cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
736
Views
5
Helpful
9
Replies

New Router Setup Beginner

JLVB83
Level 1
Level 1

Hey folks I've spent a little time setting my first router up behind my home router in a test bench setup,  my plan is to put it directly on the internet and be my main router, basically took a defaulted router and added a few things to it and adjusted the config, some things may not be needed that come defaulted ,and some stuff may still be needed, as far as functionality goes seems to be good at the moment, but could use some professional critique, here is my current config please let me know if this looks OK and safe to be on the web.

 

thks

 

CISCO 1921

 

Using 2797 out of 262136 bytes
!
! Last configuration change at 04:43:57 UTC Tue Jan 26 2021 by jlvb83
! NVRAM config last updated at 04:43:58 UTC Tue Jan 26 2021 by jlvb83
! NVRAM config last updated at 04:43:58 UTC Tue Jan 26 2021 by jlvb83
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$rn7O$5kouMbw3c3zjSd64bALKa0
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
ip dhcp pool CAMSNET
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
host 10.10.10.5 255.255.255.0
client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
ip dhcp pool CLIENT_2
host 192.168.1.10 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
!
vtp domain NULL
vtp mode transparent
username jlvb83 password 7 1321051B1818052425253B32392F1A14025151060A19
!
redundancy
!
!
!
!
vlan 2
name CAMS
!
vlan 3
name MAIN
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.19 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 99
ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
no mop enabled
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.0.1
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 106D0817041313595C547E
login local
transport input ssh
!
scheduler allocate 20000 1000
end

 

 

 

1 Accepted Solution

Accepted Solutions

Hello,

 

if you add the lines marked in bold, this will set up the zone based firewall. All traffci from the inside to the outside is allowed, all traffic from the outside to the inside, including traffic directed at the router itself, is dropped:

 

Using 2797 out of 262136 bytes
!
! Last configuration change at 04:43:57 UTC Tue Jan 26 2021 by jlvb83
! NVRAM config last updated at 04:43:58 UTC Tue Jan 26 2021 by jlvb83
! NVRAM config last updated at 04:43:58 UTC Tue Jan 26 2021 by jlvb83
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$rn7O$5kouMbw3c3zjSd64bALKa0
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
ip dhcp pool CAMSNET
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
host 10.10.10.5 255.255.255.0
client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
ip dhcp pool CLIENT_2
host 192.168.1.10 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
vtp domain NULL
vtp mode transparent
username jlvb83 password 7 1321051B1818052425253B32392F1A14025151060A19
!
redundancy
!
--> class-map type inspect match-any IN_OUT_CM
--> match access-group name IN_OUT_ACL
!
--> policy-map type inspect IN_OUT_PM
--> class type inspect IN_OUT_CM
--> inspect
--> class class-default
--> drop log
!
--> policy-map type inspect OUT_IN_PM
--> class class-default
--> drop log
!
--> policy-map type inspect OUT_SELF_PM
--> class class-default
--> drop log
!
--> zone security outside
--> zone security inside
--> zone-pair security IN_OUT_ZP source inside destination outside
--> service-policy type inspect IN_OUT_PM
--> zone-pair security OUT_IN_ZP source outside destination inside
--> service-policy type inspect OUT_IN_PM
--> zone-pair security OUT_SELF_ZP source outside destination self
--> service-policy type inspect OUT_SELF_PM
!
vlan 2
name CAMS
!
vlan 3
name MAIN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.19 255.255.255.0
ip nat outside
--> zone-member security outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
ip nat inside
--> zone-member security inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
--> zone-member security inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
--> zone-member security inside
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 99
ip address 10.10.20.1 255.255.255.0
--> zone-member security inside
!
interface FastEthernet0/0/0
no ip address
no mop enabled
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.0.1
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
--> ip access-list standard IN_OUT_ACL
--> permit 192.168.1.0 0.0.0.255
--> permit 10.10.10.0 0.0.0.255
--> permit 10.10.20.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 106D0817041313595C547E
login local
transport input ssh
!
scheduler allocate 20000 1000
end

View solution in original post

9 Replies 9

Hello,

 

the config looks by the book. If you want Vlan 2 and Vlan 99 to be able to reach the Internet as well, you need to add 'ip nat inside' to the respective subinterfaces, and add the respective networks to be allowed in access list 1.

 

Other than that, the config looks perfect...

