Geekzone: technology news, blogs, forums


3535 posts

Uber Geek
+1 received by user: 1292

Subscriber

Topic # 87665 3-Aug-2011 18:45

Hi everyone,
First time poster so go easy lol. I'm a telecom linesman having a go at setting up a flash network in my place. Cabled it out with Cat 6, got a gigabit switch and a flash wireless switch. At work we have a whole bunch of 837s from old business connections so I thought I might as well have a go at getting one going for my house. Problem is I didn't realise how complicated Cisco stuff is! So I got a 'standard' configuration online and went and slapped that into the router and it seems to work fine. Just want to get the opinions of people that actually know what they are looking at. I will put the config below as copied when I type 'show startup-config'.
Thanks in advance for your help!

!
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TheBoss
!
logging buffered 4096 debugging
enable secret 5 $1$fT8k$wvw5b4h1xFri5mf8U9it..
!
username admin secret 5 $1$m0we$ppHepaq/ffeN00gYRRkDR1
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
ip subnet-zero
no ip source-route
no ip domain lookup
ip domain name local
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool dhcppool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   update arp
!
no ip bootp server
no ip bootp server
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall sip
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall skinny
ip audit notify log
ip audit po max-events 100
ip audit name intrusion info action alarm
ip audit name intrusion attack action alarm drop reset
!
!
!
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl power-cutback 0
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 bandwidth 640
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect firewall out
 ip audit intrusion in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username <username> password 7 <password>
 ppp ipcp dns request
!
ip nat inside source list 1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark The local LAN.
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 deny   icmp any any echo
access-list 101 deny   ip any any log
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.1.1
access-list 102 deny   ip any host 192.168.1.255
access-list 102 deny   udp any any eq tftp log
access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny   udp any any eq 135 log
access-list 102 deny   tcp any any eq 135 log
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny   udp any any eq netbios-ns log
access-list 102 deny   udp any any eq netbios-dgm log
access-list 102 deny   tcp any any eq 445 log
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny   ip any any log
dialer-list 1 protocol ip permit
banner motd ^C

<welcome message>

^C
!
line con 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 2 in
 login local
 transport input telnet ssh
 transport output none
!
scheduler max-task-time 5000
end



3535 posts

Uber Geek
+1 received by user: 1292

Subscriber

  Reply # 501589 3-Aug-2011 19:45

Sorry, I don't think I asked what I wanted to find out.
Questions:
Is this config going to make the firewall work as it should?
Will it block anything I don't want it to? i.e. BitTorrent
Just tell me if I need to add/remove stuff.

Cheers

1985 posts

Uber Geek
+1 received by user: 746

Trusted

  Reply # 501614 3-Aug-2011 20:25

OK, bear with me because it's been a while since I've had to deal with Cisco (a small prayer to Hamish is relevant here. Thank you, Hamish, for not putting a Cisco in front of me in a long time.)

OK, that aside, it looks pretty good to me. You're not letting any management happen apart from outside.
You are allowing SSH and Telnet in from outside though, but then dropping it at the VTY level.

access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet

I would also ensure that you're letting in ICMP must-fragment packets, if you don't then you'll get some strange behaviour with some sites because you'll break MTU path discovery.

Otherwise - it looks pretty good to me.








3535 posts

Uber Geek
+1 received by user: 1292

Subscriber

  Reply # 501625 3-Aug-2011 20:48

Ok. Now next question,
How do I remove those from the access list? When I put the config in it did it all at once with copy and paste so I really don't have a clue how to edit this.

"I would also ensure that you're letting in ICMP must-fragment packets, if you don't then you'll get some strange behaviour with some sites because you'll break MTU path discovery."

Can you explain this in 'linesman' terms lol. I can do cable pairs but ICMP MTU just reads to me as dsvbedbvsk

1985 posts

Uber Geek
+1 received by user: 746

Trusted

  Reply # 501626 3-Aug-2011 20:50

I know I'm going to be a pain in the arse, but why do you have a Cisco if you don't want to learn it? :)

Seriously, I'll give you the answers if you really want them, but why don't you do a bit of digging and learn? That's the joy of learning IOS (or JunOS, or RouterOS etc) - what you learn/figure out yourself stays with you.

Let me know :)








3535 posts

Uber Geek
+1 received by user: 1292

Subscriber

  Reply # 501630 3-Aug-2011 20:57

OK, fair point. Off to Father Google for me.
Thanks heaps for your help mate and I will post up when I figure something out.



3535 posts

Uber Geek
+1 received by user: 1292

Subscriber

  Reply # 502153 4-Aug-2011 21:03

Right. Did a little bit of reading and confused myself some more.

The cisco site says to copy the access list to notepad and then copy back in to the router. Now my config looks like this:

access-list 1 remark The local LAN.
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark The local LAN.
access-list 1 remark The local LAN.
access-list 1 remark The local LAN.
access-list 1 remark The local LAN.
access-list 1 remark The local LAN.
access-list 1 remark The local LAN.
access-list 1 remark The local LAN.
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq telnet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.1.1
access-list 102 deny ip any host 192.168.1.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 remark Traffic allowed to enter the router from the Ethernet

Why did it go all stupid? Shall I just clear the config and reload how it was to fix all the duplication?
In regards to stopping telnet and SSH from the outside I took a stab in the dark and typed in:
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq telnet

And now I have this:

access-list 101 permit tcp any any eq 22 <-----------
access-list 101 permit tcp any any eq telnet <-----------
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny tcp any any eq 22 <------------
access-list 101 deny tcp any any eq telnet <------------

How on earth does it let this happen?!?!

Regretting trying to use a Cisco router now lol

1985 posts

Uber Geek
+1 received by user: 746

Trusted

  Reply # 502165 4-Aug-2011 21:21

Hang in there! A few small mistakes happen and it's all part of the learning curve.

You have to do a "no access-list 101" first of all. Then paste in all of access-list 101 again. Same for 1, 2 and 102.

Access lists in Cisco are very simple and just keep accepting more commands. So you have to delete them first of all.






gjm

746 posts

Ultimate Geek
+1 received by user: 91


  Reply # 502168 4-Aug-2011 21:23

If you get stuck, try using the SDM to make changes and then see what changes in the config file. This helped me to learn a bit.




[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]



3535 posts

Uber Geek
+1 received by user: 1292

Subscriber

  Reply # 502183 4-Aug-2011 22:10

I've been trying 'clear access-list' and it kept telling me to bugger off. no access-list makes sense too lol.

As for using ANY of the Cisco software available, I can't download it as I don't have a licence. Tried looking for torrents but there's not a lot out there.

Thanks again for the help!

235 posts

Master Geek


  Reply # 502363 5-Aug-2011 11:57

In configuration terminal:

no access-list 1
no access-list 2
no access-list 101
no access-list 102

should clear all your ACLs and you can re-paste your new ACLs.




this is a slap in the face!



3535 posts

Uber Geek
+1 received by user: 1292

Subscriber

  Reply # 502404 5-Aug-2011 12:48

Have plucked this off Cisco Press and I assume this will allow the must-fragment messages through:

access-list 101 permit icmp any any packet-too-big

Am I correct?

Looking through my ACLs I found:
deny icmp any any echo

Does that need to be there?

Bloody interesting reading actually. Never really gave much thought to how stuff gets sent around. All I knew was if I got some blue cable and plugged it into something it worked lol

1985 posts

Uber Geek
+1 received by user: 746

Trusted

  Reply # 502436 5-Aug-2011 13:55

See? I told you this stuff was interesting (but meh, I'm a network nerd myself)

Blocking ICMP ping is a personal thing. Personally, I think it's totally pointless. But a lot of "security people" will tell you it's a good idea, for reasons they can never clearly explain to me. So it's up to you, do you want people to be able to ping your router?

access-list 101 permit icmp any any packet-too-big is perfect, yup!
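A worked example added here by the editor, not code from the thread and not Cisco software: a small Python model of how IOS handles numbered access lists. It loads a trimmed copy of access-list 101 from the posts above, appends the `deny tcp any any eq 22` line the way the router did, and shows that the earlier `permit` still wins because entries are matched top to bottom and `access-list` lines only ever append. It then clears the list with `no access-list 101` and re-enters it without the SSH/telnet permits and with `permit icmp any any packet-too-big` ahead of the denies, so the message path MTU discovery relies on gets through while pings are still dropped. The addresses 203.0.113.9 and 198.51.100.1 are constructed documentation addresses, and `decide`, `configure`, `evaluate` and `parse_ace` are the example's own names.

```python
"""Added example (not Cisco code, not from the thread): a first-match evaluator
for Cisco IOS extended numbered access lists. Typed `access-list N ...` lines are
appended, so a `deny` entered after a `permit` that already matches the traffic
never fires; the list has to be cleared with `no access-list N` and re-pasted.
203.0.113.9 and 198.51.100.1 are constructed documentation addresses.
"""
import ipaddress
from dataclasses import dataclass

ANY = (0, 0xFFFFFFFF)                               # address 0 with an all-ones wildcard
PORT_NAMES = {"telnet": 23, "ssh": 22}
ICMP_NAMES = {"echo": (8, None), "packet-too-big": (3, 4)}   # (type, code or None = any)


@dataclass
class Packet:
    proto: str                                      # "tcp", "udp", "icmp" or "gre"
    src: str
    dst: str
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


def _addr(tokens):
    """Consume one IOS address spec (any | host A.B.C.D | A.B.C.D WILDCARD) -> (addr, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_ace(line):
    """Parse one extended `access-list` line into a dict; remarks give None."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] == "remark":
        return None
    number, action, proto, rest = int(tokens[1]), tokens[2], tokens[3], tokens[4:]
    src, dst = _addr(rest), _addr(rest)             # consumed left to right
    dport = next((PORT_NAMES.get(p) or int(p) for q, p in zip(rest, rest[1:]) if q == "eq"), None)
    icmp = next((ICMP_NAMES[q] for q in rest if q in ICMP_NAMES), None)   # "log" changes nothing
    return number, {"action": action, "proto": proto, "src": src, "dst": dst,
                    "dport": dport, "icmp": icmp, "text": line.strip()}


def _covers(spec, ip):
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF                       # bits the wildcard requires to match
    return (int(ipaddress.IPv4Address(ip)) & keep) == (net & keep)


def matches(ace, pkt):
    """IOS match order: protocol, source, destination, then the optional qualifier."""
    proto_ok = ace["proto"] in ("ip", pkt.proto)
    port_ok = ace["dport"] in (None, pkt.dport)
    itype, icode = ace["icmp"] or (pkt.icmp_type, None)
    icmp_ok = pkt.icmp_type == itype and icode in (None, pkt.icmp_code)
    return (proto_ok and port_ok and icmp_ok
            and _covers(ace["src"], pkt.src) and _covers(ace["dst"], pkt.dst))


def configure(lists, line):
    """Apply one config-mode line: `no access-list N` clears, anything else appends."""
    tokens = line.split()
    if tokens[:2] == ["no", "access-list"]:
        lists.pop(int(tokens[2]), None)
    elif (parsed := parse_ace(line)) is not None:
        lists.setdefault(parsed[0], []).append(parsed[1])   # always goes on the end


def evaluate(lists, number, pkt):
    """First matching entry decides; no match means the implicit deny."""
    for ace in lists.get(number, []):
        if matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny at end of list"


# The thread's inbound WAN list, trimmed to the entries that matter, plus the deny typed afterwards.
ACL101_AS_POSTED = [
    "access-list 101 remark Traffic allowed to enter the router from the Internet",
    "access-list 101 deny   ip 192.168.0.0 0.0.255.255 any",
    "access-list 101 permit tcp any any eq 22",
    "access-list 101 permit tcp any any eq telnet",
    "access-list 101 deny   icmp any any echo",
    "access-list 101 deny   ip any any log",
    "access-list 101 deny   tcp any any eq 22",     # appended later: never reached
]
# Cleared and re-pasted without the SSH/telnet permits, with packet-too-big before the denies.
ACL101_REBUILT = [
    "no access-list 101",
    "access-list 101 deny   ip 192.168.0.0 0.0.255.255 any",
    "access-list 101 permit icmp any any packet-too-big",
    "access-list 101 deny   icmp any any echo",
    "access-list 101 deny   ip any any log",
]
SSH_IN = Packet("tcp", "203.0.113.9", "198.51.100.1", dport=22)
PING_IN = Packet("icmp", "203.0.113.9", "198.51.100.1", icmp_type=8, icmp_code=0)
TOO_BIG = Packet("icmp", "203.0.113.9", "198.51.100.1", icmp_type=3, icmp_code=4)


def decide(lines, pkt):
    """Enter the lines in order, as if pasted into config mode, then test one packet."""
    lists = {}
    for line in lines:
        configure(lists, line)
    return evaluate(lists, 101, pkt)
```

Run `decide(ACL101_AS_POSTED, SSH_IN)` and the posted list permits the SSH connection on the `permit tcp any any eq 22` entry, the appended deny never being consulted; `decide(ACL101_AS_POSTED + ACL101_REBUILT, SSH_IN)` hits the final `deny ip any any log` instead, and the rebuilt list permits the ICMP packet-too-big message while still denying echo. On a real 837 the equivalent check is `show access-lists`, which prints a match counter per entry: an entry that never accumulates matches is usually one sitting below something that already covers it.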






2355 posts

Uber Geek
+1 received by user: 374

Trusted

  Reply # 502460 5-Aug-2011 15:46

muppet: See? I told you this stuff was interesting (but meh, I'm a network nerd myself)

Blocking ICMP ping is a personal thing. Personally, I think it's totally pointless. But a lot of "security people" will tell you it's a good idea, for reasons they can never clearly explain to me. So it's up to you, do you want people to be able to ping your router?

access-list 101 permit icmp any any packet-too-big is perfect, yup!


Blocking all ICMP is bad... bad.. bad.. bad.. Don't do it. If you want to block icmp echo-request, feel free to, but blocking all ICMP can cause a lot of problems.

 

1985 posts

Uber Geek
+1 received by user: 746

Trusted

  Reply # 502491 5-Aug-2011 17:03

@LennonNZ: Woo! Thanks for a) Not reading what I posted and then b) repeating it!








3535 posts

Uber Geek
+1 received by user: 1292

Subscriber

  Reply # 502508 5-Aug-2011 18:18

Awesome! Thanks heaps for your help muppet!! I will be back on here in September when this downloading law comes into action and I need to set up a VPN lol
