use the built-in IPS feature.

Essentially, here is the way it's going to be wired.

Switch 1 >> Trunk >> Switch 2 >> Router >> WAN

I have SDM installed on one of the PCs connected to one of the two switches.

The Router has firewall and IPS enabled. The customer is very particular about this network being good at intrusion prevention.

Below is my config (fake IPs etc.) ... what else can I do to improve this configuration?
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!DR
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 !@#%@$#%@#$!@!@#!$!@#
!
no aaa new-model
ip cef
!
!
!
!
ip domain name yourdomain.com
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1408452671
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1408452671
 revocation-check none
 rsakeypair TP-self-signed-1408452671
!
!
crypto pki certificate chain TP-self-signed-1408452671
 certificate self-signed 01
  <clipped>
  quit
username <myuser> privilege 15 secret 5 <mypassword>
!
!
! 
!
!
!
!
interface GigabitEthernet0/0
 description WAN_OUTSIDE
 ip address 222.22.121.34 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description LAN_INSIDE
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 7 interface GigabitEthernet0/0 overload
!
access-list 7 permit 192.168.10.0 0.0.0.255
access-list 23 permit 192.168.10.203
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 222.22.121.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host 222.22.121.34 echo-reply
access-list 101 permit icmp any host 222.22.121.34 time-exceeded
access-list 101 permit icmp any host 222.22.121.34 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner exec ^C
-----------------------------------------------------------------------
 
My Banner
 
-----------------------------------------------------------------------
^C
banner login ^C
My Exec Banner
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Question by:vulcanman
7 Comments
 
LVL 10

Expert Comment

by:atlas_shuddered
ID: 24835171
The first thing that I would ask is:

access-list 101 permit icmp any host 222.22.121.34 echo-reply
access-list 101 permit icmp any host 222.22.121.34 time-exceeded
access-list 101 permit icmp any host 222.22.121.34 unreachable

Is it necessary for this host to be reachable from the outside? Does it serve a purpose?

Second:

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any

These lines are implied in the statement - deny ip any any log.  If there is no absolute reason to have these in place, why not consider removing them?

Third:

Consider securing the router itself from attack.  All the security in the world doesn't do any good if your bridgehead is not secure:

http://www.infosecwriters.com/text_resources/pdf/8steps_secure_cisco.pdf

Try this and go from there.
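A device-hardening baseline that follows up on the third point above (securing the router itself). This is an added example written against the posted configuration; it is not atlas_shuddered's text and not from the linked PDF. It targets three things visible in the config as posted: no service password-encryption, telnet still accepted on the vty lines, and the plaintext ip http server left on next to the HTTPS one. The syslog/NTP host 192.168.10.50 and the 2048-bit key size are assumptions; the management host 192.168.10.203 comes from ACL 23 in the original config.

```cisco
! Added hardening example, not part of the original post or the linked PDF.
! Assumed: syslog/NTP host 192.168.10.50 (placeholder), ip domain name already
! set (required before generating the RSA key), SDM keeps working over HTTPS.
!
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip bootp server
no ip finger
no cdp run
!
! Management plane: SSHv2 only, no plaintext HTTP, throttle login guessing
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
no ip http server
ip http secure-server
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Send logs off-box; the 51200-byte buffer in the original is lost on reload
logging trap informational
logging host 192.168.10.50
ntp server 192.168.10.50
!
! WAN interface: no redirects, no proxy ARP, no CDP towards the provider
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
line con 0
 exec-timeout 10 0
line aux 0
 no exec
 transport input none
line vty 0 15
 exec-timeout 10 0
 transport input ssh
```

The existing access-class 23 on the vty lines (management only from 192.168.10.203) and login local stay as they are; the change above only removes telnet as a transport. After switching to transport input ssh, confirm an SSH session from 192.168.10.203 works before closing the telnet session you configured it from.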
 
LVL 1

Expert Comment

by:wsenter
ID: 24841492
Will you be defining VLANs and assigning ip access-groups to them?
 

Author Comment

by:vulcanman
ID: 24852554
All users are on one network.
Do you think I should still view it as one large VLAN ... so that if down the road they want to segregate ... it will be easier to add a second VLAN?

 
LVL 1

Accepted Solution

by:
wsenter earned 125 total points
ID: 24856231
So you are using VLAN 1 only (default). Personally, I would do the VLAN planning up front and implement. This is easier and less of a management issue. If you want to route between them, let me know and I can send you some example code.
 

Author Comment

by:vulcanman
ID: 24858643
Just an FYI. My switches (two of them) are configured as follows:

- No VLAN 1
- Only a fraction of ports are enabled (based on # users + servers)
- Enabled Ports on VLAN 200
- Two switches daisy chained by GBIC. Ports in trunk mode.
- GBIC cable from one switch over to Router (port is on VLAN 200)

So I am using VLAN 200.

wsenter - your point is if I wanted to segregate users I could have (say) ... a VLAN 300 ... and use the ROAS method to go between the VLANs? Since I do not have a need for it now - would adding that now to the router config impact performance unnecessarily?

 
LVL 1

Expert Comment

by:wsenter
ID: 24859242
There is always a bit of overhead involved when you turn on any new feature such as VTP but it is very minimal.  You will not notice a difference, especially on a LAN.
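A router-on-a-stick layout for the two VLANs discussed in this thread (VLAN 200 in use today, VLAN 300 as the possible future segment), added here as an example; it is not the example code wsenter offered and not part of the original post. Assumptions: VLAN 300 uses 192.168.20.0/24, the switch uplink to the router becomes an 802.1Q trunk with VLAN 200 as the native VLAN so the untagged traffic that currently reaches the router keeps working, the switch uplink port number is a placeholder, and the original ACL 100 and NAT list 7 are extended rather than replaced.

```cisco
! Router side (added example, not from the thread). The physical interface
! carries no IP; each VLAN gets a subinterface with the same inside settings
! the original GigabitEthernet0/1 had.
interface GigabitEthernet0/1
 description LAN_INSIDE_TRUNK
 no ip address
!
interface GigabitEthernet0/1.200
 description USERS_VLAN200
 encapsulation dot1Q 200 native
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.300
 description FUTURE_VLAN300
 encapsulation dot1Q 300
 ip address 192.168.20.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
! NAT list 7 must cover the new subnet, or VLAN 300 hosts get no translation
access-list 7 permit 192.168.20.0 0.0.0.255
!
! ACL 101 on the WAN side already denies 192.168.0.0/16 as a source, so the
! new subnet is covered by the existing anti-spoofing entry without changes.
!
! Switch side: the uplink to the router (port number is a placeholder)
interface GigabitEthernet0/1
 description UPLINK_TO_ROUTER
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport trunk allowed vlan 200,300
 switchport mode trunk
 switchport nonegotiate
```

Two points for when VLAN 300 is actually turned up: ACL 100 ends in permit ip any any, so routing between the subinterfaces is unrestricted until each subinterface gets its own ACL, and the native-VLAN choice above is only there to avoid retagging the existing VLAN 200 port; once the trunk is in place, moving the native VLAN to an unused ID (and tagging VLAN 200 explicitly) is the usual cleanup. The switchport trunk encapsulation line is only accepted on switches that also support ISL; on access-layer models that are 802.1Q-only it is omitted.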
