1811 router configuration? How did I do?

JarlAlgo1
Level 1

I had a Cisco 1811 router fall into my lap. My experience in configuring routers for production use is nil; I have gone through the first two levels of a CCNA class at the local college, but this sort of router configuration simply hasn't been covered yet...

My network is a simple one. I have an ADSL service coming in to the house to a DSL filter, which then goes to a Thompson DSL modem. This is in turn connected to FastEthernet 0 on the Cisco 1811 router. The ISP provides a pool of IP addresses that rotate on a regular basis; they also provide the hosted e-mail accounts. My network needs are also simple: a single internal LAN. All of the traffic is being generated from inside. The router provides DHCP to these devices on the built-in switch ports.

So I got busy with google and cooked up the following configuration. It works, I can access the internet from a laptop but there are a couple things that just don't seem right.

I chose to configure zone based firewall because of its default of no through traffic unless otherwise specified. Just seemed more secure. Does the configuration appear correct? Did I miss opening a protocol I will need?

Since my ISP provides me an IP address through their DHCP service, that is how I configured FastEthernet 0. It is not very fast at all in establishing a connection and obtaining its IP address. I have to start "manipulating" things to get it to go (shut down the port, power cycle the modem).

Looking for suggestions as to good/better/best configuration settings. Other than the obvious DHCP and interface settings, there is no real purpose behind the rest of the configuration other than thinking it was necessary to meet the objective....

edit:

Yes, I am aware I need to password protect the router. I simply haven't configured that part yet...


Router#show run
Building configuration...

Current configuration : 2189 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.250.1 192.168.250.99
ip dhcp excluded-address 192.168.250.200 192.168.250.254
!
ip dhcp pool PukiPool
   import all
   network 192.168.250.0 255.255.255.0
   default-router 192.168.250.1
   domain-name XXXXXXX.ca
   dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
no ip domain lookup
ip domain name XXXXXXXX.ca
ip name-server 192.168.250.1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
vtp domain wigwam

vtp mode transparent
!
!
!
archive
log config
  hidekeys
!
!
!
class-map type inspect match-any priv-pub-traffic
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp
!
!
policy-map type inspect priv-pub-policy
class type inspect priv-pub-traffic
  inspect
class class-default
  drop
!
zone security public
zone security private
zone-pair security priv-pub source private destination public
service-policy type inspect priv-pub-policy
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security public
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 192.168.250.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 7 interface FastEthernet0 overload
!
access-list 7 permit 192.168.250.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login
!
end

1 Accepted Solution (Alain's reply below)

11 Replies

JarlAlgo1
Level 1

Ugh......

I have figured out my configuration does not permit the ISP (or my cheesy D-Link home router) to provide DHCP to the Cisco 1811 on fa0.

Gotta cook up some sort of access-list that will allow the ISP DHCP server to provide me with an address...

Any suggestions?

Hello, you can do this to permit DHCP

conf t
!
ip access-list extended ISP
10 permit udp any any eq bootpc
20 permit udp any any eq bootps

Or if you know the IP address of the dhcp server you can lock it down further:

10 permit udp host 192.168.1.100 any eq bootpc
20 permit udp host 192.168.1.100 any eq bootps

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Thank You!

Configured like you had shown and then added to the interface fa0

Router(config-if)#ip access-group ISP in

I won't know what the ISP is planning on giving me for IP addresses so had to go the any any route...

Hi,

I don't see the need for such an access-list. Your f0 interface is getting an IP from the modem/router and nothing is filtered by default on the 1841. This IP will be a private one, not one provided by your ISP.

What is not working exactly? The 1841 can't get an IP from the modem/router?

Regards

Alain

Don't forget to rate helpful posts.

Hi Alain,

I had implemented the zone based firewall. My understanding (and seeming experience) has all traffic shut down by default and I need to indicate traffic that is allowed to pass.

The fa0 interface was not getting its DHCP supplied IP address from the ISP (or my cheesy D-Link router when I had it plugged in behind that). Bilal Nawaz's suggestion has worked in that fa0 is now able to obtain a DHCP IP address from the provider (or my cheesy D-Link router), but it still takes a painfully long time for it to acquire that address.

As I indicated earlier, I am a complete N00B when it comes to configuring this. If you have an alternate suggestion I am all ears, err.... eyes.....

edit:

Well, this router configuration business certainly is entertaining. Has been keeping me occupied for hours (days)...

conf t
!
ip access-list extended ISP
10 permit udp any any eq bootpc
20 permit udp any any eq bootps

Router(config-if)#ip access-group ISP in

This configuration certainly allowed the ISP to provide me with an IP address, but in the process also shut down any outgoing internet access.

Hello, yes, unfortunately by applying an ACL in the inbound direction you are bound to stop traffic that you actually wanted to permit. I didn't think of it when I suggested the initial config - sorry!

Could you try adding line 30 and then see if you can browse out?

ip access-list extended ISP
10 permit udp any any eq bootpc
20 permit udp any any eq bootps
30 permit tcp any any eq established

Alain is trying to say: why are you using an ACL on your internal network? Assuming that the D-Link router is handing your router a private IP address within the RFC 1918 address range, you do not really need an ACL in this scenario, since the D-Link is already doing firewalling/NAT to some extent.

If your D-Link or ISP modem was giving an internet-facing IP address to your router, then you would need to use ACLs.

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

The end goal is to remove the D-Link and toss it in a box somewhere and only use the Cisco 1811.

The D-Link has been useful on the WAN interface as a tool for limited troubleshooting (testing ping, testing DHCP), but I only plan on using it for testing and providing internet access until I get the Cisco properly configured.

I am using an ACL on my internal network because I blindly followed some cookbook that I found on the internet without fully understanding the steps I was taking.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00809454c7.shtml

I cherry-picked what I thought was relevant information and it (sort of) worked...

Yes, my ISP is (going to be) giving me a public internet-facing IP address on fa0. The Cisco router will need to provide firewall services between fa0 and vlan1.

30 permit tcp any any established

This did not work for me (my IOS didn't like the "eq" between "any" and "established").

Perhaps what I might need to do is start a new topic specific to my firewall issue rather than having it buried in this thread...

Sorry, that's my fault; there shouldn't be an 'eq' in that line.

30 permit tcp any any established

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi,

There is something I don't understand: how can the DHCP requests or replies be blocked by a Zone Based Firewall config by default? They shouldn't be, as by default everything is permitted from self to any and from any to self, and when the router is a DHCP client it originates the requests and receives the replies.

Furthermore, what's the use of a ZBF config and putting another ACL on a zone member interface? If it is the ZBF's fault then he should edit his ZBF config instead.

Regards

Alain

Don't forget to rate helpful posts.
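
An added IOS example (not from the thread or any of its posters) that applies Alain's point and the password-protection step the original post says is still missing: remove the stateless ISP ACL from fa0 and let the ZBF self zone handle the router's own DHCP client exchange, then lock down management access. The hostname, username and RSA key size are assumptions, and the secrets are placeholders.

```cisco
! --- Undo the stateless inbound ACL on fa0 ---
! The ZBF self zone permits the router's own DHCP client traffic by default
! (self <-> any is allowed unless a self zone-pair is configured), so the ISP
! ACL is redundant and its implicit deny is what broke the return traffic.
interface FastEthernet0
 no ip access-group ISP in
exit
no ip access-list extended ISP
!
! --- Management hardening the original post lists as still to do ---
! Hostname, username and modulus are assumptions; replace the placeholders.
! "ip domain name" is already set in the running config, which
! "crypto key generate rsa" needs for the key name.
hostname PukiRtr
service password-encryption
enable secret <choose-a-strong-secret>
username admin privilege 15 secret <choose-a-strong-secret>
crypto key generate rsa modulus 2048
ip ssh version 2
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
!
! The running config leaves "ip source-route" on; the router does not need it.
no ip source-route
```

With the ACL gone, through traffic from vlan1 to fa0 is still governed only by the priv-pub zone-pair and its inspect policy, which is the stateful control the original post set out to use.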

As it turns out my original configuration appears to be correct and what I am really fighting is multiple? hardware issues...

I may have an intermittent fa0 interface on the 1811 router.

I think a crossover cable also seems to work better between the fa0 and the Thompson modem. While a straight-through cable did work, it took more coaxing to get going. This all may be part of the fa0 port being intermittent though.

Still have a bunch of picking to do to get a better understanding of what works and what doesn't....