01-16-2020 04:30 PM
Dear all,
I need to share the configuration of my ISR 2911 router. I am doing a new configuration for the new office relocation and need your advice on whether anything needs to be changed or deleted, or whether there are unnecessary commands.
If you have any ideas, or if it is fine with no issues?
Please check the network diagram.
Router#show run
Building configuration...
Current configuration : 4318 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname EGCAI01
!
!
username ++++ privilege 15 secret 5 +++++
enable secret ++++
no aaa new-model
clock timezone EET 2 0
no ip domain-lookup
ip domain-name ++++++
ip ssh time-out 90
ip ssh version 2
ip ssh auth 3
crypto key generate rsa usage-keys modulus 2048
!
!
ip dhcp excluded-address 192.168.2.207
ip dhcp excluded-address 192.168.3.207
ip dhcp excluded-address 192.168.4.207
ip dhcp excluded-address 192.168.5.207
ip dhcp excluded-address 192.168.6.207
ip dhcp excluded-address 192.168.7.207
ip dhcp excluded-address 192.168.8.207
ip dhcp excluded-address 192.168.9.207
ip dhcp excluded-address 192.168.7.1
ip dhcp excluded-address 192.168.7.20
ip dhcp excluded-address 192.168.7.10
ip dhcp excluded-address 192.168.7.2
ip dhcp excluded-address 192.168.3.2
ip dhcp excluded-address 192.168.2.20
ip dhcp excluded-address 192.168.2.10
ip dhcp excluded-address 192.168.2.100
ip dhcp excluded-address 192.168.10.207
ip dhcp excluded-address 192.168.11.207
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.1.253
ip dhcp excluded-address 192.168.1.207
ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.207
domain-name GDS.LOCAL
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool WIFI-OFFICE
network 192.168.4.0 255.255.255.0
default-router 192.168.4.207
domain-name GDS.LOCAL
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool Voice
network 192.168.6.0 255.255.255.0
default-router 192.168.6.207
option 150 ip 192.168.6.207
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool WIFI-GUEST
network 192.168.8.0 255.255.255.0
default-router 192.168.8.207
dns-server 8.8.8.8 8.8.4.4
ip dhcp global-options
dns-server 163.121.128.134 163.121.128.135
dns-server 213.131.65.20 213.131.66.246 ---- orange
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
interface GigabitEthernet0/0
description connected to local NW-INTERVLAN
no ip address
ip nat inside
ip flow ingress
ip flow egress
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.2
description FACE-client-LAN
encapsulation dot1Q 2
ip address 192.168.2.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.9
description printers
encapsulation dot1Q 9
ip address 192.168.3.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.20
description WIFI-OFFICE
encapsulation dot1Q 20
ip address 192.168.4.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.55
description native
encapsulation dot1Q 55 native
ip address 192.168.5.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.200
description voice
encapsulation dot1Q 200
ip address 192.168.6.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.230
description CCTV
encapsulation dot1Q 230
ip address 192.168.9.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.250
description MGMT
encapsulation dot1Q 250
ip address 192.168.7.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.912
description WIFI-Guest
encapsulation dot1Q 912
ip address 192.168.8.207 255.255.255.0
ip access-group in_guest_traffic in
ip nat inside
!
interface GigabitEthernet0/0.201
description WAN TRANSIT
encapsulation dot1Q 201
ip address 192.168.10.207 255.255.255.0
ip nat inside
interface GigabitEthernet0/0.240
description NarrowCasting
encapsulation dot1Q 201
ip address 192.168.11.207 255.255.255.0
ip nat inside
interface GigabitEthernet0/1
description connected to ISP
ip address 192.168.1.207 255.255.255.0
ip nat outside
ip flow ingress
ip flow egress
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
banner motd ^C
**************************************************************************
* Unauthorized access is prohibited *
**************************************************************************
* *
* This system is to be used only by specifically authorized personnel. *
* Any unauthorized use of the system is unlawful, and may be subject *
* to civil and/or criminal penalties. *
* *
* Any use of the system may be logged or monitored without further *
* notice and resulting logs may be used as evidence in court. *
**************************************************************************
ip dns view default
dns forwarder 8.8.8.8
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source list 3 interface GigabitEthernet0/1 overload
ip nat inside source list 4 interface GigabitEthernet0/1 overload
ip nat inside source list 5 interface GigabitEthernet0/1 overload
ip nat inside source list 6 interface GigabitEthernet0/1 overload
ip nat inside source list 7 interface GigabitEthernet0/1 overload
ip nat inside source list 8 interface GigabitEthernet0/1 overload
ip nat inside source list 9 interface GigabitEthernet0/1 overload
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.1.1
!
ip http server
ip http authentication local
ip http secure-server
ip flow-top-talkers
ip flow-export version 9
top 60
sort-by packets
!
ip forward-protocol nd
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 4 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.6.0 0.0.0.255
access-list 6 permit 192.168.7.0 0.0.0.255
access-list 7 permit 192.168.8.0 0.0.0.255
access-list 8 permit 192.168.9.0 0.0.0.255
access-list 9 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.11.0 0.0.0.255
ip access-list extended in_guest_traffic
permit ip host 192.168.3.2 any PRINTER
permit ip any host 192.168.3.2
permit ip host 192.168.3.1 any PRINTER
permit ip any host 192.168.3.1
deny ip any 192.168.1.0 0.0.0.255
deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.3.0 0.0.0.255
deny ip any 192.168.4.0 0.0.0.255
deny ip any 192.168.5.0 0.0.0.255
deny ip any 192.168.6.0 0.0.0.255
deny ip any 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.11.0 0.0.0.255
permit ip any any
!
no cdp run
!
!
line con 0
password cisco
login
line vty 0 4
access-class management in
exec-timeout 15 0
transport input all
logging synchronous
line vty 5 15
access-class management in
exec-timeout 15 0
transport input all
logging synchronous
!
scheduler allocate 20000 1000
ntp master
!
end
01-16-2020 07:00 PM
Hi,
Sorry for any typos (especially in the ACL, as I copy/paste/modified it); I'm answering from my phone.
Interface G0/2 isn't configured, which I suppose means it's not used. I would recommend forcing a shutdown on this interface.
For NAT, you don't need multiple ACLs with multiple NAT statements; you can remove them all and just have one global ACL and one global NAT statement:
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.6.0 0.0.0.255
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 1 permit 192.168.9.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.11.0 0.0.0.255
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
You're using the ACL named management to protect vty access, but it doesn't exist in your config.
On the vty lines, I would allow only SSH.
I would keep the service timestamps to show logging in UTC, or at least your local router time.
I would configure an NTP server to sync with, to make sure the time is always up to date.
In general, the security part of the device can be configured according to the best practices of IOS hardening. Here is the link in case you're interested:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
The rest seems to be good.
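The recommendations in the reply above in pasteable form. This is an added example written for this thread, not configuration from the original poster or from the reply. Two things in it are assumptions: that the MGMT VLAN (192.168.7.0/24) is the only network that should reach the vty lines, and that the NarrowCasting subinterface was meant to carry VLAN 240 (the draft gives Gi0/0.240 `encapsulation dot1Q 201`, the same VLAN ID as Gi0/0.201, which IOS refuses on a second subinterface of the same physical port). One point the reply did not spell out is also included: with `aaa new-model` off, the vty lines need `login local` before SSH will check the configured username.

```cisco
! Unused port: keep it down until something is actually cabled to it
interface GigabitEthernet0/2
 shutdown
!
! One NAT ACL and one NAT statement replace the ten per-VLAN pairs.
! Clear the translation table first, otherwise IOS prompts about
! "dynamic mapping in use" and a pasted "no" leaves the old rule in place.
do clear ip nat translation *
no ip nat inside source list 2 interface GigabitEthernet0/1 overload
no ip nat inside source list 3 interface GigabitEthernet0/1 overload
no ip nat inside source list 4 interface GigabitEthernet0/1 overload
no ip nat inside source list 5 interface GigabitEthernet0/1 overload
no ip nat inside source list 6 interface GigabitEthernet0/1 overload
no ip nat inside source list 7 interface GigabitEthernet0/1 overload
no ip nat inside source list 8 interface GigabitEthernet0/1 overload
no ip nat inside source list 9 interface GigabitEthernet0/1 overload
no ip nat inside source list 10 interface GigabitEthernet0/1 overload
no access-list 2
no access-list 3
no access-list 4
no access-list 5
no access-list 6
no access-list 7
no access-list 8
no access-list 9
no access-list 10
! access-list 1 already permits 192.168.2.0/24; add the other inside subnets.
! "ip nat inside source list 1 interface GigabitEthernet0/1 overload" stays.
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.6.0 0.0.0.255
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 1 permit 192.168.9.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.11.0 0.0.0.255
!
! The ACL that "access-class management in" already refers to.
! Limiting it to the MGMT VLAN is an assumption; use the subnet your admin
! hosts sit in. "log" records every refused connection attempt.
ip access-list standard management
 permit 192.168.7.0 0.0.0.255
 deny   any log
!
! All sixteen vty lines in one go: SSH only, local username/password.
! "login local" is what makes SSH consult the local user database while
! aaa new-model is off; without it the router answers "Password required,
! but none set" and closes the session.
line vty 0 15
 access-class management in
 login local
 transport input ssh
 exec-timeout 15 0
 logging synchronous
!
! Presumed typo in the draft: Gi0/0.240 repeated VLAN 201 (see the lead-in).
interface GigabitEthernet0/0.240
 encapsulation dot1Q 240
!
! Plain-text HTTP management is one of the services the IOS hardening guide
! linked above says to disable; "ip http secure-server" stays for HTTPS.
no ip http server
```

After pasting, `show access-lists 1` should list ten permit entries with hit counts climbing, `show ip nat statistics` should report a single dynamic mapping, `show ip interface brief` should show GigabitEthernet0/2 as administratively down, and an SSH attempt from an address outside 192.168.7.0/24 should be refused and logged by the deny entry of the management ACL. Keep a console session open while you apply the vty changes so a mistake in the ACL cannot lock you out.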
01-17-2020 05:28 AM
Dear, many thanks for your great information.
If you don't mind, could you modify it in the configuration I pasted here? I'm afraid I'll forget or do something wrong, so I need the configuration to be ready for copy and paste, please.
Please, if you don't mind, modify it on the command line and delete whatever you see as unnecessary, so I can have it ready to paste.
01-17-2020 03:52 PM
Can you please modify the points below in the configuration? And thanks for the NAT and ACL.
You're using the ACL named management to protect vty access, but it doesn't exist in your config.
On the vty lines, I would allow only SSH.
I would keep the service timestamps to show logging in UTC, or at least your local router time.
I would configure an NTP server to sync with, to make sure the time is always up to date.
01-20-2020 12:50 PM
Dear sir, how are you?
If you don't mind, please put your changes in my configuration so it is ready to copy and paste to my router.
01-20-2020 02:53 PM
Can you please put your modifications in the configuration, so I'll copy and paste it to the router directly?
Thanks for your precious time, for sure.
01-22-2020 03:57 PM
How do I apply this?
I would keep the service timestamps to show logging in UTC, or at least your local router time.
I would configure an NTP server to sync with, to make sure the time is always up to date.
01-23-2020 12:34 PM
01-24-2020 03:53 AM
Thanks a lot.
I need to know what the difference is if I specify the NTP port or keep it like this. Will it have an effect, or will the devices take the correct updated time from it?
If I need to specify the source interface, should I make it G0/0 (this is the interface which is connected to my local inter-VLANs)? Is that correct?
If you want to specify the source interface to reach the NTP server, the command will be: ntp source Loopback0 (replace Loopback0 with your real interface).
Regarding the NTP country, I'm from Egypt.
01-24-2020 06:32 PM
01-25-2020 04:02 AM
Sorry, I meant should it be assigned to G0/0, which is connected to my local network, or G0/1, which is directly connected to the Internet? You already answered me; many thanks for your constant support :) Appreciated.
What is the main purpose of the below?
service timestamps debug datetime msec
service timestamps log datetime msec
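The timestamp and NTP items asked about above, as an added example written for this thread rather than configuration from either participant. The NTP server address 192.0.2.123 is a documentation-range placeholder to swap for your ISP's or a public pool server, and restricting NTP clients to 192.168.0.0/16 is an assumption.

```cisco
! Timestamps: every log and debug line gets the router clock to the
! millisecond, so events can be lined up with syslog from other devices.
! "localtime show-timezone" prints EET (from "clock timezone EET 2 0") with
! the zone name; leave both keywords off to stamp in UTC instead.
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
!
! "ntp master" only tells the router to trust its own free-running clock,
! which drifts. Point it at an upstream reference instead. The draft has
! "no ip domain-lookup", so give the server as an IP address, not a name.
no ntp master
ntp server 192.0.2.123 prefer
!
! Source NTP from the ISP-facing interface: that is the address the upstream
! server can reply to. Gi0/0 itself has no IP address, so it cannot be the
! source; a LAN subinterface would only make sense for an NTP server that
! lives inside the LAN.
ntp source GigabitEthernet0/1
!
! Once synchronised, the router answers NTP queries from the LAN on its own,
! so the VLAN devices can use 192.168.x.207 as their time source. These
! access groups limit who may ask (serve-only) and who may be used as a
! reference (peer), so a guest cannot feed the router bogus time.
access-list 20 permit 192.168.0.0 0.0.255.255
access-list 21 permit host 192.0.2.123
ntp access-group serve-only 20
ntp access-group peer 21
```

Synchronisation takes a few minutes. `show ntp associations` should then show a `*` beside the server, `show ntp status` should say "Clock is synchronized", and `show clock detail` should report "Time source is NTP". Until that happens the router does not serve time to clients, which is the expected behaviour, not a fault.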
01-26-2020 08:28 PM
01-17-2020 12:15 AM
Hello,
I would make the ACL for NAT extended, for future uses like:
- IPsec VPN NAT exemption
- denying NAT for certain destinations, for traffic manipulation
- denying NAT for certain hosts to certain destinations
- permitting/denying NAT on certain ports
In the guest ACL I would deny traffic to the RFC 1918 private subnets (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), in case you have other private LANs on different subnets in the future.
I would also add ip ssh logging, to have a record of connections to the device.
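The extended NAT list, the RFC 1918 version of the guest ACL and SSH logging from the reply above, as an added example written for this thread rather than configuration from the reply or the original poster. The 10.10.0.0/16 remote VPN site and the 192.168.2.100 to 192.0.2.50 exemption are placeholders that show where such entries go, not networks from the thread.

```cisco
! Extended NAT ACL: same effect as the standard list today, with room for
! exemptions. Deny entries sit first because NAT stops at the first match.
ip access-list extended NAT-INSIDE
 remark -- future site-to-site IPsec: LAN-to-remote-LAN must not be NATed
 remark -- 10.10.0.0/16 is an assumed remote site, not a subnet from this thread
 deny   ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 remark -- "no NAT for one host to one destination", placeholder addresses
 deny   ip host 192.168.2.100 host 192.0.2.50
 remark -- everything else leaving the inside VLANs is translated
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.6.0 0.0.0.255 any
 permit ip 192.168.7.0 0.0.0.255 any
 permit ip 192.168.8.0 0.0.0.255 any
 permit ip 192.168.9.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
!
! Swap the translation rule over to the named list. Clear the table first,
! otherwise IOS refuses to remove the rule that is in use.
do clear ip nat translation *
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! Guest ACL: block all three RFC 1918 ranges instead of listing today's VLANs,
! so a subnet added next year is covered without touching this list.
! Re-entering a named ACL appends to it, so the old one is removed first; do
! this in a maintenance window, the subinterface filters nothing in between.
no ip access-list extended in_guest_traffic
ip access-list extended in_guest_traffic
 remark -- shared printers the guests may reach (from the posted config)
 permit ip any host 192.168.3.1
 permit ip any host 192.168.3.2
 remark -- the guest gateway itself, so unicast DHCP renewals still work
 permit udp any host 192.168.8.207 eq bootps
 remark -- no other private address space, whatever subnet it is
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark -- Internet only
 permit ip any any
!
! Log every SSH session start, end and failed authentication
ip ssh logging events
```

Guests get their DNS from 8.8.8.8 via the WIFI-GUEST pool, so no DNS entry to the router is needed; initial DHCP discovery goes to 255.255.255.255, which the deny lines do not cover. From a guest client, `ping 192.168.2.207` should fail while a public address still answers, and `show access-lists in_guest_traffic` should show the deny counters increasing.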
01-17-2020 05:31 AM
Dear friend, many thanks indeed for your great support.
I would ask you, if you have free time, to update my configuration with your inputs and delete whatever you see as unnecessary, so I have a ready configuration to paste on my router.
I would appreciate it if you could modify it in the main config; I'm afraid to do it myself and miss something.
01-17-2020 03:58 PM
Can you please show it to me, or put your modifications in the configuration directly, as per your recommendations below, so I can take it as it is?
- IPsec VPN NAT exemption
- denying NAT for certain destinations, for traffic manipulation
- denying NAT for certain hosts to certain destinations
- permitting/denying NAT on certain ports
In the guest ACL I would deny traffic to the RFC 1918 private subnets (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), in case you have other private LANs on different subnets in the future.
I would also add ip ssh logging, to have a record of connections to the device.