Help with Cisco 837 config

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Help with Cisco 837 config

chevrolux

4962 posts

Uber Geek
Inactive user

#87665 3-Aug-2011 18:45

Hi everyone,
First time poster so go easy lol. Im a telecom linesman having a go at setting up a flash network in my place. Cabled it out with cat 6. got a gigabit switch and flash wireless switch. at work we have a whole bunch of 837s from old business connections so thought i might as well have a go and getting one going for my house. Problem is I didnt realise how complicted cisco stuff is! So I got a 'standard' configuration online and went and slapped that in to the router and seems to work fine. Just want to get the opinions of people that actually know what they are looking at. I will put the config below as copied when i type 'show startup-config'.
Thanks in advance for your help!

!
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TheBoss
!
logging buffered 4096 debugging
enable secret 5 $1$fT8k$wvw5b4h1xFri5mf8U9it..
!
username admin secret 5 $1$m0we$ppHepaq/ffeN00gYRRkDR1
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
ip subnet-zero
no ip source-route
no ip domain lookup
ip domain name local
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool dhcppool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   update arp
!
no ip bootp server
no ip bootp server
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall sip
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall skinny
ip audit notify log
ip audit po max-events 100
ip audit name intrusion info action alarm
ip audit name intrusion attack action alarm drop reset
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip access-group 102 in
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
dsl power-cutback 0
!
interface ATM0.1 point-to-point
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
bandwidth 640
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
ip nat outside
ip inspect firewall out
ip audit intrusion in
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username <username> password 7 <password>
ppp ipcp dns request
!
ip nat inside source list 1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark The local LAN.
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 deny   icmp any any echo
access-list 101 deny   ip any any log
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.1.1
access-list 102 deny   ip any host 192.168.1.255
access-list 102 deny   udp any any eq tftp log
access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny   udp any any eq 135 log
access-list 102 deny   tcp any any eq 135 log
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny   udp any any eq netbios-ns log
access-list 102 deny   udp any any eq netbios-dgm log
access-list 102 deny   tcp any any eq 445 log
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny   ip any any log
dialer-list 1 protocol ip permit
banner motd ^C

<welcome message>

^C
!
line con 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 2 in
login local
transport input telnet ssh
transport output none
!
scheduler max-task-time 5000
end

1 | 2

4962 posts

Uber Geek
Inactive user

#501589 3-Aug-2011 19:45

Sorry, I dont think I asked what I wanted to find out.
Questions:
Is this config going to make the firewall work as it should?
Will it block anything I dont want it to? ie Bit torrent
Just tell me if I need to add/remove stuff.

Cheers

muppet

2571 posts

Uber Geek

Trusted

#501614 3-Aug-2011 20:25

Ok, bare with me because it's been a while since I've had to deal with Cisco (a small pray to Hamish is relevant here. Thank you, Hamish, for not putting a Cisco on front of me in a long time.)

Ok, that aside, it looks pretty good to me. You're not letting any management happen apart from outside.
You are allowing SSH and Telnet in from outside though, but then dropping it at the VTY level.

access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet

I would also ensure that you're letting in ICMP must-fragment packets, if you don't then you'll get some strange behaviour with some sites because you'll break MTU path discovery.

Otherwise - it looks pretty good to me.

Audiophiles are such twits! They buy such pointless stuff: Gold plated cables, $2000 power cords. Idiots.

OOOHHHH HYPERFIBRE!

chevrolux

4962 posts

Uber Geek
Inactive user

#501625 3-Aug-2011 20:48

Ok. Now next question,
how do i remove those from the access list? When i put the conifg in it did it all at once with copy paste so I really dont have a clue how to edit this.

"I would also ensure that you're letting in ICMP must-fragment packets, if you don't then you'll get some strange behaviour with some sites because you'll break MTU path discovery."

Can you explain this in 'linesman' terms lol. I can do cable pairs but icmp mtu just reads to me as dsvbedbvsk

muppet

2571 posts

Uber Geek

Trusted

#501626 3-Aug-2011 20:50

I know I'm going to be a pain in the arse, but why do you have a Cisco if you don't want to learn it? :)

Seriously, I'll give you the answers if you really want them, but why don't you do a bit of digging and learn? That's the joy of learning IOS (or JunOS, or RouterOS etc) - what you learn/figure out yourself stays with you.

Let me know :)

Audiophiles are such twits! They buy such pointless stuff: Gold plated cables, $2000 power cords. Idiots.

OOOHHHH HYPERFIBRE!

chevrolux

4962 posts

Uber Geek
Inactive user

#501630 3-Aug-2011 20:57

ok fair point. off to father google for me.
Thanks heaps for your help mate and will post up when i figure something out.

chevrolux

4962 posts

Uber Geek
Inactive user

#502153 4-Aug-2011 21:03

right. did a little bit of reading and confused myself some more.

