06-07-2015 06:48 PM - edited 03-08-2019 12:26 AM
Hello,
I have a simple network with a number of computers connected to an 887VAW router which is connected to the internet via an ISP.
The wired and wireless connections are working and able to access the internet from each computer. I am worried someone
may be able to access my network from outside of it through the router.
Here is my configuration:
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname my_host
!
boot-start-marker
boot-end-marker
!
!
logging buffered 65535
logging console informational
enable password my_password
!
no aaa new-model
memory-size iomem 10
clock timezone ACST 9 30
clock summer-time ACST recurring 1 Sun Oct 2:00 1 Sun Apr 2:00
!
!
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.0.10
!
ip dhcp pool lan
import all
network 10.0.0.0 255.255.255.0
default-router 10.0.0.115
dns-server my_dns1 my_dns2
lease infinite
!
!
!
no ip bootp server
ip domain name isp_domain
ip name-server my_dns1
ip name-server my_dns2
no ipv6 cef
!
!
license udi pid C887VA-W-A-K9 sn my_sn
!
!
archive
log config
hidekeys
username my_username privilege 15 password 0 my_password
!
!
!
!
!
controller VDSL 0
operating mode adsl2+ annex M
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
!
!
!
!
!
!
!
!
interface ATM0
description --- ISP ADSL ---
no ip address
no atm ilmi-keepalive
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
!
interface Vlan1
description --- Ethernet LAN ---
ip address 10.0.0.115 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1420
!
interface Dialer0
description --- ISP ADSL ---
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname my_host_name
ppp chap password 0 my_host_password
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source list NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended MGMT-IN
permit ip my_isp_gateway 0.0.0.255 any !-- for ISP gateway, not sure if this is required.
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.255 any
!
no cdp run
!
!
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class MGMT-IN in
login local
transport input all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
sntp server my_dns_1
!
end
I tried the following ACL settings, however I was then unable to access the internet. Are these changes
recommended, and if so, would I have to make any modifications to my configuration above so they
would work?
!--- Anti-spoofing entries are shown here.
!--- Deny special-use address sources. !--- Refer to RFC 3330 for additional special use addresses.
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!--- Deny your space as source from entering your AS. !--- Deploy only at the AS edge.
access-list 110 deny ip YOUR_CIDR_BLOCK any
!--- Permit BGP.
! access-list 110 permit tcp host bgp_peer host router_ip eq bgp
! access-list 110 permit tcp host bgp_peer eq bgp host router_ip
!--- Deny access to internal infrastructure addresses.
access-list 110 deny ip any INTERNAL_INFRASTRUCTURE_ADDRESSES
!--- Permit transit traffic.
access-list 110 permit ip any any
Do I need BGP settings for ACL?
Also I was wondering if firewall settings are recommended to make my network safe, and what code
I would need to implement a firewall.
Thank you
Regards
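The worry in the post above is someone reaching the router from the outside. The posted config already has the right shape for that (no HTTP server, vty restricted by an access-class), but it still stores every credential reversibly (`enable password`, `username ... password 0`, `no service password-encryption`) and lets the vty accept telnet (`transport input all`). The fragment below is an added management-plane hardening example written for this thread, not part of the original post or of Cisco's documentation; angle-bracket values are placeholders. `enable secret` and `username ... secret` store hashes, whereas `service password-encryption` only applies the reversible type 7 encoding to whatever is still stored as a `password`, so the two are not interchangeable. The ISP-gateway entry in MGMT-IN is removed on the assumption, from the comment in the config, that the router is only administered from the 10.0.0.0/24 LAN.

```cisco
! Added hardening example for the posted 887VAW config (not from the original thread).
! Values in angle brackets are placeholders you supply.
!
! 1. Credentials: hashed secrets instead of reversible/cleartext passwords.
!    "username ... secret" replaces the existing "password 0" form for the same user.
no enable password
enable secret <strong-enable-password>
username my_username privilege 15 secret <strong-login-password>
service password-encryption
!
! 2. Management access: SSHv2 only. ip domain name is already set in the posted config,
!    which crypto key generate needs; 2048-bit host key.
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 4
 access-class MGMT-IN in
 login local
 transport input ssh
 exec-timeout 10 0
!
! 3. Only the LAN should ever reach the vty lines; drop the ISP-gateway entry
!    (assumption: you do not administer the router from that range).
ip access-list extended MGMT-IN
 no permit ip my_isp_gateway 0.0.0.255 any
!
! 4. Console sessions should not stay logged in forever.
line con 0
 exec-timeout 10 0
!
! 5. "lease infinite" never expires addresses of clients that have left; one day is plenty
!    for a home LAN (10.0.0.10 stays excluded for any fixed host).
ip dhcp pool lan
 lease 1
```

After applying this, verify with `show running-config | include password|secret` that no `password 0` lines remain, and with `show ip ssh` that version 2 is active before closing any telnet session you may be connected on.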
06-07-2015 09:41 PM
Hi
What IOS version are you running on the firewall? You should implement a firewall on your router. Have a look at CBAC.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4t/sec-data-cbac-fw-12-4t-book/config-cbac-fw.html.
For a start you could configure the following:
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
access-list 110 deny ip any any
interface Dialer0
ip inspect FW out
ip access-group 110 in
You do not need BGP in the access-list since you are not using it.
How are you authenticating the wireless clients? I do not see any authentication for wireless clients in your config.
Thanks
John
06-07-2015 11:47 PM
Hello,
Here is my wireless AP configuration:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ap
!
logging buffered 20000 debugging
logging rate-limit console 9
enable password my_password
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid cisco
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 my_key
!
!
!
username my_username privilege 15 password 0 my_password
!
!
ip ssh time-out 90
ip ssh authentication-retries 2
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
broadcast-key change 3600
!
!
ssid cisco
!
antenna gain 0
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
world-mode dot11d country-code AU both
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
description --- Wireless and Customer LAN Bridge ---
ip address 10.0.0.116 255.255.255.0
no ip route-cache
!
ip default-gateway 10.0.0.115
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
banner exec ^CC
% Password change notice.
-----------------------------------------------------------------------
Default username/password setup on AP is cisco/cisco with privilege level 15.
It is strongly suggested that you create a new username with privilege level
15 using the following command for console security.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use. After you change your username/password you can turn off this message
by configuring "no banner login" and "no banner exec" in privileged mode.
-----------------------------------------------------------------------
^C
banner login ^CC
% Password change notice.
-----------------------------------------------------------------------
Default username/password setup on AP is cisco/cisco with privilege level 15.
It is strongly suggested that you create a new username with privilege level
15 using the following command for console security.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use. After you change your username/password you can turn off this message
by configuring "no banner login" and "no banner exec" in privileged mode.
-----------------------------------------------------------------------
^C
banner motd ^Cotd^CYou do not have per^C
!
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
!
cns dhcp
end
I do not know how to set up security for the wireless. I have a WPA2 key. How do I set up security for the wireless, or is this already done? As far as the version of the firewall, I was wondering if I have one. It's an 887VAW router with wireless AP.
Thank you
06-08-2015 12:55 AM
Hi,
You have configured security for the wireless using a pre-shared key. If this is your home LAN which you use, then that should be fine. If the wireless is used by a number of users, then you may consider using a RADIUS server. Depending on the IOS you have, you could configure the router as a local RADIUS server.
Thanks
John
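The posted AP config is indeed WPA2-PSK (`authentication key-management wpa version 2` plus `wpa-psk`), but the radio still offers `aes-ccm tkip`, so a client can negotiate the older TKIP cipher, and the AP is managed over plain HTTP (`ip http server`). The fragment below is an added example for this thread, not from the original post or from Cisco; it keeps the PSK design John considers fine for a home LAN and tightens what is around it. Angle-bracket values are placeholders; the SSH lines assume an RSA key has been generated on the AP as on the router.

```cisco
! Added example for the posted embedded-AP config (not from the original thread).
!
! 1. WPA2 with AES-CCMP only. Removing tkip means a client that cannot do CCMP
!    simply will not join instead of pulling the network down to TKIP.
interface Dot11Radio0
 encryption mode ciphers aes-ccm
!
! 2. Same SSID, same WPA2-PSK key management; re-enter the passphrase as a long
!    random string (it is stored type 7, i.e. reversible, so treat the config as secret).
dot11 ssid cisco
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 <long-random-passphrase>
!
! 3. Management plane: no cleartext web UI, hashed secrets, SSH-only vty.
no ip http server
service password-encryption
enable secret <strong-enable-password>
username my_username privilege 15 secret <strong-login-password>
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
```

The factory `cisco/cisco` account the banner warns about is already absent from the posted config; `show dot11 associations` after the change confirms which cipher each client actually negotiated.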
06-08-2015 01:02 AM
Dear John,
Sorry, I misread the posting; my IOS software is:
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)
06-08-2015 01:25 AM
I was wondering what these firewalls do; all I want is to browse the internet, read and write email, and use an FTP port forward, with the same security as in standard Internet Explorer and Windows.
I was wondering what the 6 lines you posted do; would all I have to do be to set up a port forward?
06-08-2015 04:55 AM
Hi,
To understand CBAC and the commands I have given, have a read of the following documents:
http://www.cisco.com/c/en/us/products/collateral/security/ios-firewall/product_implementation_design_guide09186a00800fd670.html.
Thanks
John
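What John's six lines do, in one sentence: `ip access-group 110 in` on Dialer0 drops every packet that arrives unsolicited from the ADSL side, and `ip inspect FW out` watches the TCP, UDP and ICMP sessions your computers open towards the internet and adds temporary openings to that inbound ACL for exactly their replies, so browsing, email and DNS keep working while nothing can be initiated from outside. A stateless `deny ip any any` alone would block the replies too. The block below is an added worked example for this thread, not from the original posts or from Cisco's guide: it combines John's CBAC lines with the anti-spoofing entries from the first post and adds the FTP port forward asked about. It assumes the FTP server is 10.0.0.10 (the address excluded from the DHCP pool in the posted config). The `YOUR_CIDR_BLOCK` and `INTERNAL_INFRASTRUCTURE_ADDRESSES` placeholders from the Cisco template are dropped: with a single negotiated address there is no block to write, and the RFC 1918 deny already covers the 10.0.0.0/24 LAN. BGP entries are omitted, as John said, since the router has no BGP peers.

```cisco
! Added worked example: CBAC stateful inspection + inbound ACL + FTP port forward
! for the posted 887VAW config (not from the original thread).
! Assumption: the FTP server is 10.0.0.10.
!
! Inspection rules. ftp inspection also tracks the separate FTP data connection
! that a generic tcp rule would not open.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
!
ip access-list extended OUTSIDE-IN
 remark -- anti-spoofing: none of these can be a legitimate source on the ADSL side
 deny   ip host 0.0.0.0 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark -- the one published service: FTP control channel to the static NAT below.
 remark -- the inbound ACL is evaluated before NAT, hence "any" as destination.
 permit tcp any any eq ftp
 remark -- ICMP that path-MTU discovery and traceroute depend on
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark -- everything else unsolicited is dropped and logged
 deny   ip any any log
!
! Port forward: TCP/21 on the negotiated Dialer0 address -> 10.0.0.10:21.
! The existing "ip nat inside source list NAT interface Dialer0 overload" stays.
ip nat inside source static tcp 10.0.0.10 21 interface Dialer0 21
!
interface Dialer0
 ip access-group OUTSIDE-IN in
 ip inspect FW out
```

Two caveats a practitioner would add. First, FTP sends credentials in cleartext and the `permit tcp any any eq ftp` line exposes the server to the whole internet; if the users are known, narrow `any` to their source addresses. Second, passive-mode FTP from outside needs data connections to high ports that this ACL does not permit statically; test both active and passive transfers after applying the change, and check `show ip inspect sessions` and `show ip access-lists OUTSIDE-IN` to see which openings the inspection actually created.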
06-08-2015 04:27 PM
Thank you for your help.
Best Regards