  • Newbie. Help setting up my routing/NAT/DHCP

    Hello one and all,

    My name is Chris and I am new to this forum, which by the way, looks outstanding. Nice to meet you all!

    I apologize for my first post being so long, but I figured I'd get everything out in the open instead of posting a million different threads. I recently completed the CCNA Intro and Interconnecting courses and am studying for the 640-801 exam. In addition to that, I bought two 2924 switches and a 2611 router to play with at my house. The switches are up and running, but the router is not as of yet. The reason for that is because I currently have a linux server that is also routing for me via NAT. It is also my DHCP server. I can kill that off myself no problem, but not until the 2611 works right.

    On that note, I have some questions about setting up my house, ie replacing my linux server/router with the 2611. Basically, what follows is what I think I'll need to do on my 2611. Could you please read it over and reply with any necessary changes? Basically see if I'm wrong somewhere? I'd really like your input before I start because if I do something wrong, I don't have a lot of time to diagnose problems, and if routing and what-not doesn't work, I won't have internet access easily, either. So I really want to be as sure as possible about what I'm going to do before I do it. LOL!

    1. My 2611 has two interfaces: e0/0 and e0/1. My first question is really, really stupid because I think I know the answer. Being that these are ethernet, and not fast ethernet (well, to the best of my knowledge anyway), does this mean they're only 10Mb, not 100Mb? And assuming they are only 10Mb interfaces, should I assume that if I VLAN my house (and therefore route between those VLAN's), that my entire network would then slow down to 10Mb?

    2. Configure routing

    Router(config)# router rip
    Router(config-router)# network 192.168.5.0

    Missing anything?


    3. Now, since I have Comcast and they send out DHCP addresses, I obviously need to set e0 to receive a DHCP address. I've found documents on the web and from what I can determine, it boils down to me doing:

    int e0/0
    ip address dhcp

    Anything else I need to do on this interface for DHCP reception purposes?


    4. Setting up int e0/1 to hand out addresses internally.

    Router(config)# ip dhcp pool bartlett
    Router(dhcp-config)# network 192.168.5.0/24
    Router(dhcp-config)#domain-name bartlett-family.net - Do I really need this?
    Router(dhcp-config)#dns-server 192.168.5.1 - Do I really need this?
    Router(dhcp-config)#default-router 192.168.5.73 - This is the IP address of e0/1 on this very router.
    Router(dhcp-config)#lease 7
    Router(config)# ip dhcp excluded-address 192.168.5.73 - Router's e0/1 interface
    Router(config)# ip dhcp excluded-address 192.168.5.3
    Router(config)# ip dhcp excluded-address 192.168.5.7
    Router(config)# ip dhcp excluded-address 192.168.5.27
    Router(config)# ip dhcp excluded-address 192.168.5.33
    Router(config)# ip dhcp excluded-address 192.168.5.1

    Does that all look right for setting up basic DHCP? Am I missing anything?


    5. Configure NAT.

    Router(config)# access-list 77 permit 192.168.5.0 0.0.0.255
    Router(config)# int e0/0
    Router(config-if)# ip access-group 77 out
    Router(config)# access-list 77 deny any
    Router(config)# access-list 77 permit 192.168.5.0 0.0.0.255
    Router(config)# ip nat inside source list 77 int e0/0 overload
    Router(config)# int e0/0
    Router(config-if)# ip nat outside
    Router(config)# int e0/1
    Router(config-if)# ip nat inside

    Router(config)# ip route 0.0.0.0 0.0.0.0 e0/0

    Missing anything?


    Ok, whew! I think that's it! So what do the experts think? I have never actually done any of this before and would very much like to get it right. I don't want anyone doing this for me (I'm not a leech like that), but rather if someone could help me verify what I am doing, that would be wonderful.

    I greatly appreciate any assistance you folks can give me.

    Regards,

    Chris
    Last edited by WorldBuilder; 8th November 2006, 18:00.

  • #2
    Re: Newbie. Help setting up my routing/NAT/DHCP

    Hi Chris!

    1. My 2611 has two interfaces: e0/0 and e0/1. My first question is really, really stupid because I think I know the answer. Being that these are ethernet, and not fast ethernet (well, to the best of my knowledge anyway), does this mean they're only 10Mb, not 100Mb? And assuming they are only 10Mb interfaces, should I assume that if I VLAN my house (and therefore route between those VLAN's), that my entire network would then slow down to 10Mb?

    A:
    Yes, they are only 10Mb. (Actually a bit slower in the real world.)

    "my entire network would then slow down to 10Mb?"
    Not necessarily. Any packets that need to be routed would be at 10Mb or less. But: any packets (frames, actually) that just need to be sent to and from machines on the same logical network would be sent/received at the speed of the slowest network port the machines use to talk to each other.



    2. Configure routing

    Router(config)# router rip
    Router(config-router)# network 192.168.5.0

    Missing anything?

    Actually...RIP is a routing protocol used to let routers tell each other about networks they know about. As you only have one router, you don't need RIP. You just need to assign addresses to the interfaces on your router; these will then appear as connected networks within the router's routing table.
    Try this:

    -Console to the router (have you sussed this bit out yet?)
    -enable
    -configure terminal
    -interface ethernet0 (or 0/0, possibly)
    -ip address 10.10.10.1 255.255.255.0
    -no shut
    -interface ethernet1 (or 0/1, possibly)
    -ip address 10.10.20.1 255.255.255.0
    -no shut

    Power up your 2 switches. Connect one switch to one port (e0), one to the other (e1). Set up a PC on each side with an appropriate IP, mask and gateway (ie, IP 10.10.10.10, mask 255.255.255.0, gateway 10.10.10.1 on your e0 side) and cable it to the switch. You *should* now be able to 'ping' from one PC to another!!!!


    3. Now, since I have Comcast and they send out DHCP addresses, I obviously need to set e0 to receive a DHCP address. I've found documents on the web and from what I can determine, it boils down to me doing:

    int e0/0
    ip address dhcp

    Probably...you might also have to issue a 'no shut' command while in the interface subconfiguration command mode:

    -enable
    -configure terminal
    -interface ethernet0 (or 0/0, possibly)
    -ip address dhcp
    -no shut

    When the interface 'lights up' (literally), issue this command:
    -show ip interface brief

    Is there an IP assigned to e0???


    More later!

    regards,

    theterranaut



    • #3
      Re: Newbie. Help setting up my routing/NAT/DHCP

      theterranaut,

      Thanks for the reply! Hold on for a sec, though with the rest. I think I might have figured all this out and will post more soon. Don't waste your precious time just yet!

      Thanks!

      Chris



      • #4
        Re: Newbie. Help setting up my routing/NAT/DHCP

        theterranaut,

        Thanks for checking in, I greatly appreciate it. I've been getting some assistance in another forum. From that conversation, I've been able to "improve" on what I plan on doing. Check this out if you don't mind, and let me know what you think. Also, I am lost on ACL's at this point, so anything you could contribute would be greatly appreciated.

        Here goes...

        IP Scheme = 192.168.5.0
        Subnet Mask = 255.255.255.0
        Domain Name = bartlett-family.net

        1. Various admin stuff.

        Passwords are set, including encryption.

        Router(config)# service timestamps debug datetime msec localtime show-timezone - What does this do?
        Router(config)# service timestamps log datetime msec localtime show-timezone - What does this do?
        Router(config)# clock timezone EST -5 - I think this is obvious, eh?
        Router(config)# clock summer-time EST recurring last Sat Mar 2:00 last Sat Oct 2:00 - I think this is obvious, eh?
        Router(config)# ntp clock-period 17208286 - What does this do?
        Router(config)# ntp server 192.5.41.41 source e0/0 prefer - Doesn't seem like it could be right with a 192.x.x.x address. Should I use Router(config)# ntp server ntp2.usno.navy.mil source e0/0 prefer instead?
        Router(config)#banner motd #
        ************************************ *
        *This is MY router, not yours. Go away! If you *
        *decide to stick around anyway, I'm warning you *
        *now that I am logging this stuff and will *
        *know what you do. I will use that knowledge *
        *to hunt you down and gouge your eyeballs out. *
        * *
        * Thanks for the visit *
        * But it's time to go! *
        **************************************


        2. Configure routing


        Router(config)# ip route 0.0.0.0 0.0.0.0 e0/0
        Router(config)# no ip source-route - What does this do?


        Missing anything?


        3. Configure e0/0 to get DHCP from ISP.

        Router(config)# int e0/0
        Router(config-if)# ip address dhcp

        Anything else I need to do on this interface for DHCP reception purposes?


        4. Setting up int e0/1 to hand out addresses internally.

        Router(config)# ip domain name bartlett-family.net
        Router(config)# ip name-server 192.168.5.1
        Router(config)# ip dhcp pool bartlett - "bartlett" will be the name of the pool
        Router(dhcp-config)# network 192.168.5.0/24
        Router(dhcp-config)#domain-name bartlett-family.net
        Router(dhcp-config)#dns-server 192.168.5.1 - This is the IP address of my current linux server on which I run DNS (named). Will I have to do anything to this box to let DNS queries out through the 2611 or will the above default routing be good?
        Router(dhcp-config)#default-router 192.168.5.73
        Router(dhcp-config)#lease 7
        Router(config)# ip dhcp excluded-address 192.168.5.73 - Router's e0/1 interface (default gateway)
        Router(config)# ip dhcp excluded-address 192.168.5.3
        Router(config)# ip dhcp excluded-address 192.168.5.7
        Router(config)# ip dhcp excluded-address 192.168.5.27
        Router(config)# ip dhcp excluded-address 192.168.5.33
        Router(config)# ip dhcp excluded-address 192.168.5.1
        Router(config)# no ip bootp server

        Am I missing anything?


        5. Configure NAT/ACL's - I am struggling with this.

        ... I had a whole mess of commands written up, but I got lost. Between my other conversation and my documentation, I'm quite confused. So I won't bother. On my linux server (192.168.5.1), I run web service (port 80, http) and mail (port 25, smtp). Would you possibly be so kind as to write up ACL's that would allow my LAN traffic out, and allow very little in (except for web and mail)? I also don't mind pings (ICMP, right?) coming in because that allows me to test my home connection from anywhere.



        Chris



        • #5
          Re: Newbie. Help setting up my routing/NAT/DHCP

          No worries Chris, you've obviously been very busy! Apologies, I did mean to have a go earlier, but you had a lot of questions...
          --------------------------------------------------------------------------------

          IP Scheme = 192.168.5.0
          Subnet Mask = 255.255.255.0
          Domain Name = bartlett-family.net
          [tt]Looks okay. A 'private' RFC1918 set of addresses on the inside. Google for that. Good going!
          --------------------------------------------------------------------------------
          1. Various admin stuff.
          Passwords are set, including encryption.
          [tt]Excellent. Make them as strong as poss!

          Router(config)# service timestamps debug datetime msec localtime show-timezone - What does this do?

          [tt]This controls a 'service' (basically a daemon) that the router uses. You can set some incredibly detailed real-time logging on the router called 'debug' that can give you a wealth of information when you want to see exactly what's going on and when. This command controls the 'timestamping' of these debug logs. So, when you run a debug, you'll get each entry timed and dated.

          Router(config)# service timestamps log datetime msec localtime show-timezone - What does this do?

          [tt]As for the above, but this time, for plain logging functions.

          Router(config)# clock timezone EST -5 - I think this is obvious, eh?

          [tt]Absolutely. We know where you live!

          Router(config)# clock summer-time EST recurring last Sat Mar 2:00 last Sat Oct 2:00 - I think this is obvious, eh?

          [tt]Indeed!


          Router(config)# ntp clock-period 17208286 - What does this do?


          [tt]You can set a fair range of network devices to get their time from external, generally reliable sources, instead of using their own internal clock. I *believe* that after it's set, the router uses its internal crystal-based timer to continue the timing. Basically, you don't need to mess with this! The number controls the number of oscillations, IIRC.

          Router(config)# ntp server 192.5.41.41 source e0/0 prefer - Doesn't seem like it could be right with a 192.x.x.x address.

          Should I use Router(config)# ntp server ntp2.usno.navy.mil source e0/0 prefer instead?

          [tt]Not quite Chris, bone up on public/private IP address ranges- I'll find a resource somewhere and post the link.
          I think what you mean is that you think this is a 'private' RFC1918 address, yes? Actually, for the addresses you are
          thinking about, these start at 192.168.0.0 and run through to 192.168.255.255.
          (Here's a link here: http://www.duxcw.com/faq/network/privip.htm)
          192.5.41.41 is a perfectly valid, 'routable', public address.



          Router(config)#banner motd #
          ************************************ *
          *This is MY router, not yours. Go away! If you *
          *decide to stick around anyway, I'm warning you *
          *now that I am logging this stuff and will *
          *know what you do. I will use that knowledge *
          *to hunt you down and gouge your eyeballs out. *
          * *
          * Thanks for the visit *
          * But it's time to go! *
          **************************************


          [tt]If this was just a test lab, Chris, I'd say fair enough. But- for any kind of production system (which this may be eventually?) you should really put something a bit more serious! Why? Well, if you ever need to prosecute (and who knows? it might happen) there's usually a requirement, depending on where you are in the world, that you've actually warned an intruder that the system is private, and that, if they proceed, they will be prosecuted. Just imagine how it would read in court.

          2. Configure routing


          Router(config)# ip route 0.0.0.0 0.0.0.0 e0/0
          Router(config)# no ip source-route - What does this do?


          [tt]There's a way that other routers can tell your router what specific paths their packets should take. (I forgot the actual details at present, will research.) This is generally regarded as being a bad idea these days- there's a risk from a security standpoint that a rogue router could misuse this feature maliciously. This command turns this off, and is generally considered to be A Good Thing.


          Missing anything?

          [tt]Looks okay. Your 'default' route (ip route 0.0.0.0 0.0.0.0 e0/0) says: "if I don't know specifically where this packet should go, just send it out e0" (this is connected to your internet service, yes?)
          An alternative to this is to set the 'next hop' address instead of e0.


          3. Configure e0/0 to get DHCP from ISP.

          Router(config)# int e0/0
          Router(config-if)# ip address dhcp

          Anything else I need to do on this interface for DHCP reception purposes?

          [tt]I think this should be okay. It really depends on your provider. Maybe another poster in your part of the world using the same provider could help here?


          4. Setting up int e0/1 to hand out addresses internally.

          Router(config)# ip domain name bartlett-family.net
          Router(config)# ip name-server 192.168.5.1
          Router(config)# ip dhcp pool bartlett - "bartlett" will be the name of the pool
          Router(dhcp-config)# network 192.168.5.0/24
          Router(dhcp-config)#domain-name bartlett-family.net
          Router(dhcp-config)#dns-server 192.168.5.1 - This is the IP address of my current linux server on which I run DNS (named).

          Will I have to do anything to this box to let DNS queries out through the 2611 or will the above default routing be good?

          [tt]This should be okay. It will really depend on how/if you've got NAT set up.


          Router(dhcp-config)#default-router 192.168.5.73


          [tt]I'm not sure...if you could draw a quick sketch of your network layout I can give you a definitive, but this looks okay.


          Router(dhcp-config)#lease 7
          Router(config)# ip dhcp excluded-address 192.168.5.73 - Router's e0/1 interface (default gateway)
          Router(config)# ip dhcp excluded-address 192.168.5.3
          Router(config)# ip dhcp excluded-address 192.168.5.7
          Router(config)# ip dhcp excluded-address 192.168.5.27
          Router(config)# ip dhcp excluded-address 192.168.5.33
          Router(config)# ip dhcp excluded-address 192.168.5.1
          Router(config)# no ip bootp server

          Am I missing anything?

          5. Configure NAT/ACL's - I am struggling with this.

          ... I had a whole mess of commands written up, but I got lost. Between my other conversation and my documentation, I'm quite
          confused. So I won't bother. On my linux server (192.168.5.1), I run web service (port 80, http) and mail (port 25, smtp).
          Would you possibly be so kind as to write up ACL's that would allow my LAN traffic out, and allow very little in (except for
          web and mail)? I also don't mind pings (ICMP, right?) coming in because that allows me to test my home connection from
          anywhere.


          [tt]Cheeky monkey!
          This is a wee bit trickier- try this:

          Step 1: General NAT
          First, you want to set up a general NAT rule to allow everything on your internal LAN out, and as we don't know what/if you've any static IP addressing on the 'outside' interface of your router, we'll just have to use the interface's own address and use PAT (port address translation) to allow you enough connections to get everyone on the inside outside when necessary. So, no pool of addresses will be created on the outside to allow connections outbound (google PAT if none of that made any sense.)

          #access-list 120 permit ip any any log
          [tt]Set up an access-list that defines the following:
          Allow ANY IP traffic FROM any TO any

          #ip nat inside source list 120 interface e0 overload
          [tt]nat from the 'inside' (we'll define that in a moment) using anything caught by access-list 120 (defined above- your internal LAN) using the address provided on interface e0- and 'overload' this address- use tcp ports instead of IP addresses to give us enough connections:

          Step 2: Define what, from a NAT standpoint, is 'inside' and what's 'outside' (which determines what way round the translations occur, effectively)

          #interface e0
          #ip nat outside
          #interface e1
          #ip nat inside

          Step 3: Specific/Static NAT: 'forwarding' ports in to IP addresses.
          The following is just an example, which 'forwards' tcp port 80 from the 'outside' (interface e0) to an IP
          address on the inside. Here's your homework- work out the rest!

          #ip nat inside source static tcp 192.168.5.1 80 interface e0 80

          Have fun-

          theterranaut

          BTW- anyone else want to contribute to this to help Chris out?
          Last edited by theterranaut; 10th November 2006, 22:57.

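As an added illustration of the three NAT steps in the post above (not theterranaut's or Cisco's code, and not IOS configuration), the following Python model shows what the 'overload' rule and the static port forward actually do to packets. It assumes 203.0.113.7 as a placeholder for whatever address the ISP hands e0, 198.51.100.x as constructed remote hosts, and approximates "arrived on the inside interface" by "source address is in the LAN prefix"; the port numbers it picks are its own, not the ones IOS would choose.

```python
"""Model of the NAT behaviour described above: PAT ('overload') for LAN hosts
going out through the single address on e0, plus a static translation that
forwards TCP port 80 (and 25) in to 192.168.5.1.  Constructed example, not IOS
code; 203.0.113.7 stands in for the address the ISP assigns e0."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    def __init__(self, outside_addr: str, inside_net: str,
                 static_tcp: Optional[Dict[int, Tuple[str, int]]] = None):
        self.outside = outside_addr
        self.inside_net = ipaddress.ip_network(inside_net)
        # 'ip nat inside source static tcp <in_ip> <in_port> interface e0 <out_port>'
        # outside port -> (inside ip, inside port)
        self.static: Dict[int, Tuple[str, int]] = dict(static_tcp or {})
        # dynamic (PAT) table built from outbound traffic, same shape as static
        self.dynamic: Dict[int, Tuple[str, int]] = {}
        self.by_inside: Dict[Tuple[str, int], int] = {}
        self.next_port = 1024   # assumption: first PAT port to hand out (IOS picks its own)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside.  ACL 120 is 'permit ip any any', so every packet
        arriving on the inside interface is translated; 'arrived on the inside
        interface' is approximated here by 'source is in the LAN prefix'.
        Simplification: the table is keyed on the inside socket only, where
        IOS keys on the full connection tuple."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return None
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.by_inside:          # new session: allocate an outside port
            while self.next_port in self.static or self.next_port in self.dynamic:
                self.next_port += 1             # never reuse a statically forwarded port
            self.by_inside[key] = self.next_port
            self.dynamic[self.next_port] = key
            self.next_port += 1
        # 'overload': the source port, not a pool of addresses, tells sessions apart
        return Packet(self.outside, self.by_inside[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside.  Only a static entry or an existing dynamic entry can
        map the packet to an inside host; anything else has no translation and is
        dropped, which is why unsolicited traffic does not reach the LAN."""
        if pkt.dst_ip != self.outside:
            return None
        target = self.static.get(pkt.dst_port) or self.dynamic.get(pkt.dst_port)
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])


def demo() -> dict:
    """Two LAN hosts using the same source port, a reply, a web hit, a probe."""
    r = PatRouter("203.0.113.7", "192.168.5.0/24",
                  static_tcp={80: ("192.168.5.1", 80), 25: ("192.168.5.1", 25)})
    a = r.outbound(Packet("192.168.5.10", 40000, "198.51.100.5", 443))
    b = r.outbound(Packet("192.168.5.20", 40000, "198.51.100.5", 443))
    return {
        "host_a_translated": a,
        "host_b_translated": b,
        "reply_to_b": r.inbound(Packet("198.51.100.5", 443, "203.0.113.7", b.src_port)),
        "web_request": r.inbound(Packet("198.51.100.77", 51000, "203.0.113.7", 80)),
        "ssh_probe": r.inbound(Packet("198.51.100.77", 51001, "203.0.113.7", 22)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both LAN hosts share one outside address and are told apart only by the translated source port; the web request reaches 192.168.5.1 through the static entry, while the probe to port 22 has no entry and is discarded.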


          • #6
            Re: Newbie. Help setting up my routing/NAT/DHCP

            I'll play around with the ACL's. Thanks!

            Oh, and I realized that the 192.x.x.x address for the NTP server is classless... LOL!

            Also, I will change the banner MOTD, that was intended as humorous while I scratch my head in frustration at all this!

            Thanks, my friend. I'll post back with more questions, I'm sure!

            Chris



            • #7
              Re: Newbie. Help setting up my routing/NAT/DHCP

              Hey, no worries. Glad to help.

              Watch that statement, btw: "classless". Not meaning to be pedantic (ok, maybe I am) but I always find that if you get your semantics correct when you're talking about this stuff then others catch on faster. Apologies if that sounds a bit lecturing, Chris.

              tt



              • #8
                Re: Newbie. Help setting up my routing/NAT/DHCP

                Originally posted by theterranaut:
                Hey, no worries. Glad to help.

                Watch that statement, btw: "classless". Not meaning to be pedantic (ok, maybe I am) but I always find that if you get your semantics correct when you're talking about this stuff then others catch on faster. Apologies if that sounds a bit lecturing, Chris.

                tt
                Doesn't sound that way at all, but what, semantically, would that address be?

                Chris



                • #9
                  Re: Newbie. Help setting up my routing/NAT/DHCP

                  Hi Chris (WormBuilder),
                  Thanks for your post!
                  Did you get your questions answered?
                  It's good to have you in the forum,

                  David Davis
                  Forum Moderator
                  David Davis - Petri Forums Moderator & Video Training Author
                  Train Signal - The Global Leader in IT Video Training
                  TrainSignalTraining.com - Free IT Training Products
                  Personal Websites: HappyRouter.com & VMwareVideos.com



                  • #10
                    Re: Newbie. Help setting up my routing/NAT/DHCP

                    Hello again Chris,

                    There's a whole bunch of stuff out there, and it's homework time! (again)

                    'Private' IP addressing:

                    http://en.wikipedia.org/wiki/Private_network

                    All you ever wanted to know about IP addressing (famous one, this)

                    http://www.3com.com/other/pdfs/infra..._US/501302.pdf

                    From this, the distinction between 'classful', 'classless', 'public' and 'private' addressing will (hopefully) be clear.

                    have fun-

                    theterranaut



                    • #11
                      Re: Newbie. Help setting up my routing/NAT/DHCP

                      Originally posted by daviddavis:
                      Hi Chris (WormBuilder),
                      Thanks for your post!
                      Did you get your questions answered?
                      It's good to have you in the forum,

                      David Davis
                      Forum Moderator
                      Well, sort of. TT has been quite helpful, but I do have a lot of questions about getting my own personal setup running before I continue on my CCNA path.

                      Thank you all.

                      Chris



                      • #12
                        Re: Newbie. Help setting up my routing/NAT/DHCP

                        Hello again,

                        Ok, I've been reading and reading and reading until I feel like my eyeballs are about to fall out. The good news is that my eyeballs are still, in fact inside my head. The bad news is I only have a vague idea of what I want to do. I consoled into my router (it's not ON the network yet) and did the following:

                        1. I created ACL 101. From what I barely understand, it seems as though the following will allow traffic inside my LAN (192.168.5.0) out through e0/0 (the interface that connects to the ISP), but will deny any other traffic. Am I right? Am I close? Am I wrong?

                        Hercules(config)#access-list 101 deny ip 0.0.0.0 255.255.255.255 any
                        Hercules(config)#access-list 101 permit ip 192.168.5.0 0.0.0.255 any
                        Hercules(config)#int e0/0
                        Hercules(config-if)#ip access-group 101 out



                        2. I then created ACL 102 based on some extra help. This one I'm definitely fuzzy on. What are all these individual denies doing? Am I using the right interface? And what's the point of denying private addresses? I mean, private addressed machines aren't routed through the internet so these address would never see my router, right?! I must be missing something...

                        Hercules(config)#access-list 102 deny ip 10.0.0.0 0.255.255.255 any
                        Hercules(config)#access-list 102 deny ip 127.0.0.0 0.255.255.255 any
                        Hercules(config)#access-list 102 deny ip 172.16.0.0 0.15.255.255 any
                        Hercules(config)#access-list 102 deny ip 192.168.0.0 0.0.255.255 any
                        Hercules(config)#access-list 102 deny ip 224.0.0.0 31.255.255.255 any
                        Hercules(config)#access-list 102 permit ip any any
                        Hercules(config)#int e0/1
                        Hercules(config-if)#ip access-group 102 in


                        3. I also tried, for fun only, to turn on DHCP on e0/0. I tried several variations of "ip address dhcp" on int e0/0 and nothing worked. The port is up, but NOT plugged in. Does that matter? Because if it doesn't, I can't seem to set up DHCP and that's a major concern.

                        4. Reminders: People connect to my mail server from outside the LAN. And I have a web server. So to make sure they work through the 2611, I did:

                        Hercules(config)#ip nat inside source static tcp 192.168.5.1 80 int e0/0 80
                        Hercules(config)#ip nat inside source static tcp 192.168.5.1 25 int e0/0 25

                        Look OK?


                        On a side note, here's the IOS info:

                        Hercules#show ver
                        Cisco Internetwork Operating System Software
                        IOS (tm) C2600 Software (C2600-I-M), Version 12.1(27b), RELEASE SOFTWARE (fc1)
                        Copyright (c) 1986-2005 by cisco Systems, Inc.
                        Compiled Tue 16-Aug-05 17:55 by pwade
                        Image text-base: 0x80008088, data-base: 0x80833630

                        ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

                        My continued thanks!

                        Chris
                        Last edited by WorldBuilder; 11th November 2006, 14:47.



                        • #13
                          Re: Newbie. Help setting up my routing/NAT/DHCP

                          Hi Chris,

                          Okay, let me see if I can help with your config...

                          #1
                          Since your internal addresses (the 192.168.5.0 network) are being NAT'ted, when they go out your e0/0 interface, they won't be using that IP address anymore, they will have already been NAT'ted to your public IP addresses. Anyhow, I don't think you need to spend your time to control your outbound traffic anyway. I say this because I suspect your internal network is pretty secure. So, I would just do away with the config listed in point #1.

                          #2
                          The point of denying the private IP address range from your ISP to your network is to prevent spoofed IP addresses from being accepted at your router. To answer your question, yes, you are right that your ISP shouldn't be using these IP addresses, nor should it send you this traffic, in theory. Still, this is a standard security practice at businesses, although I am sure that 99% of home users aren't doing this, so if you don't do it, I don't think that it is that big of a deal.
                          Now, at the end of this ACL 102, you say "permit ip any any". This isn't good. You are essentially opening up your entire network here to anyone who wants to get in.
                          I would recommend just doing away with this ACL and looking into Cisco IOS Firewall (called CBAC). Here is a link:
                          http://www.cisco.com/univercd/cc/td/...2/iosfw2_2.htm
                          In other words, you only want traffic to come into your router if it was originally requested by YOU, not unsolicited traffic (with the exception of your mail and web server).

                          #3
                          As for point #3, to enable a router port to get its IP address from a DHCP server, you type ip address dhcp. Before it will do that, it must be connected to a switch and it must come up before making a DHCP request.

                          #4
                          Umm, I don't know, I would have to try on a real router and I can't right now because I am at the airport.

                          Do you have SDM on your router? It can help you config the firewall feature set. CBAC (the firewall feature) was released in 12.0 so I believe you should have it. I would recommend upgrading your router if you have the access to the IOS just to get the latest and greatest. If you don't have access to the IOS, don't worry about it because it isn't that big of deal. You should be able to do everything you want to do with the IOS you have.

                          Let's keep up the dialog and we will help you get the right config.

                          Thanks for your post!

                          -David

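To make the points in #12 and #13 concrete, here is an added Python model (not IOS code, and not David's or Chris's configuration) of how a numbered extended access-list is evaluated: top to bottom, first match wins, with the implicit deny at the end and Cisco wildcard masks rather than netmasks. It replays ACL 101 and ACL 102 from post #12 against constructed packets, then a constructed inbound list (numbered 110 here, my choice) for e0/0 that keeps the anti-spoofing denies but only admits the web, mail and echo-request traffic the thread mentions. 203.0.113.7 is a placeholder for the public address on e0/0 and 198.51.100.x / 10.x / 172.20.x are constructed sources; the 172.16.0.0/12 and 224.0.0.0/3 entries are written with their full wildcards (0.15.255.255 and 31.255.255.255).

```python
"""First-match evaluation of Cisco-style extended ACLs with wildcard masks.
Constructed example: models how IOS applies an access-list, it is not IOS code.
203.0.113.7 is a placeholder for the address the ISP hands e0/0."""
import ipaddress
from dataclasses import dataclass

PUBLIC_ADDR = "203.0.113.7"   # assumed outside address (placeholder)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"   # "tcp", "udp" or "icmp"
    dport: int = 0       # destination port for tcp/udp
    icmp: str = ""       # ICMP type keyword, e.g. "echo" for a ping request


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard bits: 0 = must match, 1 = don't care (inverse of a netmask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT | ICMPTYPE]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")

    def addr_spec(i):                       # any | host H | BASE WILDCARD
        if tok[i] == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1
        if tok[i] == "host":
            return (tok[i + 1], "0.0.0.0"), i + 2
        return (tok[i], tok[i + 1]), i + 2

    src, i = addr_spec(4)
    dst, i = addr_spec(i)
    port = icmp_type = None
    if i < len(tok) and tok[i] == "eq":
        port = int(tok[i + 1])
    elif i < len(tok) and tok[3] == "icmp":
        icmp_type = tok[i]
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst,
            "port": port, "icmp": icmp_type, "text": line}


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, matching line); the hidden 'deny ip any any' ends every list."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != pkt.dport:
            continue
        if ace["icmp"] is not None and ace["icmp"] != pkt.icmp:
            continue
        return ace["action"], ace["text"]
    return "deny", "(implicit deny at end of list)"


# ACL 101 as posted ('out' on e0/0): the deny-everything line comes first,
# so the LAN permit on the second line can never be reached.
ACL_101 = [
    "access-list 101 deny ip 0.0.0.0 255.255.255.255 any",
    "access-list 101 permit ip 192.168.5.0 0.0.0.255 any",
]

# ACL 102, the anti-spoofing list, ending in the 'permit ip any any' that #13 objects to.
ACL_102 = [
    "access-list 102 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 102 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 102 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 102 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 102 deny ip 224.0.0.0 31.255.255.255 any",
    "access-list 102 permit ip any any",
]

# Constructed tighter list for 'in' on e0/0: same denies, then only the published
# services and ping requests; everything else falls through to the implicit deny.
ACL_110 = [l.replace("access-list 102", "access-list 110") for l in ACL_102[:-1]] + [
    f"access-list 110 permit tcp any host {PUBLIC_ADDR} eq 80",
    f"access-list 110 permit tcp any host {PUBLIC_ADDR} eq 25",
    f"access-list 110 permit icmp any host {PUBLIC_ADDR} echo",
]


def demo() -> dict:
    lan_to_web = Packet("192.168.5.10", "198.51.100.5", "tcp", 80)
    internet = "198.51.100.77"
    return {
        "acl101_lan_outbound": evaluate(ACL_101, lan_to_web)[0],               # deny: ordering
        "acl102_spoofed_10": evaluate(ACL_102, Packet("10.1.2.3", PUBLIC_ADDR))[0],
        "acl102_internet_ssh": evaluate(ACL_102, Packet(internet, PUBLIC_ADDR, "tcp", 22))[0],
        "acl102_in_on_e0_1": evaluate(ACL_102, lan_to_web)[0],                 # LAN sources are 192.168.x
        "acl110_web": evaluate(ACL_110, Packet(internet, PUBLIC_ADDR, "tcp", 80))[0],
        "acl110_ssh": evaluate(ACL_110, Packet(internet, PUBLIC_ADDR, "tcp", 22))[0],
        "acl110_ping": evaluate(ACL_110, Packet(internet, PUBLIC_ADDR, "icmp", 0, "echo"))[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Three things the model makes visible: ACL 101 denies the LAN's own traffic because its deny-all is matched before the permit; ACL 102 applied inbound on e0/1 sees packets whose sources are 192.168.5.x, which its 192.168.0.0 line denies, so the list belongs on the outside interface; and ACL 110 admits only the services the thread names. ACL 110 has no line for reply traffic to sessions started from the LAN; that is the job of the stateful inspection (CBAC) David points to, not of a static list.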


                          • #14
                            Re: Newbie. Help setting up my routing/NAT/DHCP

                            Originally posted by daviddavis:
                            Hi Chris,

                            Okay, let me see if I can help with your config...

                            #1
                            Since your internal addresses (the 192.168.5.0 network) are being NAT'ted, when they go out your e0/0 interface, they won't be using that IP address anymore, they will have already been NAT'ted to your public IP addresses. Anyhow, I don't think you need to spend your time to control your outbound traffic anyway. I say this because I suspect your internal network is pretty secure. So, I would just do away with the config listed in point #1.
                            I can understand your point, but if it doesn't hurt, I might as well leave it.

                            Originally posted by daviddavis
                            #2
                            The point of denying the private IP address range from your ISP to your network is to prevent spoofed IP addresses from being accepted at your router. To answer your question, yes, you are right that your ISP shouldn't be using these IP addresses nor should it send you this traffic, in theory, but still this is a standard security practice at businesses, although I am sure that 99% of home users aren't doing this, so if you don't do it, I don't think that it is that big of a deal.
                            Now, at the end of this ACL 102, you say "permit ip any any". This isn't good. You are essentially opening up your entire network here to anyone who wants to get in.
                            I would recommend just doing away with this ACL and looking into Cisco IOS Firewall (called CBAC). Here is a link:
                            http://www.cisco.com/univercd/cc/td/...2/iosfw2_2.htm
                            In other words, you only want traffic to come into your router if it was originally requested by YOU, not unsolicited traffic (with the exception of your mail and web server).
                            I will remove the permit ip any any for sure then. But everything else seems ok? I bought the router from eBay, and as far as IOS knowledge goes, I know very little regarding version, etc. I know I don't have the firewall version, and to the best of my knowledge I cannot ever upgrade this IOS legally unless I pay for it (which I simply can't do because of cashflow problems, LOL). It was hard enough talking the wife into letting me just get this! But does the rest of this ACL look good to you? Did I bind both my ACLs to the correct interfaces?

                            Originally posted by daviddavis
                            #3
                            As for point #3, to enable a router port to get its IP address from a DHCP server, you type ip address dhcp. Before it will do that, it must be connected to a switch and it must come up before making a DHCP request.
                            Ok, so the reason it's not working for me IS because it's not actually connected then, not because my IOS doesn't support it... Right? That makes me feel better.

                            Originally posted by daviddavis
                            #4
                            Umm, I don't know, I would have to try on a real router and I can't right now because I am at the airport.
                            I'm pretty sure this is right because a guy from Cisco's own forums pointed it out to me. We'll see.

                            Originally posted by daviddavis
                            Do you have SDM on your router? It can help you config the firewall feature set. CBAC (the firewall feature) was released in 12.0 so I believe you should have it. I would recommend upgrading your router if you have the access to the IOS just to get the latest and greatest. If you don't have access to the IOS, don't worry about it because it isn't that big of a deal. You should be able to do everything you want to do with the IOS you have.
                            See above about upgrading. And what is SDM?

                            Originally posted by daviddavis
                            Let's keep up the dialog and we will help you get the right config.
                            Right on, I'm thrilled to be getting this kind of quality help!

                            Chris

                            PS. BTW, check my username again. I don't build "Worms". LOL!
                            Last edited by WorldBuilder; 11th November 2006, 22:15.
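Pulling David's points #2 and #3 together into one configuration, as an added example that is not posted by either participant: the ISP-facing e0/0 takes its address by DHCP, ACL 102 on that interface drops spoofed private sources, admits unsolicited traffic only to the two published services, lets return traffic for sessions started inside come back, and ends in an explicit deny instead of "permit ip any any". The 192.168.5.0 network, ACL number 102 and the interface names come from the thread; the inside hosts 192.168.5.10 (mail) and 192.168.5.11 (web), the resolver 203.0.113.53 and the inspection name HOMEFW are constructed for the example.

```cisco
! Added example (not from the thread). Constructed values: 192.168.5.10 (mail),
! 192.168.5.11 (web), 203.0.113.53 (ISP resolver), inspection name HOMEFW.
!
! --- Outside interface: address from the ISP by DHCP, NAT outside, inbound filter
interface Ethernet0/0
 ip address dhcp
 ip nat outside
 ip access-group 102 in
!
! --- Inside interface
interface Ethernet0/1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
!
! --- NAT: overload the whole 192.168.5.0/24 behind the outside interface,
!     plus static port forwards for the two published services. Because the
!     public address is not fixed, the forwards reference the interface.
access-list 1 permit 192.168.5.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.5.10 25 interface Ethernet0/0 25
ip nat inside source static tcp 192.168.5.11 80 interface Ethernet0/0 80
!
! --- ACL 102: what the Internet is allowed to send us
! 1. Anti-spoofing: private and loopback sources never legitimately arrive
!    from the ISP; log them so spoofing attempts are visible.
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any log
! 2. Unsolicited traffic only to the published services. The inbound ACL is
!    evaluated before NAT, so it sees the public destination address, which
!    DHCP makes unknown in advance; match on the destination port only.
access-list 102 permit tcp any any eq 25
access-list 102 permit tcp any any eq 80
! 3. Replies to sessions started from inside: TCP with ACK/RST set, the ICMP
!    types needed for ping and path-MTU discovery, and UDP DNS answers from
!    the ISP resolver ("established" cannot cover UDP).
access-list 102 permit tcp any any established
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 permit udp host 203.0.113.53 eq domain any gt 1023
! 4. DHCP offers/acks from the ISP, since e0/0 gets its address that way.
access-list 102 permit udp any eq bootps any eq bootpc
! 5. Everything else is dropped and logged. No "permit ip any any".
access-list 102 deny   ip any any log
!
! --- If the image includes CBAC (David's point about 12.0 and later), inspect
!     sessions leaving e0/0 so their replies are admitted dynamically; lines 3
!     above then become unnecessary and can be removed.
ip inspect name HOMEFW tcp
ip inspect name HOMEFW udp
interface Ethernet0/0
 ip inspect HOMEFW out
```

The static forwards are what keep the mail and web server reachable once the catch-all permit is gone; nothing else arriving unsolicited reaches the inside. Watching the counters with `show access-lists 102` shows which line is matching when something stops working, and `show ip inspect sessions` lists the temporary openings CBAC has created if that feature is present.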

                            • #15
                              Re: Newbie. Help setting up my routing/NAT/DHCP

                              Hi Chris,

                              Good to see that David is on the case! Just a thought: why not post your latest config here and we'll take a look and see how it's progressing? In between our
                              suggestions, other forum members' suggestions and your own work it's kinda hard
                              to track what's been done/what needs to be done.
                              If you do, of course, please edit out any passwords (even if the IOS automatically encrypts them) and any external IP addresses (if applicable.)

                              HTH-

                              theterranaut
