
how to secure cisco 837 adsl router

OptiMisTic asked:
Hi, I have a Cisco 837 ADSL router which I am using for internet access from 2 ISPs. Below is its configuration. I have removed the Auto Secure firewall entries from both its Dialer1 & Ethernet2 interfaces due to the following problems.

1. I was using it as a DNS server (to avoid giving ISP DNS servers to each computer) with the "ip dns server" command, and when I did auto secure, it stopped working.

2. I want to use DDNS with HTTP updates and I have a DynDNS service for this, but after auto secure it stopped updating the IP address at dyndns.com.

3. I also want to configure equal load sharing for both WAN links and want to use IP SLA / route tracking for this.

Please tell me detailed configuration commands for above tasks.

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 837-K9
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$SyLG$z9DGnes/A4xYdqL.dEGpO/
!
no aaa new-model
!
!
!
!
ip cef
ip name-server 10.255.240.51
ip name-server 8.8.8.8
ip name-server 208.67.222.222
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
!
!
!
archive
 log config
  logging enable
!
!
!
!
!
!
interface Ethernet0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 100 out
!
interface Ethernet2
 description PTCL-NET
 ip address 10.189.76.253 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 hold-queue 100 out
!
interface ATM0
 description ADSL
 mtu 1452
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/103
  pppoe-client dial-pool-number 1 dial-on-demand
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 description PTCL-DSL
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 900 either
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp pap sent-username tobishima password 0 ptcl
 ppp ipcp dns request accept
 ppp ipcp mask request
 ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.189.76.254 10
ip route 0.0.0.0 0.0.0.0 Dialer1 20
ip route 192.168.1.64 255.255.255.192 192.168.1.35
ip route 192.168.1.128 255.255.255.192 192.168.1.35
ip route 192.168.1.192 255.255.255.192 192.168.1.35
!
ip http server
no ip http secure-server
ip dns server
!
ip nat inside source route-map PTCL-DSL interface Dialer1 overload
ip nat inside source route-map PTCL-NET interface Ethernet2 overload
!
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny   ip any any
 permit tcp any any eq telnet
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
!
route-map PTCL-NET permit 10
 match ip address 110
 match interface Ethernet2
!
route-map PTCL-DSL permit 10
 match ip address 110
 match interface Dialer1
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password ciscocisco
 login
!
scheduler max-task-time 5000
end


Best Regards
Alik
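As an added example that is not part of this thread: a small, hypothetical Python audit of the posted configuration for the settings a hardening review would flag. The input is an excerpt of the config above; the rules and their wording are my own, not Cisco's.

```python
# Excerpt of the running-config posted in the question, used as sample input.
SAMPLE_CONFIG = """\
no service password-encryption
interface Ethernet2
 ip nat outside
interface Dialer1
 ip nat outside
 ppp pap sent-username tobishima password 0 ptcl
ip http server
ip dns server
line vty 0 4
 password ciscocisco
 login
"""


def parse_blocks(config):
    """Split IOS config text into (header, [indented child lines]) pairs;
    a top-level command is simply a block with no children."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return the set of weak-setting findings for an IOS config (hypothetical rules)."""
    blocks = parse_blocks(config)
    top = {header for header, _ in blocks}
    findings = set()
    if "no service password-encryption" in top:
        findings.add("password encryption disabled")
    if "ip http server" in top:
        findings.add("plaintext HTTP management enabled")
    for header, kids in blocks:
        # 'password 0 ...' is a type-0 secret, stored in clear text.
        if any("password 0 " in line for line in [header] + kids):
            findings.add(f"clear-text password under '{header}'")
        if header.startswith("line vty"):
            if any(k.startswith("password ") for k in kids):
                findings.add("vty uses a shared line password")
            if not any(k.startswith("transport input ssh") for k in kids):
                findings.add("vty not restricted to SSH")
        # With 'ip dns server' on, the router answers DNS on every interface;
        # an outside interface without an inbound ACL exposes it to the WAN.
        if "ip dns server" in top and "ip nat outside" in kids:
            if not any(k.startswith("ip access-group") for k in kids):
                findings.add(f"{header}: DNS service reachable from WAN")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports seven findings for the excerpt; feeding it the full `show running-config` output gives the same checks over every interface and line block.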

Istvan Kalmar, Head of IT Security Division (Top Expert 2010)

Commented:
Hi,

I advise using OpenDNS for all clients:

https://store.opendns.com/setup/operatingsystem/windows-xp

Author

Commented:
They are often down, and I have many computers in the LAN and every one is password protected. Not an easy job to assign manual DNS on each PC.
Istvan Kalmar, Head of IT Security Division (Top Expert 2010)

Commented:
As I know, your router does not support IP SLA.

Author

Commented:
Hmmm, and what about load sharing? It's currently doing failover only.
Commented:
To achieve some level of load balancing you can assign the static routes with the same administrative distance.

change:

ip route 0.0.0.0 0.0.0.0 10.189.76.254 10
ip route 0.0.0.0 0.0.0.0 Dialer1 20

to

ip route 0.0.0.0 0.0.0.0 10.189.76.254 10
ip route 0.0.0.0 0.0.0.0 Dialer1 10

You could of course drop the admin distance on both and accept the default admin distance. That should do the trick.

Author

Commented:
In this case, when one route is not working (not only when the interface is down), will all the traffic go to the other link?

Commented:
If the next hop is not resolvable via L2 (exit interface is down), the traffic should flow only across the interface that is up...

This is in fact the premise of the floating static route. When the base route is removed as the interface goes down, the static route with a lower admin "floats" to the top and is inserted into the routing table.

In this case they are both already in the routing table. When the next hop interface fails, the static associated with that interface drops out, leaving only the other route.