Thks for the reply Vlan 2 is my video cam network doesn't need internet access and 99 is my management vlan so same thing no need for internet access.  I appreciate the feedback.  I actually have one more question I believe this router has a vpn unit that I haven't touched yet is there security concerns with it being defaulted and not configure?

 

Edit : Just ran show version and did confirm a VPN module same question is there any security concerns, would all the vpn configs have been deleted when the router was defaulted?

 

It is normal that in default config the vpn config is defaulted to not configured. I am not sure how to answer your question about whether there is a security concern about vpn not configured. If you intend to utilize vpn (either site to site or remote access) and it is not configured then obviously there is a security concern. But if the intention is just that the router provide Internet access for inside networks then no vpn configuration is not an issue. So what is your intention about vpn?

HTH

Rick

Hey Rick the reason I asked was because I wasn't sure how "modules" where configured, but after a little research seems like the VPN is configured in the config file.  Eventually I do want to utilize it to allow remote access to my network, but I'm not there yet I just want to make sure I'm safe and secure first, then can get to VPN stuff.

 

thks

Hello,

 

in addition to Richard's remarks, I am thinking, if you security features in your IOS, you might as well use them and configure e.g. a zone based firewall...

Georg makes a very good point. The default config does not implement anything to provide protection for the inside network. That is in part because the router vendor does not know whether there will be an external firewall or whether protection will be configured on the router. If you are connecting to the Internet you certainly want something to provide protection for your inside network. As it stands now I would not say that this config was safe to use for connection to the Internet.

 

In reading the discussion again I realize that the original poster asked a question that has not been addressed: "would all the vpn configs have been deleted when the router was defaulted?" When the router was defaulted there was not any vpn config. Any configuration of vpn is done by the router administrator.

 

HTH

Rick

JLVB83
Level 1
Level 1

OK I will look into utilizing the built in features of this router for firewall security, I will look into zone based firewalls, any other pointers would be helpful as to how Cisco firewalls work?

you need not concern about the VPN module other than security for the router itself.
the VPN module refers to a hardware acceleration module for encryption of VPN traffic
you will also find the router was shipped with a corresponding image and burnt-in license to use this features

Hello,

 

if you add the lines marked in bold, this will set up the zone based firewall. All traffci from the inside to the outside is allowed, all traffic from the outside to the inside, including traffic directed at the router itself, is dropped:

 

Using 2797 out of 262136 bytes
!
! Last configuration change at 04:43:57 UTC Tue Jan 26 2021 by jlvb83
! NVRAM config last updated at 04:43:58 UTC Tue Jan 26 2021 by jlvb83
! NVRAM config last updated at 04:43:58 UTC Tue Jan 26 2021 by jlvb83
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$rn7O$5kouMbw3c3zjSd64bALKa0
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
ip dhcp pool CAMSNET
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
host 10.10.10.5 255.255.255.0
client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
ip dhcp pool CLIENT_2
host 192.168.1.10 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
vtp domain NULL
vtp mode transparent
username jlvb83 password 7 1321051B1818052425253B32392F1A14025151060A19
!
redundancy
!
--> class-map type inspect match-any IN_OUT_CM
--> match access-group name IN_OUT_ACL
!
--> policy-map type inspect IN_OUT_PM
--> class type inspect IN_OUT_CM
--> inspect
--> class class-default
--> drop log
!
--> policy-map type inspect OUT_IN_PM
--> class class-default
--> drop log
!
--> policy-map type inspect OUT_SELF_PM
--> class class-default
--> drop log
!
--> zone security outside
--> zone security inside
--> zone-pair security IN_OUT_ZP source inside destination outside
--> service-policy type inspect IN_OUT_PM
--> zone-pair security OUT_IN_ZP source outside destination inside
--> service-policy type inspect OUT_IN_PM
--> zone-pair security OUT_SELF_ZP source outside destination self
--> service-policy type inspect OUT_SELF_PM
!
vlan 2
name CAMS
!
vlan 3
name MAIN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.19 255.255.255.0
ip nat outside
--> zone-member security outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
ip nat inside
--> zone-member security inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
--> zone-member security inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
--> zone-member security inside
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 99
ip address 10.10.20.1 255.255.255.0
--> zone-member security inside
!
interface FastEthernet0/0/0
no ip address
no mop enabled
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.0.1
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
--> ip access-list standard IN_OUT_ACL
--> permit 192.168.1.0 0.0.0.255
--> permit 10.10.10.0 0.0.0.255
--> permit 10.10.20.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 106D0817041313595C547E
login local
transport input ssh
!
scheduler allocate 20000 1000
end

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: