Newly CCNA certified: Cisco 887 config advice

Darkglasses
Level 1

Hi Folks,

 

I recently picked up my CCNA certification and am now in the process of deploying Cisco kit to run my home/office network. I wonder if anyone has a few minutes to check my configuration (below) and offer a little advice on securing my network and setups/projects to develop my skills?

 

I have 2 x Cisco 887VA routers connected to each of my FTTC VDSL Broadband connections. The configuration below is for my BT Residential service which runs my home network, including my BT TV box. There was great help on the BT forums getting this working as I was unfamiliar with setting up a Bridge. Always learning!

 

First off, I am concerned about securing my internet interface and using ACLs?

Thus far, all attempts to build my own (WAN_SEC) or apply a recommended (access list 111) have caused no web issues for all devices when applied to Dialer 1 in. So a little bump in the right direction would be appreciated as I figure out the best config?

*I have a Cisco ASA 5510 (no SSM-10 modules) which I plan to implement later. This requires further knowledge and I am not sure whether to do my Cisco Security next or CCNP. Therefore I am implementing ACLs initially for some control.

 

Future plans:

- Configure HSRP to provide failover for my on-premises server and VMs

- Purchase Cisco wireless kit to get rid of my current Wireless AP. Still looking and open to advice?

- Configure VPN / VLAN for remote access and management

- Connect my lab for learning to connect with other class mates.

 

Thanks in advance,

John

 

CONFIG

 

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterRes
!
boot-start-marker
boot-end-marker
!
!
enable password 7 13061E0108035C727C362D20
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 1.1.1.1 1.1.1.2
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 8.8.8.8
!
ip dhcp pool IPTV
network 1.1.1.0 255.255.255.0
default-router 1.1.1.1
dns-server 8.8.8.8
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FGL17362220
!
!
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
bridge irb
!
!
!
!
interface Ethernet0
no ip address
ip virtual-reassembly in
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL0)
encapsulation dot1Q 101
ip nat outside
ip virtual-reassembly in
no ip route-cache
pppoe enable group global
pppoe-client dial-pool-number 1
bridge-group 100
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
description Dedicated IPTV port for BTTV
switchport access vlan 2
no ip address
!
interface Vlan1
description VLAN
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip route-cache policy
!
interface Vlan2
no ip address
bridge-group 100
!
interface Dialer0
no ip address
no cdp enable
!
interface Dialer1
description BT Res VDSL
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap ms-chap callin
ppp chap hostname bthomehub@btbroadband.com
ppp chap password 7 15020A1F173D24362C
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
interface BVI100
description L3 for fa0 and fa1 bridge group 100
ip address 1.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1350
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.125 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.125 32400 interface Dialer1 32400
ip nat inside source static tcp 192.168.1.30 32401 interface Dialer1 32401
ip nat inside source static tcp 192.168.1.30 3389 interface Dialer1 33891
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended WAN_SEC
permit tcp any any established
deny ip any any
!

access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any any eq isakmp
access-list 111 permit esp any any
access-list 111 deny ip any any

!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 1.1.1.0 0.0.0.255
access-list 1 deny any
dialer-list 1 protocol ip permit
no cdp run
!
bridge 100 protocol ieee
bridge 100 route ip
!
line con 0
line aux 0
line vty 0 4
password 7 01100F1758045E57765E4B1A
login
transport input all
!
!
end

 

Accepted Solution

VICTORY!

 

This was resolved by applying the OUTSIDE security zone to e0.101 only. I had added zone-member security OUTSIDE to both dialer 0 and e0.101.

 

Also, I found I had missed the network command in my DHCP configuration on this router.

 

I have posted my working configuration in case it helps someone later.

 

Thanks for the ZBFW nod. I am off to configure my other Cisco 887 and enable HSRP. Then FlexVPN!

 

John

 

RouterBus#sh run
Building configuration...

Current configuration : 4059 bytes
!
! Last configuration change at 19:19:57 UTC Sun Aug 11 2019 by RouterBusAdmin
! NVRAM config last updated at 19:20:02 UTC Sun Aug 11 2019 by RouterBusAdmin
! NVRAM config last updated at 19:20:02 UTC Sun Aug 11 2019 by RouterBusAdmin
version 15.1
no service pad
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname RouterBus
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$1J5n$oXXXXXXXXXXXXXeCQ02lTE1a.
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 10.X.X.1 10.X.X.50
!
ip dhcp pool LAN
network 10.X.X.0 255.255.255.0
default-router 10.X.X.1
dns-server 8.8.8.8
!
!
ip cef
ip domain name cisco887bus.lcoal
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1608C23Q
!
!
username RouterBusAdmin privilege 15 secret 5 $1$1LOxXXXXXXXXXXXXmzVe81
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
description Allowed_Protocol_From_INSIDE_to_OUTSIDE
match access-group name INSIDE-TO-OUTSIDE
match protocol http
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol icmp
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
!
!
!
!
interface Ethernet0
no ip address
ip virtual-reassembly in
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL0)
encapsulation dot1Q 101
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
no ip route-cache
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
zone-member security INSIDE
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.X.X.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip route-cache policy
!
interface Dialer0
description BT Bus VDSL dialer
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap ms-chap callin
ppp chap hostname green-lights@service.btclick.com
ppp chap password 7 06XXXXXXXX60B01
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.X.X.5 3389 interface Dialer0 3389
ip nat inside source static tcp 10.X.X.5 32400 interface Dialer0 32400
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 10.X.X.0 0.0.0.255
permit tcp any eq 3389 host 10.X.X.5 eq 3389
permit tcp any eq 32400 host 10.X.X.5 eq 32400
deny ip any any
!
access-list 1 permit 10.X.X.0 0.0.0.255
access-list 5 remark Remote MGT access
access-list 5 permit 10.X.X.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
access-class 5 in
exec-timeout 15 0
password 7 0307521XXXXXXXXXXXXXXX6
logging synchronous
transport input all
!
end

RouterBus#


6 Replies

Darkglasses
Level 1

Ok Folks,

 

I have enabled CBAC out on dialer 1 to examine all outbound traffic and accept responses. This I think is better than creating an ACL to allow my required ports and established TCP connections?

 

All devices are working OK but my ports are all showing as closed?

My thinking was that if there is a CBAC match then the ACL is bypassed. If not, ACL 111 applies and should allow my ports or deny any IP traffic.

 

Work continues,

John


ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.125 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.125 32400 interface Dialer1 32400
ip nat inside source static tcp 192.168.1.30 32401 interface Dialer1 32401
ip nat inside source static tcp 192.168.1.30 3389 interface Dialer1 33891
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended WAN_SEC
permit tcp any eq 3389 host 192.168.1.125 eq 3389
permit tcp any eq 33891 host 192.168.1.30 eq 3389
permit tcp any eq 32400 host 192.168.1.125 eq 32400
permit tcp any eq 32401 host 192.168.1.30 eq 32401
deny ip any any

 

CBAC config

ip inspect name WAN_CBAC tcp
ip inspect name WAN_CBAC udp
ip inspect name WAN_CBAC icmp

 

Hi,

Congrats on the CCNA. If you were planning on doing the CCNA Security, be aware of the certification changes coming Feb 2020: there will only be 1 new CCNA. Reference here.

 

As you are just starting out configuring the router, you should perhaps look at using Zone Based Firewall (ZBF) rather than CBAC, which is considered legacy now. Certainly only ZBF is on the CCIE Security blueprint, so no point learning something most people will no longer deploy.

 

If you are looking for some future projects on the IOS router, I'd suggest looking at FlexVPN for Remote Access VPN, example here.

 

I'd recommend not using Type 7 passwords; they are not secure. Use "enable secret YourPassword" rather than "enable password YourPassword".

 

HTH
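Added example (not from the thread or from Cisco): a small Python audit that walks an IOS running-config and flags the management-plane weaknesses the reply above points at, namely Type 7 and "enable password", plus vty lines without an access-class, exec-timeout or SSH-only transport. POSTED_CONFIG is an excerpt of the RouterRes config at the top of the thread; HARDENED_CONFIG and its hash values are constructed placeholders.

```python
import re
from typing import List

# Excerpt of the RouterRes config posted at the top of the thread.
POSTED_CONFIG = """\
service password-encryption
enable password 7 13061E0108035C727C362D20
line con 0
line vty 0 4
password 7 01100F1758045E57765E4B1A
login
transport input all
!
end
"""

# Constructed hardened excerpt along the lines the replies recommend; hashes are placeholders.
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLAC$EHOLDERHASHxxxxxxxxxxxxxxx
username admin privilege 15 secret 5 $1$PLAC$EHOLDERHASHxxxxxxxxxxxxxxx
ip ssh version 2
access-list 5 permit 192.168.1.0 0.0.0.255
line vty 0 4
access-class 5 in
exec-timeout 15 0
login local
transport input ssh
!
end
"""


def audit(config: str) -> List[str]:
    """Return findings as 'CODE: detail' strings; an empty list means nothing was flagged."""
    findings = []
    in_vty = vty_seen = False
    has_access_class = has_exec_timeout = False
    transport = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("enable password"):
            findings.append("ENABLE_PASSWORD: use 'enable secret' (salted hash) instead")
        if re.search(r"\bpassword 7 \S+", line):
            # Type 7 is reversible obfuscation, not a hash; 'service password-encryption' adds nothing.
            findings.append(f"TYPE7: reversible Type 7 password in '{line}'")
        if line.startswith("line "):
            in_vty = line.startswith("line vty")      # track only the vty block(s)
            vty_seen = vty_seen or in_vty
            continue
        if line in ("!", "end"):
            in_vty = False
        if in_vty:
            has_access_class = has_access_class or line.startswith("access-class")
            has_exec_timeout = has_exec_timeout or line.startswith("exec-timeout")
            if line.startswith("transport input"):
                transport = line.split()[2:]
    if vty_seen and not has_access_class:
        findings.append("VTY_NO_ACCESS_CLASS: restrict vty sources with 'access-class <acl> in'")
    if vty_seen and not has_exec_timeout:
        findings.append("VTY_NO_EXEC_TIMEOUT: idle sessions never time out; set 'exec-timeout'")
    if transport and ("all" in transport or "telnet" in transport):
        findings.append("VTY_TRANSPORT: cleartext telnet accepted; use 'transport input ssh'")
    if "ip ssh version 2" not in config.splitlines():
        findings.append("SSH_VERSION: 'ip ssh version 2' not set; router also accepts SSHv1 (1.99)")
    return findings
```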

 

 

Thanks RJI/MartinLo, the CCNA was not an easy exam!

 

RJI, good call on ZBF vs CBAC. I appreciate the heads up as I am not sure I would have spotted this when progressing through the Cisco pathway. The Flex VPN has been added to the list.

 

For the moment I will leave CBAC enabled for stateful packet inspection. Therefore I do not need an ACL inbound on the Dialer 1 interface as the only traffic allowed in has been mapped on my NAT statements, i.e. RDP on 3389. At this point my external interface is not hanging in the wind with its pants down!

 

Having an extended ACL inbound on Dialer 1 would make me feel better. So I tried variations of allowing port 3389/all ports to the host only/entire subnet but this closed the port. The only ACL entry that allows 3389 inbound on Dialer 1 is permit ip any any. This is far from ideal and so some reading has highlighted that RDP works differently with CBAC enabled and I have to set up some mapping. My 887va doesn't have the commands posted so I am still looking to firm up my security.

 

Also a quick Nmap shows port 23 open which I am off to close today as it is something I never encountered in Packet Tracer. There is no substitute for hands on bare metal.

 

Any security advice is welcome,

Work continues,

John
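Added example, not from the thread: a small evaluator for the extended-ACL subset used in the WAN_SEC list posted earlier in this thread, run against a constructed inbound RDP SYN. It shows why "permit tcp any eq 3389 host 192.168.1.125 eq 3389" never matches a real RDP client, whose source port is ephemeral: the first "eq" qualifies the source port. The packet addresses and the WAN_SEC_FIXED entry are constructed for illustration; on a Dialer inbound ACL the destination IOS compares is the pre-NAT public address, so a production rule would name that address and the mapped port rather than the inside host.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False  # set for packets of an already established TCP session

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(t[i + 1]))      # IOS wildcard bits, not a netmask
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network((t[i], str(netmask)), strict=False), i + 2

def _port(t, i):
    """Parse an optional 'eq N' qualifier; None means any port."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_ace(line: str) -> dict:
    """Subset handled: <permit|deny> <proto> <src> [eq N] <dst> [eq N] [established].
    The first 'eq' qualifies the SOURCE port, the second the destination port."""
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in t[i:]}

def _matches(ace: dict, p: Packet) -> bool:
    return (ace["proto"] in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in ace["src"]
            and ipaddress.ip_address(p.dst) in ace["dst"]
            and ace["sport"] in (None, p.sport)
            and ace["dport"] in (None, p.dport)
            and (p.ack_or_rst or not ace["established"]))

def evaluate(acl: List[str], p: Packet) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for line in acl:
        ace = parse_ace(line)
        if _matches(ace, p):
            return ace["action"]
    return "deny"

# WAN_SEC exactly as posted in the thread (the CBAC post).
WAN_SEC_POSTED = [
    "permit tcp any eq 3389 host 192.168.1.125 eq 3389",
    "permit tcp any eq 33891 host 192.168.1.30 eq 3389",
    "permit tcp any eq 32400 host 192.168.1.125 eq 32400",
    "permit tcp any eq 32401 host 192.168.1.30 eq 32401",
    "deny ip any any",
]
# Same intent without the source-port qualifier (constructed for illustration).
WAN_SEC_FIXED = ["permit tcp any host 192.168.1.125 eq 3389", "deny ip any any"]
# Constructed inbound RDP SYN: the client picks an ephemeral source port, never 3389.
RDP_SYN = Packet("tcp", "203.0.113.9", 51234, "192.168.1.125", 3389)
```

evaluate(WAN_SEC_POSTED, RDP_SYN) returns "deny" while evaluate(WAN_SEC_FIXED, RDP_SYN) returns "permit", which is the "port shows closed" symptom described in the posts above.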

 

Hi All,

 

I have been working on implementing ZBF to protect my network. It is not working as expected and I am wondering if anyone can see where I am going wrong?

 

Web traffic is working from my PC at 10.10.1.5 but HTTPS web pages fail to load?

Do I need to put zone-member security OUTSIDE on Ethernet.101?

Should I change my standard access list 1 on the inside source for dialer0 to INSIDE-TO-OUTSIDE?

Have I got my INSIDE-TO-OUTSIDE ACL right? I am going to give using access-groups another bash from INSIDE-TO-OUTSIDE.

 

Thanks,

John

 

 

Current configuration : 4127 bytes
!
! Last configuration change at 20:53:53 UTC Wed Aug 7 2019 by RouterBusAdmin
! NVRAM config last updated at 20:54:02 UTC Wed Aug 7 2019 by RouterBusAdmin
! NVRAM config last updated at 20:54:02 UTC Wed Aug 7 2019 by RouterBusAdmin
version 15.1
no service pad
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname RouterB
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$1J5n$oveHKNHW4EXeCQ02lTE1a.
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 10.10.1.1 10.10.1.50
!
ip dhcp pool LAN
default-router 10.10.1.1
dns-server 8.8.8.8
!
!
ip cef
no ip domain lookup
ip domain name cisco887bus.lcoal
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1608C23Q
!
!
username RouterB privilege 15 secret 5 $1$1LOx$lqCQIEVvMDdE40FAmzVe81
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
!
!
!
!
interface Ethernet0
no ip address
ip virtual-reassembly in
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL0)
encapsulation dot1Q 101
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
no ip route-cache
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
zone-member security INSIDE
!
interface FastEthernet1
no ip address
zone-member security INSIDE
!
interface FastEthernet2
no ip address
zone-member security INSIDE
!
interface FastEthernet3
no ip address
zone-member security INSIDE
!
interface Vlan1
ip address 10.10.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip route-cache policy
!
interface Dialer0
description BT Bus VDSL dialer
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap ms-chap callin
ppp chap hostname green-lights@service.btclick.com
ppp chap password 7 06160E325F59060B01
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.1.5 3389 interface Dialer0 3389
ip nat inside source static tcp 10.10.1.5 32400 interface Dialer0 32400
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended INSIDE-TO-OUTSIDE
permit tcp 10.10.1.0 0.0.0.255 any established
permit udp 10.10.1.0 0.0.0.255 any
permit icmp 10.10.1.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 10.10.1.0 0.0.0.255
permit tcp any eq 3389 host 10.10.1.5 eq 3389
permit tcp any eq 32400 host 10.10.1.5 eq 32400
!
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 5 remark Remote MGT access
access-list 5 permit 10.10.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
access-class 5 in
exec-timeout 15 0
password 7 0307521805007914190B0C16
logging synchronous
transport input all
!
end


Martin L
VIP

Congrats on passing CCNA!