vulcanman

Help with Router Configuration for a single router network

I am building a small network for a 60-user business in town. They have two Cisco switches connecting to a Cisco 3845 router with the Advanced IP Services IOS; the intention is to use the built-in IPS feature.

Essentially, here is the way it's going to be wired.

Switch 1 >> Trunk >> Switch 2 >> Router >> WAN

I have SDM installed on one of the PCs connected to one of the two switches.

The Router has firewall and IPS enabled. The customer is very particular about this network being good at intrusion prevention.

Below is my config (fake IPs etc.). What else can I do to improve this configuration?
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!DR
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 !@#%@$#%@#$!@!@#!$!@#
!
no aaa new-model
ip cef
!
!
!
!
ip domain name yourdomain.com
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1408452671
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1408452671
 revocation-check none
 rsakeypair TP-self-signed-1408452671
!
!
crypto pki certificate chain TP-self-signed-1408452671
 certificate self-signed 01
  <clipped>
  quit
username <myuser> privilege 15 secret 5 <mypassword>
!
!
! 
!
!
!
!
interface GigabitEthernet0/0
 description WAN_OUTSIDE
 ip address 222.22.121.34 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description LAN_INSIDE
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 7 interface GigabitEthernet0/0 overload
!
access-list 7 permit 192.168.10.0 0.0.0.255
access-list 23 permit 192.168.10.203
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 222.22.121.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host 222.22.121.34 echo-reply
access-list 101 permit icmp any host 222.22.121.34 time-exceeded
access-list 101 permit icmp any host 222.22.121.34 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner exec ^C
-----------------------------------------------------------------------
 
My Banner
 
-----------------------------------------------------------------------
^C
banner login ^C
My Exec Banner
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
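Added example, not part of the original question and not a Cisco tool: a small Python linter that parses the posted running-config into top-level commands and their indented sub-commands and flags the management-plane items a hardening checklist would catch (cleartext telnet on the vty lines, `no service password-encryption`, `no aaa new-model`, plaintext `ip http server`, no remote syslog, no NTP, no login throttling, an open AUX port, and ICMP redirects/unreachables/proxy-ARP left at their defaults on the outside interface). It runs over a trimmed excerpt of the config above and over a constructed hardened counterpart that passes the same checks. The syslog/NTP host 192.168.10.50 in the hardened version is an assumption, as is using `aaa authentication login default local`; both config strings are constructed for this example.

```python
"""Hardening checks for an IOS running-config, run against the config posted above.
parse_blocks() splits the text into (command, [sub-commands]); audit() returns findings."""

# Excerpt of the posted (weak) config, trimmed to the lines the checks read.
WEAK_CONFIG = """\
no service password-encryption
logging buffered 51200 warnings
no aaa new-model
interface GigabitEthernet0/0
 ip address 222.22.121.34 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip ips sdm_ips_rule in
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
ip http server
ip http secure-server
line aux 0
line vty 0 4
 access-class 23 in
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 login local
 transport input telnet ssh
end
"""

# Constructed hardened counterpart (192.168.10.50 is an assumed syslog/NTP host).
HARDENED_CONFIG = """\
service password-encryption
logging buffered 51200 warnings
logging host 192.168.10.50
aaa new-model
aaa authentication login default local
ip domain name yourdomain.com
ip ssh version 2
ntp server 192.168.10.50
login block-for 120 attempts 3 within 60
interface GigabitEthernet0/0
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
no ip http server
ip http secure-server
line aux 0
 no exec
 transport input none
line vty 0 15
 access-class 23 in
 transport input ssh
end
"""


def parse_blocks(config):
    """Return [(header, [sub-commands])]; IOS indents sub-commands with one space."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' comment lines carry no configuration
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of human-readable findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    top = [h for h, _ in blocks]

    def present(cmd):
        return any(h.startswith(cmd) for h in top)

    findings = []
    # Global commands whose presence is a weakness.
    for bad, why in [
        ("no service password-encryption", "type-0 passwords stay readable in the config"),
        ("no aaa new-model", "no AAA: no central auth or per-user accounting"),
        ("ip http server", "cleartext HTTP management is enabled"),
    ]:
        if bad in top:
            findings.append(f"global: '{bad}' - {why}")
    # Global commands whose absence is a weakness.
    for need, why in [
        ("ip ssh version 2", "SSHv1 may still be negotiated"),
        ("logging host", "ACL/IPS log messages never leave the local buffer"),
        ("ntp server", "log timestamps are not synchronized"),
        ("login block-for", "no throttling of failed logins"),
    ]:
        if not present(need):
            findings.append(f"global: missing '{need}' - {why}")
    # Per-block checks: terminal lines and the outside (NAT) interface.
    for header, subs in blocks:
        if header.startswith("line vty"):
            for s in subs:
                if s.startswith("transport input") and "telnet" in s.split():
                    findings.append(f"{header}: '{s}' allows cleartext telnet")
        if header == "line aux 0" and not {"no exec", "transport input none"} & set(subs):
            findings.append(f"{header}: AUX port is not disabled")
        if header.startswith("interface") and "ip nat outside" in subs:
            for need in ("no ip redirects", "no ip unreachables", "no ip proxy-arp"):
                if need not in subs:
                    findings.append(f"{header}: outside interface lacks '{need}'")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The checks are deliberately literal string matches on the running-config, which is what you get from `show running-config` over SSH; the point is that every finding maps to one IOS command to add or remove, so the output doubles as a change list.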


atlas_shuddered

The first thing that I would ask is:

access-list 101 permit icmp any host 222.22.121.34 echo-reply
access-list 101 permit icmp any host 222.22.121.34 time-exceeded
access-list 101 permit icmp any host 222.22.121.34 unreachable

Is it necessary for this host to be reachable from the outside? Does it serve a purpose?

Second:

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any

These lines are implied by the statement "deny ip any any log". If there is no absolute reason to have these in place, why not consider removing them?

Third:

Consider securing the router itself from attack.  All the security in the world doesn't do any good if your bridgehead is not secure:

http://www.infosecwriters.com/text_resources/pdf/8steps_secure_cisco.pdf

Try this and go from there.
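The second point above concerns how ACL 101 orders its denies. As an added example (Python, not part of the original thread), the following evaluates the posted ACL first-match-wins against a handful of constructed inbound packets, once as written and once with the six explicit private/bogon denies removed, so the reader can see what does and does not change. The packet addresses are constructed (198.51.100.9 and 203.0.113.5 are documentation-range placeholders); the ACL text is the one posted above.

```python
from ipaddress import ip_address

# ACL 101 exactly as posted above, entry order preserved (first match wins).
ACL_101_TEXT = """\
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host 222.22.121.34 echo-reply
access-list 101 permit icmp any host 222.22.121.34 time-exceeded
access-list 101 permit icmp any host 222.22.121.34 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
"""

MASK32 = 0xFFFFFFFF


def parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) -> ((net, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, MASK32), tokens[1:]
    if tokens[0] == "host":
        return (int(ip_address(tokens[1])), 0), tokens[2:]
    return (int(ip_address(tokens[0])), int(ip_address(tokens[1]))), tokens[2:]


def parse_acl(text):
    """Parse extended numbered ACL lines; keeps the 'log' keyword and ICMP type qualifiers."""
    entries = []
    for line in text.splitlines():
        t = line.split()  # access-list N action proto src dst [icmp-type] [log]
        src, rest = parse_addr(t[4:])
        dst, rest = parse_addr(rest)
        entries.append({"action": t[2], "proto": t[3], "src": src, "dst": dst,
                        "qual": [q for q in rest if q != "log"],
                        "log": "log" in rest, "text": " ".join(t)})
    return entries


def addr_match(addr, spec):
    """IOS wildcard semantics: a set wildcard bit means 'don't care'."""
    net, wc = spec
    return (int(ip_address(addr)) & ~wc & MASK32) == (net & ~wc & MASK32)


def evaluate(acl, pkt):
    """First-match evaluation -> (action, logged, matched entry). No match = implicit deny."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not (addr_match(pkt["src"], e["src"]) and addr_match(pkt["dst"], e["dst"])):
            continue
        if e["proto"] == "icmp" and e["qual"] and pkt.get("icmp_type") not in e["qual"]:
            continue
        return e["action"], e["log"], e["text"]
    return "deny", False, "<implicit deny>"


FULL = parse_acl(ACL_101_TEXT)
# Same ACL with the six explicit private/bogon denies removed, as suggested above.
TRIMMED = FULL[:4] + FULL[10:]

# Constructed packets arriving inbound on the WAN interface.
PACKETS = {
    "reply to our ping":  {"proto": "icmp", "src": "198.51.100.9", "dst": "222.22.121.34", "icmp_type": "echo-reply"},
    "inbound ping":       {"proto": "icmp", "src": "198.51.100.9", "dst": "222.22.121.34", "icmp_type": "echo"},
    "spoofed inside src": {"proto": "tcp", "src": "192.168.10.55", "dst": "222.22.121.34"},
    "spoofed 10/8 src":   {"proto": "tcp", "src": "10.1.2.3", "dst": "222.22.121.34"},
    "internet tcp":       {"proto": "tcp", "src": "203.0.113.5", "dst": "222.22.121.34"},
}


def compare(name):
    """Return ((action, logged) under the full ACL, (action, logged) under the trimmed ACL)."""
    return evaluate(FULL, PACKETS[name])[:2], evaluate(TRIMMED, PACKETS[name])[:2]


if __name__ == "__main__":
    for name in PACKETS:
        full, trimmed = compare(name)
        print(f"{name:20s} full={full}  trimmed={trimmed}")
```

Every packet gets the same permit/deny decision under both versions, which is the point made above. The one observable difference is the packet with a 10/8 source: the full ACL drops it at its own entry without logging, while the trimmed ACL drops it at `deny ip any any log` and so generates a log message. Whether that extra logging is wanted (it shows spoofing attempts, and it also consumes the small local log buffer in this config) is the thing to decide before removing the lines. Note also that the static ACL is not the whole inbound picture on this interface: `ip inspect SDM_LOW out` installs dynamic return-traffic entries ahead of it, which is why outbound-initiated sessions are not stopped by the final deny.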
Will you be defining VLANs and assigning ip access-groups to them?
vulcanman (asker)

All users are on one network.
Do you think I should still view it as one large VLAN, so that if down the road they want to segregate, it will be easier to add a second VLAN?

ASKER CERTIFIED SOLUTION
wsenter

Just an FYI. My switches (two of them) are configured as follows:

- No VLAN 1
- Only Fraction of Ports are Enabled (based on # users + Servers)
- Enabled Ports on VLAN 200
- Two switches daisy-chained by GBIC. Ports in trunk mode.
- GBIC cable from one switch over to Router (port is on VLAN 200)

So I am using VLAN 200.

wsenter - your point is that if I wanted to segregate users I could have (say) a VLAN 300 and use the ROAS method to go between the VLANs? Since I do not have a need for it now, would adding that to the router config now impact performance unnecessarily?

There is always a bit of overhead involved when you turn on any new feature such as VTP, but it is very minimal. You will not notice a difference, especially on a LAN.