Solved

Help with Router Configuration for a single router network

Posted on 2009-07-12
Last Modified: 2012-05-07
I am building a small network for a 60-user business in town. They have two Cisco switches connecting to a Cisco 3845 router with Advanced IP Services IOS. The intention is to use the built-in IPS feature.

Essentially, here is the way it's going to be wired:

Switch 1 >> Trunk >> Switch 2 >> Router >> WAN

I have SDM installed on one of the PCs connected to one of the two switches.

The router has firewall and IPS enabled. The customer is very particular about this network being good at intrusion prevention.

Below is my config (fake IPs etc.). What else can I do to improve this configuration?
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!DR
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 !@#%@$#%@#$!@!@#!$!@#
!
no aaa new-model
ip cef
!
ip domain name yourdomain.com
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
voice-card 0
 no dspfarm
!
crypto pki trustpoint TP-self-signed-1408452671
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1408452671
 revocation-check none
 rsakeypair TP-self-signed-1408452671
!
crypto pki certificate chain TP-self-signed-1408452671
 certificate self-signed 01
  <clipped>
  quit
username <myuser> privilege 15 secret 5 <mypassword>
!
interface GigabitEthernet0/0
 description WAN_OUTSIDE
 ip address 222.22.121.34 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description LAN_INSIDE
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 7 interface GigabitEthernet0/0 overload
!
access-list 7 permit 192.168.10.0 0.0.0.255
access-list 23 permit 192.168.10.203
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 222.22.121.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host 222.22.121.34 echo-reply
access-list 101 permit icmp any host 222.22.121.34 time-exceeded
access-list 101 permit icmp any host 222.22.121.34 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
!
control-plane
!
banner exec ^C
-----------------------------------------------------------------------

My Banner

-----------------------------------------------------------------------
^C
banner login ^C
My Exec Banner
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Question by:vulcanman

7 Comments
Expert Comment by:atlas_shuddered
The first thing that I would ask is:

access-list 101 permit icmp any host 222.22.121.34 echo-reply
access-list 101 permit icmp any host 222.22.121.34 time-exceeded
access-list 101 permit icmp any host 222.22.121.34 unreachable

Is it necessary for this host to be reachable from the outside? Does it serve a purpose?

Second:

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any

These lines are implied in the statement "deny ip any any log". If there is no absolute reason to have these in place, why not consider removing them?

Third:

Consider securing the router itself from attack. All the security in the world doesn't do any good if your bridgehead is not secure:

http://www.infosecwriters.com/text_resources/pdf/8steps_secure_cisco.pdf

Try this and go from there.
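Following the third point above (secure the router itself), here is a management-plane hardening fragment for the same 3845, added here as an example; it is not from the original post, from atlas_shuddered, or from SDM output. It assumes the IOS 12.4 config posted in the question and keeps the existing ACL 23 as the list of management hosts; the syslog address 192.168.10.50 and NTP address 192.168.10.51 are placeholders, not addresses from the thread. Compared with the posted config it allows SSH only on the VTY lines, disables plain HTTP, shuts the AUX line, throttles failed logins, encrypts any remaining cleartext passwords, sends IPS alerts to syslog and not only to SDEE, and raises the logging level: the posted `logging buffered 51200 warnings` keeps severity 0 to 4 only, while the hits on `access-list 101 deny ip any any log` are logged at severity 6 (%SEC-6-IPACCESSLOGP), so with the posted config they never reach the buffer.

```cisco
! Added hardening fragment for MyRouter (IOS 12.4); merge into the posted config.
! Assumptions: ACL 23 already lists the management hosts; 192.168.10.50 (syslog)
! and 192.168.10.51 (NTP) are placeholder addresses, not from the original post.
!
! --- passwords, AAA and login throttling ---
service password-encryption
security passwords min-length 8
aaa new-model
aaa authentication login default local
aaa authorization exec default local
login block-for 120 attempts 3 within 60
login quiet-mode access-class 23
login on-failure log
login on-success log
!
! --- logging: ACL "log" hits are %SEC-6-* (informational), so the buffer must
!     keep severity 6, not only warnings (4) as in the posted config ---
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
logging buffered 51200 informational
logging trap informational
logging host 192.168.10.50
logging source-interface GigabitEthernet0/1
ip ips notify log
!
! --- time source so IPS and ACL log entries can be correlated ---
clock timezone UTC 0
ntp server 192.168.10.51
!
! --- management access: SSHv2 and HTTPS only, from ACL 23 hosts ---
! (generate the key first, from privileged EXEC: crypto key generate rsa modulus 2048)
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
no ip http server
ip http secure-server
ip http access-class 23
ip http authentication local
!
! --- services the edge router does not need ---
no service pad
no ip source-route
no ip bootp server
no cdp run
service tcp-keepalives-in
service tcp-keepalives-out
!
! --- WAN interface: nothing the router volunteers to the outside ---
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip mask-reply
 no cdp enable
!
! --- console, AUX and VTY lines ---
line con 0
 exec-timeout 10 0
 logging synchronous
line aux 0
 no exec
 exec-timeout 0 1
 transport input none
line vty 0 15
 access-class 23 in
 exec-timeout 10 0
 privilege level 15
 transport input ssh
```

Once `aaa new-model` is on, the `login local` statements on the lines are superseded by the default method list and can be removed. Check the result with `show ip ssh` (version 2, key present), `show login` (block-for settings active) and `show logging` (buffer level informational).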
 
Expert Comment by:wsenter
Will you be defining VLANs and assigning ip access-groups to them?
Author Comment by:vulcanman
All users are on one network.
Do you think I should still view it as one large VLAN, so that if down the road they want to segregate, it will be easier to add a second VLAN?
Accepted Solution by:wsenter
So you are using VLAN 1 only (default). Personally, I would do the VLAN planning up front and implement. This is easier and less of a management issue. If you want to route between them, let me know and I can send you some example code.
Author Comment by:vulcanman
Just an FYI. My switches (two of them) are configured as follows:

- No VLAN 1
- Only a fraction of ports are enabled (based on # of users + servers)
- Enabled ports on VLAN 200
- Two switches daisy-chained by GBIC. Ports in trunk mode.
- GBIC cable from one switch over to the router (port is on VLAN 200)

So I am using VLAN 200.

wsenter - your point is, if I wanted to segregate users I could have (say) a VLAN 300 and use the ROAS method to go between the VLANs? Since I do not have a need for it now, would adding that now to the router config impact performance unnecessarily?

Expert Comment by:wsenter
There is always a bit of overhead involved when you turn on any new feature such as VTP, but it is very minimal. You will not notice a difference, especially on a LAN.
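The router-on-a-stick layout vulcanman asks about, as an added example that is not from the original thread or from wsenter: the router's Gi0/1 becomes an 802.1Q trunk with one subinterface per VLAN, so the users stay in VLAN 200 on 192.168.10.0/24 exactly as today, and a hypothetical VLAN 300 (192.168.30.0/24, a placeholder subnet labelled here as servers) is added beside it. The switch port facing the router, which vulcanman describes as an access port in VLAN 200, must become a trunk. Assumptions: the switch uplink to the router is GigabitEthernet0/1 on a Catalyst that accepts `switchport trunk encapsulation dot1q` (platforms without ISL support, such as the 2960, reject that line; omit it there), and the ACL 100 / NAT / virtual-reassembly statements already on Gi0/1 move down to the subinterfaces.

```cisco
! ===== Switch 2 (the one cabled to the router); added example =====
vlan 300
 name SERVERS
!
interface GigabitEthernet0/1
 description UPLINK_TO_ROUTER_Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 200,300
 switchport nonegotiate
!
! ===== Router MyRouter: Gi0/1 becomes a trunk, IP settings move to subinterfaces =====
interface GigabitEthernet0/1
 description LAN_INSIDE_TRUNK
 no ip access-group 100 in
 no ip nat inside
 no ip address
!
interface GigabitEthernet0/1.200
 description USERS_VLAN200
 encapsulation dot1Q 200
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.300
 description SERVERS_VLAN300
 encapsulation dot1Q 300
 ip address 192.168.30.1 255.255.255.0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
!
! The PAT rule already references list 7; the second inside network must be added to it.
access-list 7 permit 192.168.30.0 0.0.0.255
!
! Policy for packets entering from VLAN 300: servers may answer TCP sessions the
! users opened, may reach the Internet, but may not open sessions into the user VLAN.
! Only the server subnet may source packets here, which also blocks spoofing.
access-list 130 remark VLAN300 inbound policy (added example)
access-list 130 permit tcp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 established
! Uncomment-style line below only if a DNS server lives in VLAN 300 and must answer users:
access-list 130 permit udp 192.168.30.0 0.0.0.255 eq domain 192.168.10.0 0.0.0.255
access-list 130 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 log
access-list 130 permit ip 192.168.30.0 0.0.0.255 any
access-list 130 deny   ip any any log
```

`established` is a stateless check on the TCP ACK/RST bits, not session tracking; if a stateful inter-VLAN policy is wanted, the same `ip inspect` used on the WAN side can be applied on a subinterface instead. Verify with `show interfaces trunk` on the switch and `show ip interface brief` plus `show access-lists 130` on the router after a test session in each direction.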
