OptiMisTic


how to secure cisco 837 adsl router

Hi, I have a Cisco 837 ADSL router which I am using for internet access from 2 ISPs. Below is its configuration. I have removed the Auto Secure firewall entries from both its Dialer1 and Ethernet2 interfaces due to the following problems.

1. I was using it as a DNS server (to avoid giving the ISP DNS servers to each computer) with the "ip dns server" command, and when I did auto secure it stopped working.

2. I want to use DDNS with HTTP updates and I have a DynDNS service for this, but after auto secure it stopped updating the IP address at dyndns.com.

3. I also want to configure equal load sharing for both WAN links and want to use IP SLA / route tracking for this.

Please tell me the detailed configuration commands for the above tasks.

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 837-K9
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$SyLG$z9DGnes/A4xYdqL.dEGpO/
!
no aaa new-model
!
!
!
!
ip cef
ip name-server 10.255.240.51
ip name-server 8.8.8.8
ip name-server 208.67.222.222
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
!
!
!
archive
 log config
  logging enable
!
!
!
!
!
!
interface Ethernet0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 100 out
!
interface Ethernet2
 description PTCL-NET
 ip address 10.189.76.253 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 hold-queue 100 out
!
interface ATM0
 description ADSL
 mtu 1452
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/103
  pppoe-client dial-pool-number 1 dial-on-demand
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 description PTCL-DSL
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 900 either
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp pap sent-username tobishima password 0 ptcl
 ppp ipcp dns request accept
 ppp ipcp mask request
 ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.189.76.254 10
ip route 0.0.0.0 0.0.0.0 Dialer1 20
ip route 192.168.1.64 255.255.255.192 192.168.1.35
ip route 192.168.1.128 255.255.255.192 192.168.1.35
ip route 192.168.1.192 255.255.255.192 192.168.1.35
!
ip http server
no ip http secure-server
ip dns server
!
ip nat inside source route-map PTCL-DSL interface Dialer1 overload
ip nat inside source route-map PTCL-NET interface Ethernet2 overload
!
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny   ip any any
 permit tcp any any eq telnet
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
!
route-map PTCL-NET permit 10
 match ip address 110
 match interface Ethernet2
!
route-map PTCL-DSL permit 10
 match ip address 110
 match interface Dialer1
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password ciscocisco
 login
!
scheduler max-task-time 5000
end


Best Regards
Alik
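Added example configuration (not from the question or any reply in this thread) for points 1 and 2 of the question, plus the management-plane weaknesses visible in the posted config (plaintext vty and PPP passwords, telnet, plain HTTP). In classic CBAC (ip inspect), sessions the router itself originates, such as the DNS forwarder's queries to the upstream name servers and the DDNS HTTP update, are not opened back through the inbound autosec_firewall_acl unless the inspect rule carries the router-traffic keyword, which is the usual reason both stop working after AutoSecure. Everything in angle brackets except DynDNS's own <h> and <a> tokens is a placeholder, as are example.net and myhost.dyndns.org; it assumes a 12.4 image that supports router-traffic inspection and ip ddns. Because re-entering a named ACL appends after the existing "deny ip any any", the ACL is removed and rebuilt.

```cisco
! Added example, not the poster's config. Placeholders: <admin-secret>,
! <ddns-user>, <ddns-pass>, example.net, myhost.dyndns.org.
! <h> and <a> inside the DynDNS URL are IOS tokens (hostname, address), not placeholders.
!
! --- management plane: no plaintext secrets, SSH only, LAN only ---
service password-encryption
username admin privilege 15 secret <admin-secret>
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
 no password
 login local
 transport input ssh
 access-class 10 in
no ip http server
ip http secure-server
ip http access-class 10
!
! --- firewall: also track sessions the router itself starts, so the
! --- DNS replies and the DDNS HTTP response get back in through the ACL
ip inspect name autosec_inspect udp router-traffic timeout 15
ip inspect name autosec_inspect tcp router-traffic timeout 3600
! rebuild the ACL; appending would land the new permits after "deny ip any any"
no ip access-list extended autosec_firewall_acl
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 permit udp host 10.255.240.51 eq domain any
 permit udp host 8.8.8.8 eq domain any
 permit udp host 208.67.222.222 eq domain any
 deny   ip any any
!
! --- DDNS over HTTP to DynDNS; press Ctrl-V before typing the "?" so IOS
! --- stores it instead of treating it as a help request
ip ddns update method dyndns-http
 HTTP
  add http://<ddns-user>:<ddns-pass>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 1 0 0 0
!
interface Dialer1
 ip access-group autosec_firewall_acl in
 ip inspect autosec_inspect out
 ip ddns update hostname myhost.dyndns.org
 ip ddns update dyndns-http
!
interface Ethernet2
 ip access-group autosec_firewall_acl in
 ip inspect autosec_inspect out
```

After applying, "show ip inspect sessions" should list the router's own UDP/53 and TCP/80 sessions while a lookup or update is in flight, and "debug ip ddns update" shows the HTTP exchange with DynDNS. The explicit permits for the three name servers are a fallback in case the image lacks router-traffic; they are harmless alongside it.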
Istvan Kalmar

Hi,

I advise using OpenDNS for all clients:

https://store.opendns.com/setup/operatingsystem/windows-xp
OptiMisTic (ASKER)

They are often down, and I have many computers on the LAN and every one is password protected. Not an easy job to assign manual DNS on each PC.
As I know, your router does not support IP SLA.
Hmm, and what about load sharing? It is currently doing failover only.
ASKER CERTIFIED SOLUTION
gelgin

In this case, when one route is not working (not only as interface down), will all the traffic go to the other link?
If the next hop is not resolvable via L2 (exit interface is down), the traffic should flow only across the interface that is up...

This is in fact the premise of the floating static route. When the base route is removed as the interface goes down, the static route with a lower admin "floats" to the top and is inserted into the routing table.

In this case they are both already in the routing table. When the next hop interface fails, the static associated with that interface drops out, leaving only the other route.
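The follow-up above only covers the case where the exit interface goes down; a link that stays up but stops passing traffic keeps its default route. As an added example (not part of any reply in this thread), this replaces the floating pair in the posted config (AD 10 and AD 20) with two default routes of equal administrative distance, each conditioned on an IP SLA reachability track. Both routes then sit in the table, so CEF load-shares per destination across the two links and the existing interface-matching NAT route-maps translate each flow to the link it leaves on, while a failed probe withdraws only its own route even if the interface is still up. It assumes an image with the "ip sla" and "track ... ip sla" syntax (older 12.4 images spell these "ip sla monitor" and "track ... rtr"); the probe targets reuse the two public name servers from the posted config purely as well-known reachable hosts.

```cisco
! Added example, not from the thread. Probe targets 8.8.8.8 and 208.67.222.222
! are the name servers already in the posted config, used here only as
! reachable hosts; substitute each ISP's own gateway or DNS if preferred.
!
! pin each probe to its own link; otherwise both would follow the default
! route and test the same ISP (side effect: DNS to these two hosts also
! takes the pinned link)
ip route 8.8.8.8 255.255.255.255 10.189.76.254
ip route 208.67.222.222 255.255.255.255 Dialer1
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface Ethernet2
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 208.67.222.222 source-interface Dialer1
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! replace the floating pair with equal-distance tracked routes: both stay in
! the table (CEF per-destination load sharing) and a failed probe removes
! only its own route, interface state regardless
no ip route 0.0.0.0 0.0.0.0 10.189.76.254 10
no ip route 0.0.0.0 0.0.0.0 Dialer1 20
ip route 0.0.0.0 0.0.0.0 10.189.76.254 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
```

Verify with "show track", "show ip sla statistics" and "show ip route 0.0.0.0", which should list both next hops; pull one ISP's cable or block ICMP upstream and the matching route disappears within a few probe intervals. One caveat specific to the posted config: the probe via Dialer1 matches "dialer-list 1 protocol ip permit", so with "dial-on-demand" the PPPoE session will never idle out. That is what a load-shared link needs anyway, so removing "dial-on-demand" from the PVC and "dialer idle-timeout" from Dialer1 makes the intent explicit.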