Beginner

Re: need to check my configuration

Router#show run
Building configuration...

Current configuration : 4318 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname EGCAI01
!
!
username ++++ privilege 15 secret 5 +++++
enable secret ++++


no aaa new-model
clock timezone EET 2 0

no ip domain-lookup
ip domain-name ++++++

logging userinfo
logging buffered 128000
logging console informational
crypto logging session
crypto logging ikev2
ip ssh logging events
ntp logging

ntp update-calendar
ntp server x.x.x.x prefer (take a public ntp server for example)


ip ssh time-out 90
ip ssh version 2
ip ssh auth 3
crypto key generate rsa usage-keys modulus 2048
!
!
ip dhcp excluded-address 192.168.2.207
ip dhcp excluded-address 192.168.3.207
ip dhcp excluded-address 192.168.4.207
ip dhcp excluded-address 192.168.5.207
ip dhcp excluded-address 192.168.6.207
ip dhcp excluded-address 192.168.7.207
ip dhcp excluded-address 192.168.8.207
ip dhcp excluded-address 192.168.9.207
ip dhcp excluded-address 192.168.7.1
ip dhcp excluded-address 192.168.7.20
ip dhcp excluded-address 192.168.7.10
ip dhcp excluded-address 192.168.7.2
ip dhcp excluded-address 192.168.3.2
ip dhcp excluded-address 192.168.2.20
ip dhcp excluded-address 192.168.2.10
ip dhcp excluded-address 192.168.2.100
ip dhcp excluded-address 192.168.10.207
ip dhcp excluded-address 192.168.11.207
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.1.253
ip dhcp excluded-address 192.168.1.207

ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.207
domain-name GDS.LOCAL
dns-server 8.8.8.8 8.8.4.4


ip dhcp pool WIFI-OFFICE
network 192.168.4.0 255.255.255.0
default-router 192.168.4.207
domain-name GDS.LOCAL
dns-server 8.8.8.8 8.8.4.4


ip dhcp pool Voice
network 192.168.6.0 255.255.255.0
default-router 192.168.6.207
option 150 ip 192.168.6.207
dns-server 8.8.8.8 8.8.4.4


ip dhcp pool WIFI-GUEST
network 192.168.8.0 255.255.255.0
default-router 192.168.8.207
dns-server 8.8.8.8 8.8.4.4

ip dhcp global-options
dns-server 163.121.128.134 163.121.128.135
dns-server 213.131.65.20 213.131.66.246 ---- orange
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
interface GigabitEthernet0/0
description connected to local NW-INTERVLAN
no ip address
ip nat inside
ip flow ingress
ip flow egress
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.2
description FACE-client-LAN
encapsulation dot1Q 2
ip address 192.168.2.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.9
description printers
encapsulation dot1Q 9
ip address 192.168.3.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.20
description WIFI-OFFICE
encapsulation dot1Q 20
ip address 192.168.4.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.55
description native
encapsulation dot1Q 55 native
ip address 192.168.5.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.200
description voice
encapsulation dot1Q 200
ip address 192.168.6.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.230
description CCTV
encapsulation dot1Q 230
ip address 192.168.9.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.250
description MGMT
encapsulation dot1Q 250
ip address 192.168.7.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.912
description WIFI-Guest
encapsulation dot1Q 912
ip address 192.168.8.207 255.255.255.0
ip access-group in_guest_traffic in
ip nat inside
!
interface GigabitEthernet0/0.201
description WAN TRANSIT
ip access-group WAN-in in (I will make an ACL on the WAN interface for security in the input direction)
encapsulation dot1Q 201
ip address 192.168.10.207 255.255.255.0
ip nat inside

interface GigabitEthernet0/0.240
description NarrowCasting
encapsulation dot1Q 201
ip address 192.168.11.207 255.255.255.0
ip nat inside

>>>>> ip access-list extended WAN-in
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
permit icmp any any
permit tcp any any established (permits only replies to traffic initiated by the inside network)
permit udp any any eq isakmp (for future use if you will use IPsec)
permit udp any any eq non500-isakmp (also IPsec)
permit esp any any (also IPsec)
permit udp any any gt 1024 (permits UDP to the inside network, which will regularly initiate UDP traffic from a random port > 1024)
deny ip any any

interface GigabitEthernet0/1
description connected to ISP
ip address 192.168.1.207 255.255.255.0
ip nat outside
ip flow ingress
ip flow egress
duplex auto
speed auto

interface GigabitEthernet0/2
no ip address
duplex auto
speed auto

banner motd ^C
**************************************************************************
* Unauthorized access is prohibited *
**************************************************************************
* *
* This system is to be used only by specifically authorized personnel. *
* Any unauthorized use of the system is unlawful, and may be subject *
* to civil and/or criminal penalties. *
* *
* Any use of the system may be logged or monitored without further *
* notice and resulting logs may be used as evidence in court. *
**************************************************************************
^C


ip dns view default
dns forwarder 8.8.8.8
ip dns server

DELETE THIS:
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source list 3 interface GigabitEthernet0/1 overload
ip nat inside source list 4 interface GigabitEthernet0/1 overload
ip nat inside source list 5 interface GigabitEthernet0/1 overload
ip nat inside source list 6 interface GigabitEthernet0/1 overload
ip nat inside source list 7 interface GigabitEthernet0/1 overload
ip nat inside source list 8 interface GigabitEthernet0/1 overload
ip nat inside source list 9 interface GigabitEthernet0/1 overload
ip nat inside source list 10 interface GigabitEthernet0/1 overload

REPLACE WITH: 

ip nat inside source list NAT interface GigabitEthernet0/1 overload


ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.1.1
!
ip http server
ip http authentication local
ip http secure-server
ip flow-top-talkers
ip flow-export version 9
top 60
sort-by packets
!
ip forward-protocol nd

DELETE:

access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 4 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.6.0 0.0.0.255
access-list 6 permit 192.168.7.0 0.0.0.255
access-list 7 permit 192.168.8.0 0.0.0.255
access-list 8 permit 192.168.9.0 0.0.0.255
access-list 9 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.11.0 0.0.0.255

CONFIGURE:

ip access-list extended NAT
    permit ip 192.168.0.0 0.0.255.255 any

DO ALSO THIS:

object-group network RFC-PRIVATE
10.0.0.0 255.0.0.0
172.16.0.0 255.240.0.0
192.168.0.0 255.255.0.0

ip access-list extended in_guest_traffic
deny ip any object-group RFC-PRIVATE
permit ip any any
...I DELETED ALL THE ACL ENTRIES FOR GUEST BECAUSE THEY WERE POINTLESS..


!
no cdp run


!
!
line con 0
password cisco
login

line vty 0 4
access-class management in
exec-timeout 15 0
transport input ssh
logging synchronous
line vty 5 15
access-class management in
exec-timeout 15 0
transport input ssh
logging synchronous

!
scheduler allocate 20000 1000
ntp master
!
end

Contributor

Re: need to check my configuration

Dear, many super thanks for your great support.

Really appreciated.

I just have one question regarding the guest ACL: my point is to block traffic from the guest to all private VLANs except the printer VLAN (192.168.3.0/24), so the guest can only access the printers VLAN.

So your changes will do that?

amr alrazzaz
Beginner

Re: need to check my configuration

No, I thought you wanted only access to the internet (this is usually the choice for guest networks).

For that you only need to put a permit above the deny rule:

permit ip any 192.168.3.0 0.0.0.255

Beginner

Re: need to check my configuration

ip access-list extended in_guest_traffic

permit ip any 192.168.3.0 0.0.0.255
deny ip any object-group RFC-PRIVATE
permit ip any any
...I DELETED ALL THE ACL ENTRIES FOR GUEST BECAUSE THEY WERE POINTLESS..
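The ordering point in this exchange, as an added example that is not part of the thread or of Cisco's software: a small Python evaluator of IOS extended-ACL semantics (top-down first match, wildcard masks, subnet-mask object groups, implicit deny at the end), run over the three-line in_guest_traffic ACL above, the earlier two-line Internet-only version, and a deliberately mis-ordered copy of the three lines. The object-group and ACL entries are the ones posted; the guest client 192.168.8.50 and the destination hosts are constructed sample values.

```python
"""
First-match evaluator for the in_guest_traffic ACL discussed above.

Added example (not Cisco code): models the IOS extended-ACL behaviour the
thread relies on -- top-down first match, wildcard masks (1 = don't care),
subnet-mask object groups and the implicit deny at the end -- and runs the
ACL orderings from the thread against constructed sample flows.
"""
from ipaddress import IPv4Address


def _i(addr: str) -> int:
    """Dotted-quad string to integer."""
    return int(IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'ignore this bit'."""
    w = _i(wildcard)
    return (_i(addr) | w) == (_i(network) | w)


# object-group network RFC-PRIVATE exactly as posted (subnet masks, not wildcards)
OBJECT_GROUPS = {
    "RFC-PRIVATE": [
        ("10.0.0.0", "255.0.0.0"),
        ("172.16.0.0", "255.240.0.0"),
        ("192.168.0.0", "255.255.0.0"),
    ],
}


def in_object_group(addr: str, name: str) -> bool:
    for network, mask in OBJECT_GROUPS[name]:
        wildcard = str(IPv4Address(_i(mask) ^ 0xFFFFFFFF))  # invert mask -> wildcard
        if wildcard_match(addr, network, wildcard):
            return True
    return False


def addr_matches(addr: str, spec) -> bool:
    """spec is 'any', ('host', ip), ('object-group', name) or (network, wildcard)."""
    if spec == "any":
        return True
    first, second = spec
    if first == "host":
        return addr == second
    if first == "object-group":
        return in_object_group(addr, second)
    return wildcard_match(addr, first, second)


def evaluate(acl, src: str, dst: str):
    """Return (action, 1-based line number) of the first matching entry.
    No match means the implicit deny at the end of every IOS ACL."""
    for line, (action, src_spec, dst_spec) in enumerate(acl, start=1):
        if addr_matches(src, src_spec) and addr_matches(dst, dst_spec):
            return action, line
    return "deny", None


# Entries are (action, source, destination); the protocol is 'ip' throughout.
# 1) Internet-only version from the first reply: guests reach nothing private.
GUEST_INTERNET_ONLY = [
    ("deny", "any", ("object-group", "RFC-PRIVATE")),
    ("permit", "any", "any"),
]

# 2) Corrected version: the permit for the printer VLAN sits ABOVE the deny.
GUEST_WITH_PRINTERS = [
    ("permit", "any", ("192.168.3.0", "0.0.0.255")),
    ("deny", "any", ("object-group", "RFC-PRIVATE")),
    ("permit", "any", "any"),
]

# 3) Same three lines in the wrong order (constructed mistake): the printer
#    permit is shadowed by the deny above it and can never match.
GUEST_SHADOWED = [
    ("deny", "any", ("object-group", "RFC-PRIVATE")),
    ("permit", "any", ("192.168.3.0", "0.0.0.255")),
    ("permit", "any", "any"),
]

# Constructed sample flows from a guest client on VLAN 912 (192.168.8.0/24).
SAMPLE_FLOWS = [
    ("192.168.8.50", "192.168.3.10"),   # printer VLAN
    ("192.168.8.50", "192.168.2.10"),   # client LAN
    ("192.168.8.50", "192.168.7.207"),  # router's MGMT address
    ("192.168.8.50", "8.8.8.8"),        # internet
]


if __name__ == "__main__":
    for name, acl in [("internet-only", GUEST_INTERNET_ONLY),
                      ("with-printers", GUEST_WITH_PRINTERS),
                      ("shadowed", GUEST_SHADOWED)]:
        print(f"== {name}")
        for src, dst in SAMPLE_FLOWS:
            action, line = evaluate(acl, src, dst)
            print(f"  {src} -> {dst:<14} {action:<6} (line {line or 'implicit'})")
```

Running it shows the with-printers ACL permitting 192.168.3.x on line 1, denying the other private destinations on line 2 and passing Internet traffic on line 3, while the shadowed ordering denies the printers on line 1 because IOS stops at the first match and never reads the permit below it.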



Contributor

Re: need to check my configuration

Dear, thanks a lot.

ntp update-calendar
ntp server x.x.x.x prefer (take a public ntp server for example)

From where do I get a public NTP server?

Do I need the Egypt zone?

 

amr alrazzaz
Beginner

Re: need to check my configuration

You can find one on the internet, or maybe your service provider has one.

You can use this:

0.eg.pool.ntp.org
VIP Mentor

Re: need to check my configuration

Hello,

In addition to the other posts, you could also shorten the access list by summarizing it as below:

access-list 1 permit 192.168.2.0 0.0.1.255
access-list 1 permit 192.168.4.0 0.0.3.255
access-list 1 permit 192.168.8.0 0.0.3.255
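The summarization above, as an added worked check that is not part of the thread or of Cisco's software: Python code that collapses the ten per-VLAN /24 networks into aligned blocks with ipaddress.collapse_addresses, renders each block as an IOS network/wildcard pair (a prefix's hostmask is exactly its wildcard mask), and verifies that the three entries match the same 192.168.x.0/24 networks as the original ten access-lists and nothing more. It also goes one step beyond the post by showing what the summary becomes if a further subnet (192.168.12.0/24, a constructed addition) is added later.

```python
"""
Worked check of the wildcard-mask summarization suggested above.

Added example (not Cisco code): merges the ten /24 networks from the thread
into the fewest aligned blocks, renders them as IOS 'network wildcard' pairs,
and verifies the summary covers exactly the same /24s as the original ACLs.
"""
from ipaddress import IPv4Address, ip_network, collapse_addresses

# The networks behind access-list 1 .. 10 in the thread (192.168.2.0 - 192.168.11.0).
PER_VLAN_NETWORKS = [f"192.168.{third}.0/24" for third in range(2, 12)]


def to_ios_entry(net) -> str:
    """Render a prefix as IOS 'network wildcard'; the hostmask is the wildcard mask."""
    return f"{net.network_address} {net.hostmask}"


def summarize_to_wildcards(cidrs):
    """Merge adjacent, aligned prefixes into supernets and return IOS entries."""
    merged = collapse_addresses(ip_network(c) for c in cidrs)
    return [to_ios_entry(net) for net in merged]


def wildcard_match(addr: str, entry: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    network, wildcard = entry.split()
    w = int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) | w) == (int(IPv4Address(network)) | w)


def matched_third_octets(entry: str):
    """Which 192.168.X.0/24 networks does one entry cover? (the thread lives in 192.168/16)"""
    return [x for x in range(256) if wildcard_match(f"192.168.{x}.0", entry)]


def same_coverage(cidrs, entries) -> bool:
    """True if the entries cover exactly the 192.168.X.0/24 networks the originals do."""
    wanted = set()
    for c in cidrs:
        wanted.update(matched_third_octets(to_ios_entry(ip_network(c))))
    got = set()
    for e in entries:
        got.update(matched_third_octets(e))
    return wanted == got


if __name__ == "__main__":
    summary = summarize_to_wildcards(PER_VLAN_NETWORKS)
    for entry in summary:
        print(f"access-list 1 permit {entry:<26} covers third octets {matched_third_octets(entry)}")
    print("same coverage as the ten originals:", same_coverage(PER_VLAN_NETWORKS, summary))
    # Constructed future case: one more VLAN subnet cannot be folded into the existing blocks.
    print("with 192.168.12.0/24 added:",
          summarize_to_wildcards(PER_VLAN_NETWORKS + ["192.168.12.0/24"]))
```

The three entries it produces are the ones in the post; the coverage check is the part worth keeping around, since a summarized wildcard that is one bit too wide silently adds subnets to the NAT (or any other) ACL.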

Contributor

Re: need to check my configuration

Dear my friend, I am very grateful for your constant help and support.

I would ask you, if you have free time, to update my configuration with your inputs and delete whatever you see is not necessary, so I have a ready configuration to paste on my router.

I would appreciate it if you could modify it on the main config; I am afraid to do it and miss anything.

I need the configuration to be ready for copy and paste, please.

Also, do you suggest another network ID, or is what I am using fine?

IP Address: 192.168.0.0
Network Address: 192.168.0.0
Usable Host IP Range: 192.168.0.1 - 192.168.15.254
Broadcast Address: 192.168.15.255
Total Number of Hosts: 4,096
Number of Usable Hosts: 4,094
amr alrazzaz
Contributor

Re: need to check my configuration

Can you please put all your modifications on the configuration, so I'll copy and paste it directly to the router?

amr alrazzaz