Configure 1921/k9 properly

Noob_PNA (Level 1)
Building configuration...

Current configuration : 2974 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$/hAl$Ss9kl2uQJDdLqLaiOMcW0/
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool My_LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1 192.168.1.126 8.8.4.4 8.8.8.8
!
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3717087716
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3717087716
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-3717087716
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373137 30383737 3136301E 170D3139 30313038 30333130
33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313730
38373731 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E3D5 5810CB05 BF672910 AE996732 46FC1975 9038FBD6 DF06EB36 0908C676
50B91EDD 79A92883 E2B8D94E 1301616E 28922E1F 598F6E12 C06E7063 C8751AF5
EF3583AA 6B3AA41B 010F680C A2DE2368 D8678380 D66AB62A 15B4A439 6D3FBCF0
AF97018E 12911CE4 A3DBB4C7 06CEACF7 2DD62171 1ED21000 9A007576 11F2E1E2
844B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1477EE54 03D1A4E8 0B8887A5 C90F3ABB FD9DA944 60301D06
03551D0E 04160414 77EE5403 D1A4E80B 8887A5C9 0F3ABBFD 9DA94460 300D0609
2A864886 F70D0101 04050003 81810063 B8217894 BC166613 7F143A06 3B1E3F38
BDDE424D BEF20015 F248666B 15B8B5A9 2A37E753 3A8202D0 F40BEB06 4C34F325
89F81660 02FD2CCE 63C5FE76 B8965DFE E7235FD1 D7AEC8BD 87295B0F 1D06B12A
324540ED 0EC01011 15F1AC96 B8AF65E3 4002896A 0B67ECD6 086CB431 1681F2B8
2EA0E3AE 81CD005D CFB48F6B 0DA3F6
quit
license udi pid CISCO1921/K9 sn FTX1520037Y
!
!
username stefon secret 5 $1$Rdrn$lJ4RSvvKiTQmEXnBUU8uQ/
!
!
!
!
!
!
interface GigabitEthernet0/0
description INTERNET
ip address dhcp
ip access-group MY_WAN in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description My LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
!
interface GigabitEthernet0/0/1
!
interface GigabitEthernet0/0/2
!
interface GigabitEthernet0/0/3
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

 

This is my current configuration. I can connect to the internet with this setup, but I can't run speed tests, nor do I see an internet connection on the computer; it just shows a connection.

How do I fix this?

 

How do I properly secure / lock down my network so outside traffic doesn't come in but inside traffic is still allowed out?

 

I also have an EHWIC card in this router and I would like to set up 2 ports to connect to the switch, like a port aggregation. How do I do that? Step by step would be most helpful, thank you.


7 Replies

Hi,
You don't have NAT configured correctly. The example below will NAT your internal network 192.168.1.0/24 behind the WAN interface Gi0/0:

ip access-list standard INTERNAL_LAN
 permit 192.168.1.0 0.0.0.255

ip nat inside source list INTERNAL_LAN interface GigabitEthernet0/0 overload

You should probably investigate using Zone Based Firewall, which is a stateful firewall and will work on this router. This would be better than an ACL.

HTH

I am not sure what you are referring to. My internal network is on Gi0/1; my WAN / internet is Gi0/0. Zone firewall... does that require more equipment, or is it a setting that is in the system?

Hello,

the Zone Based Firewall RIJ is referring to is exactly what I put in the configuration I posted. It is a software feature...

Hello,

for the security part, you can configure a Zone Based Firewall. I also added some NAT statements to your config, as these appeared to be missing, as well as a static default route (additions marked with "! added" lines):

Current configuration : 2974 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$/hAl$Ss9kl2uQJDdLqLaiOMcW0/
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool My_LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1 192.168.1.126 8.8.4.4 8.8.8.8
!
! added: the two security zones
zone security INSIDE
zone security OUTSIDE
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3717087716
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3717087716
 revocation-check none
!
crypto pki certificate chain TP-self-signed-3717087716
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373137 30383737 3136301E 170D3139 30313038 30333130
  33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313730
  38373731 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E3D5 5810CB05 BF672910 AE996732 46FC1975 9038FBD6 DF06EB36 0908C676
  50B91EDD 79A92883 E2B8D94E 1301616E 28922E1F 598F6E12 C06E7063 C8751AF5
  EF3583AA 6B3AA41B 010F680C A2DE2368 D8678380 D66AB62A 15B4A439 6D3FBCF0
  AF97018E 12911CE4 A3DBB4C7 06CEACF7 2DD62171 1ED21000 9A007576 11F2E1E2
  844B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1477EE54 03D1A4E8 0B8887A5 C90F3ABB FD9DA944 60301D06
  03551D0E 04160414 77EE5403 D1A4E80B 8887A5C9 0F3ABBFD 9DA94460 300D0609
  2A864886 F70D0101 04050003 81810063 B8217894 BC166613 7F143A06 3B1E3F38
  BDDE424D BEF20015 F248666B 15B8B5A9 2A37E753 3A8202D0 F40BEB06 4C34F325
  89F81660 02FD2CCE 63C5FE76 B8965DFE E7235FD1 D7AEC8BD 87295B0F 1D06B12A
  324540ED 0EC01011 15F1AC96 B8AF65E3 4002896A 0B67ECD6 086CB431 1681F2B8
  2EA0E3AE 81CD005D CFB48F6B 0DA3F6
  quit
license udi pid CISCO1921/K9 sn FTX1520037Y
!
username stefon secret 5 $1$Rdrn$lJ4RSvvKiTQmEXnBUU8uQ/
!
interface GigabitEthernet0/0
 description INTERNET
 ip address dhcp
 ! note: MY_WAN is not defined anywhere in this config; IOS passes all traffic through an ACL that does not exist
 ip access-group MY_WAN in
 ip nat outside
 ! added
 zone-member security OUTSIDE
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description My LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ! added
 zone-member security INSIDE
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
!
interface GigabitEthernet0/0/1
!
interface GigabitEthernet0/0/2
!
interface GigabitEthernet0/0/3
!
interface Vlan1
 no ip address
!
! added: Zone Based Firewall classes and policies
! (match-any: a single packet can only be one of these protocols, so match-all would never match)
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol https
 match protocol dns
 match protocol udp
 match protocol tcp
 match protocol pop3
 match protocol smtp
 match protocol icmp
!
ip access-list extended OUTSIDE-TO-INSIDE
 permit icmp any 192.168.1.0 0.0.0.255
!
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
! added: NAT for the LAN behind Gi0/0 (access-list 1 selects the inside hosts)
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! added: default route via the DHCP-learned gateway on Gi0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end

Zoning doesn't work on my router. Do you have another suggestion?

Hello,

 

regarding the port channel, the config is quite simple:

 

interface Port-channel1
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
duplex auto
speed auto
channel-group 1 mode on
!
interface FastEthernet0/0/1
no ip address
duplex auto
speed auto
channel-group 1 mode on

Accepted Solution

Hello

@Noob_PNA wrote:

How do I properly secure / lock down my network so outside traffic doesn't come in but inside traffic is still allowed out?

IF ZBFW isn't applicable you could possibly try basic context based access (CBAC):

CBAC:
no ip access-list extended MY_WAN

ip access-list extended MY_WAN
 permit udp any eq bootps any eq bootpc

ip inspect name cbac tcp
ip inspect name cbac udp
ip inspect name cbac icmp

interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx allow-default MY_WAN
 ip inspect cbac out
 ip access-group MY_WAN in

NAT - internet access:
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp

Can you post:
sh ip interface brief
sh ip route

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul
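The three fixes offered in this thread (RIJ's NAT rule, Georg's Zone Based Firewall config, and Paul's CBAC alternative with its DHCP-only ACL) each close a gap in the original running-config: the applied ACL MY_WAN is never defined, there is no NAT translation rule behind the NAT-marked interfaces, there is no default route, and the vty lines accept telnet. The Python linter below is an added example, not code from the thread, from Cisco, or from any of the posters. It reads `show running-config` text and reports those gaps, plus three mistakes that are easy to make when typing the suggested config by hand: an inspect class-map using `match-all` over several protocols, a ZBFW zone-pair with no service-policy attached, and an ACL wildcard that hides bits set in the address (`192.168.1.0 0.255.255.255` matches 192.0.0.0/8, not the /24). It generalises beyond the posted config to any IOS config with the usual one-space indentation; the two embedded sample configs are constructed and condensed from the thread, and the interface names, ACL names and addresses are the ones from the post.

```python
"""IOS running-config linter: an added example, not code from the thread, from Cisco or from any poster."""
import ipaddress
import re


def parse_blocks(cfg):
    """Split config text into (top-level command, [indented sub-commands])."""
    blocks = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no config
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def wildcard_mismatch(entry):
    """True if an 'address wildcard' pair has address bits inside the wildcard."""
    entry = re.sub(r"host \S+", "", entry)  # 'host X' carries no wildcard
    pairs = re.findall(r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", entry)
    return any(int(ipaddress.IPv4Address(a)) & int(ipaddress.IPv4Address(w))
               for a, w in pairs)


def lint(cfg):
    """Return a list of findings; an empty list means no check fired."""
    blocks = parse_blocks(cfg)
    acls = {m.group(1) for h, _ in blocks
            for m in [re.match(r"(?:ip access-list \w+|access-list) (\S+)", h)] if m}
    defined = {"access-group": acls,  # names an interface may legitimately reference
               "inspect": {h.split()[3] for h, _ in blocks if h.startswith("ip inspect name ")}}
    findings, nat_marks, nat_rule, default_route, zone_pairs = [], set(), False, False, {}
    for hdr, body in blocks:
        if hdr.startswith("interface "):
            for line in body:  # IOS passes everything through an ACL that is applied but not defined
                m = re.match(r"ip (access-group|inspect) (\S+) (?:in|out)$", line)
                if m and m.group(2) not in defined[m.group(1)]:
                    findings.append(f"{hdr}: '{line}' references {m.group(2)}, which is never defined")
                if line in ("ip nat inside", "ip nat outside"):
                    nat_marks.add(line)
        elif hdr.startswith("line vty"):
            for line in body:
                words = line.split()
                if words[:2] == ["transport", "input"] and {"all", "telnet"} & set(words):
                    findings.append(f"{hdr}: '{line}' accepts cleartext telnet; use 'transport input ssh'")
        elif hdr.startswith("ip nat inside source list "):
            nat_rule, name = True, hdr.split()[5]
            if name not in acls:
                findings.append(f"NAT rule uses ACL {name}, which is never defined")
        elif hdr.startswith("ip route 0.0.0.0 0.0.0.0 "):
            default_route = True
        elif hdr.startswith("zone-pair security "):
            name = hdr.split()[2]  # a zone-pair may be re-entered, so OR the policy flag across copies
            zone_pairs[name] = zone_pairs.get(name, False) or any(
                l.startswith("service-policy") for l in body)
        elif hdr.startswith("class-map type inspect match-all "):
            protos = [l.split()[-1] for l in body if l.startswith("match protocol ")]
            if len(protos) > 1:  # one packet cannot be tcp and udp and icmp at once
                findings.append(f"{hdr}: match-all over {protos} can never match; use match-any")
        entries = body if hdr.startswith("ip access-list ") else (
            [hdr] if hdr.startswith("access-list ") else [])
        for entry in entries:
            if wildcard_mismatch(entry):
                findings.append(f"'{entry}': wildcard hides address bits, so it matches a wider range")
    if nat_marks == {"ip nat inside", "ip nat outside"} and not nat_rule:
        findings.append("ip nat inside/outside are set but no 'ip nat inside source list' rule exists")
    if not default_route:
        findings.append("no default route (ip route 0.0.0.0 0.0.0.0 ...)")
    findings += [f"zone-pair {n} has no service-policy" for n, ok in zone_pairs.items() if not ok]
    return findings


# Constructed sample, condensed from the running-config posted in the thread.
ORIGINAL = """\
interface GigabitEthernet0/0
 ip access-group MY_WAN in
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
line vty 0 4
 transport input all
"""
# The same config with the thread's suggestions applied (also constructed).
FIXED = ORIGINAL.replace("transport input all", "transport input ssh") + """\
ip access-list extended MY_WAN
 permit udp any eq bootps any eq bootpc
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "->", lint(cfg) or "no findings")
```

Running it prints four findings for the original sample (undefined MY_WAN, telnet on the vty lines, NAT marks without a translation rule, no default route) and none for the fixed one; to check your own router, save `show running-config` to a file and call `lint(open("running-config.txt").read())`. The checks are deliberately structural (names defined vs. referenced, flags present vs. absent) rather than a full IOS parser, so a clean result means the thread's known gaps are closed, not that the config is correct in every respect.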