The cisco site says to copy the access list to notepad and then copy back in to the router. Now my config looks like this:

access-list 1 remark The local LAN.
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark The local LAN.
access-list 1 remark The local LAN.
access-list 1 remark The local LAN.
access-list 1 remark The local LAN.
access-list 1 remark The local LAN.
access-list 1 remark The local LAN.
access-list 1 remark The local LAN.
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 2 remark Where management can be done from.
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq telnet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.1.1
access-list 102 deny ip any host 192.168.1.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 remark Traffic allowed to enter the router from the Ethernet

Why did it go all stupid? Shall I just clear the conifg and reload how it was to fix all the duplication?
In regards to stopping telnet and ssh from the outisde i took a stab in the dark and typed in:
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq telnet

And now I have this:

access-list 101 permit tcp any any eq 22 <-----------
access-list 101 permit tcp any any eq telnet <-----------
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny tcp any any eq 22 <------------
access-list 101 deny tcp any any eq telnet <------------

how on earth does it let this happen?!?!

regretting trying to use a cisco router now lol

muppet

2571 posts

Uber Geek

Trusted

#502165 4-Aug-2011 21:21

Hang in there! A few small mistakes happen and it's all part of the learning curve.

You have to do a "no access-list 101" first of all. Then paste in all of access-list 101 again. Same for 1, 2 and 102

access-lists in Cisco are very simple and keep just accepting more commands. So you have to delete them first of all.

Audiophiles are such twits! They buy such pointless stuff: Gold plated cables, $2000 power cords. Idiots.

OOOHHHH HYPERFIBRE!

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

gjm

808 posts

Ultimate Geek

#502168 4-Aug-2011 21:23

if you get stuck try using the sdm to make changes and then see what changes in the config file. This helped me to learn a bit.

Do surveys for Beer money (referral link) - Octopus Group

Link for buying beer (not affiliated, just like beer) - Good George

chevrolux

4962 posts

Uber Geek
Inactive user

#502183 4-Aug-2011 22:10

iv been trying 'clear access-list' and kept telling me to bugger off. no access-list makes sense too lol.

as for using ANY of the cisco software available i cant download them as I dont have a license. Tryed looking for torrents but not a alot out there.

Thanks again for the help!

shadybrothers

236 posts

Master Geek

#502363 5-Aug-2011 11:57

in configuration terminal

no access-list 1
no access-list 2
no access-list 101
no access-list 102

should clear all your ACL and you can re-paste your new ACL.

this is a slap in the face!

chevrolux

4962 posts

Uber Geek
Inactive user

#502404 5-Aug-2011 12:48

have plucked this off ciscopress and i assume this will allow the must fragment messages through:

access-list 101 permit icmp any any packet-too-big

am i correct?

looking through my acl's i found:
deny icmp any any echo

does that need to be there?

bloody interesting reading actually. Never really gave much thought to how stuff gets sent around. All i knew was if i got some blue cable and plugged it in to something it worked lol

muppet

2571 posts

Uber Geek

Trusted

#502436 5-Aug-2011 13:55

See? I told you this stuff was interesting (but meh, I'm a network nerd myself)

Blocking ICMP ping is a personal thing. Personally, I think it's totally pointless. But a lot of "security people" will tell you it's a good idea, for reasons they can never clearly explain to me. So it's up to you, do you want people to be able to ping your router?

access-list 101 permit icmp any any packet-too-big is perfect, yup!

Audiophiles are such twits! They buy such pointless stuff: Gold plated cables, $2000 power cords. Idiots.

OOOHHHH HYPERFIBRE!

LennonNZ

2459 posts

Uber Geek

ID Verified

Trusted

#502460 5-Aug-2011 15:46

muppet: See? I told you this stuff was interesting (but meh, I'm a network nerd myself)

Blocking ICMP ping is a personal thing. Personally, I think it's totally pointless. But a lot of "security people" will tell you it's a good idea, for reasons they can never clearly explain to me. So it's up to you, do you want people to be able to ping your router?

access-list 101 permit icmp any any packet-too-big is perfect, yup!

Blocking all ICMP is bad... bad.. bad.. bad.. Don't do it . If you want to block icmp echo-request.. feel free to.. but all icmp can cause alots of problems.

muppet

2571 posts

Uber Geek

Trusted

#502491 5-Aug-2011 17:03

@LennonNZ: Woo! Thanks for a) Not reading what I posted and then b) repeating it!

Audiophiles are such twits! They buy such pointless stuff: Gold plated cables, $2000 power cords. Idiots.

OOOHHHH HYPERFIBRE!

chevrolux

4962 posts

Uber Geek
Inactive user

#502508 5-Aug-2011 18:18

awesome! Thanks heaps for your help muppet!! I will be back on here in September when this downloading law comes in to action and I need to set up a vpn lol

1 | 2