Cisco 857W router configuration

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Cisco 857W router configuration

    Hi all,

    First of all thanks for the great config. I definitely couldn't do it without this website.

    There are a few glitches / whinges thrown by my boss regarding my config. Anyway, here is my config:

    Code:
    Building configuration...

    Current configuration : 5566 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname TB_BB_Package
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$O/yu$xz2kuWqbIbRtM.FmSx0io.
    !
    no aaa new-model
    !
    resource policy
    !
    !
    !
    ip cef
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    !
    !
    crypto pki trustpoint TP-self-signed-4138217620
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4138217620
    revocation-check none
    rsakeypair TP-self-signed-4138217620
    !
    !
    crypto pki certificate chain TP-self-signed-4138217620
    certificate self-signed 01
    quit
    !
    !
    bridge irb
    !
    !
    interface ATM0
    description $ES_WAN$
    no ip address
    load-interval 30
    no atm ilmi-keepalive
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet0
    spanning-tree portfast
    !
    interface FastEthernet1
    spanning-tree portfast
    !
    interface FastEthernet2
    spanning-tree portfast
    !
    interface FastEthernet3
    spanning-tree portfast
    !
    interface Dot11Radio0
    no ip address
    !
    encryption mode ciphers tkip
    !
    ssid my_comp_name
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 my_pass
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Vlan1
    description Chassis serial number FHK101521CL
    no ip address
    ip virtual-reassembly
    bridge-group 1
    bridge-group 1 spanning-disabled
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect DEFAULT100 out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname myISP
    ppp chap password 0 myISPpassword
    !
    interface BVI1
    description $FW_INSIDE$
    ip address 192.168.1.1 255.255.255.0
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly
    !
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list NAT interface Dialer0 overload
    ip nat inside source static tcp myServer 5900 interface Dialer0 5900
    !
    ip access-list extended NAT
    remark SDM_ACL Category=18
    permit ip 192.168.1.0 0.0.0.255 any
    !
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit tcp any any eq 5900
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    dialer-list 1 protocol ip permit
    !
    control-plane
    !
    bridge 1 route ip
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login
    !
    scheduler max-task-time 5000
    end

    TB_BB_Package#


    Then here go the complaints:

    - We have problems getting into certain websites, like Google, Yahoo and eBay, so I turned off the firewall. After that we could get into Google, but eBay was very slow and sometimes timed out.

    - It looks like we cannot use the search engine on sites like ninemsn.

    - We cannot send mail with pictures of more than 15 MB, hence we need to break it into two emails.

    Btw, they have no mail server or anything, everything is handled by the ISP, and they are in a domain environment with one Server 2003 SP1 box, unpatched, because they believe that if everything works fine, you don't touch anything.

    So, were the complaints valid? Was it because of the router config or something else?

    Any help would be greatly appreciated.

    Desperate selece

  • #2
    Re: Cisco 857W router configuration

    If I'm right, your inside network has an address of 192.168.1.x /24, right?

    Look at this:
    Code:
    access-list 101 permit tcp any any eq 5900 
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded 
    access-list 101 permit icmp any any unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    You probably need something like this:

    Code:
    access-list 101 permit tcp any any eq 5900
    access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
    access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
    access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 25
    access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 110
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny ip any any
    You need to read an access-list like this:

    Action (permit/deny) Protocol (tcp/ip/icmp) Source (e.g. host or network) Destination (e.g. host or network) Port (port number like 80 or www)
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

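To make that reading template concrete, here is an added example (not from the reply above and not Cisco code) that parses the extended access-list syntax used in this thread and walks constructed packets through excerpts of both ACL 101 versions, reporting which line matches first. The excerpts and the packet addresses are constructed, and the proposed list is written with the `eq` keyword that IOS requires before a port number.

```python
import ipaddress
# Constructed excerpts of the two ACL 101 versions in this thread ("eq" precedes a port number in IOS).
ORIGINAL_101 = """
access-list 101 permit tcp any any eq 5900
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any any
"""
PROPOSED_101 = """
access-list 101 permit tcp any any eq 5900
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any
"""
def _addr_spec(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD -> (base, wildcard) ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]' lines, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _addr_spec(rest), _addr_spec(rest)  # evaluated left to right
        qual = ("port", int(rest[1])) if rest[:1] == ["eq"] else (("icmp", rest[0]) if rest else None)
        entries.append((line.strip(), action, proto, src, dst, qual))
    return entries

def _matches(addr, spec):
    base, wild = spec  # wildcard mask: a 1 bit means "don't care", only the 0 bits must agree
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(entries, proto, src, dst, dport=None, icmp_type=None):
    """First match wins, as on IOS; the implicit deny at the end catches everything else."""
    for line, action, eproto, esrc, edst, qual in entries:
        if eproto not in ("ip", proto) or not (_matches(src, esrc) and _matches(dst, edst)):
            continue
        if qual is None or qual == ("port", dport) or qual == ("icmp", icmp_type):
            return action, line
    return "deny", "(implicit deny at end of list)"
```

Feeding the same packet (for example TCP from 192.168.1.10 to port 80) through both lists shows the original stopping at its second line with a deny and the proposed list stopping at its second line with a permit, which is the difference the reply is pointing at.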