
2514 utilizing dhcp ACL question


labgrl76 (IS-IT--Management), Dec 2, 2005
Hi all,
Well, I've been able to get things going with my incoming connection, but I am experiencing issues when attempting to apply ACLs. Since I'm not running a DHCP server at home, I am basically using the 2514 to hand out addresses on my internal network (int e1). My question is, since DHCP is being utilized, what basic ACL could I apply to make sure I've got some type of security to keep out the bad folk? :)
Thanks for any help in advance.

hostname 2514
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$2IKU$EGG/PBCXnzFDUi4OGjrgq.
enable password 6265
!
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
no ip domain lookup
no ip dhcp conflict logging
ip dhcp excluded-address 10.0.100.1 10.0.100.99
!
ip dhcp pool internal
network 10.0.100.0 255.255.255.0
default-router 10.0.100.1
dns-server xx.xx.64.146 xx.xx.75.194
netbios-name-server 10.0.100.2 10.0.100.3
lease 5
!
no ip bootp server
!
!
!
interface Ethernet0
description DMZ
ip address dhcp
ip nat outside
no cdp enable
!
interface Ethernet1
description INTERNAL
ip address 10.0.100.1 255.255.255.0
ip nat inside
no cdp enable
!
interface Serial0
no ip address
shutdown
no fair-queue
no cdp enable
!
interface Serial1
no ip address
shutdown
no fair-queue
!
ip nat inside source list 1 interface Ethernet0 overload
no ip http server
ip classless
!
!
access-list 1 permit 10.0.100.0 0.0.0.255
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password xxxxxx
login
!
!
end
 
Does this setup actually work? I was pretty sure the last time I looked that you couldn't have two interfaces with addresses within the same subnet, as it confuses the router as to where to route things; your DMZ interface being on the same subnet as the internal one usually flips the router.

But in a normal NAT setup, unless you have a static NAT mapping from external to internal, no outside connections can be made through the router.

You can tighten your config up by adding "no ip directed-broadcasts" to the internal interface.
 
He has no IP attached to the internal interface. It should work fine.

And because of the NAT setup there should be no outside access to the device.

You should put an access-list on your vty 0 4, though, so that nobody can telnet directly to your router...
 
Thanks. Actually, I had posted an older config. I did manage to put an ACL on the vty, as seen below. I just needed some peace of mind, since it's for the most part my first line of defense :)

hostname 2514
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$2IKU$EGG/PBCXnzFDUi4OGjrgq.
enable password xxxx
!
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
no ip domain lookup
no ip dhcp conflict logging
ip dhcp excluded-address 10.0.100.1 10.0.100.99
!
ip dhcp pool internal
network 10.0.100.0 255.255.255.0
default-router 10.0.100.1
dns-server xx.xx.64.146 xx.xx.75.194
netbios-name-server 10.0.100.2 10.0.100.3
lease 5
!
no ip bootp server
!
!
!
interface Ethernet0
description DMZ
ip address dhcp
ip access-group 100 in
ip access-group 101 out
no ip unreachables
no ip proxy-arp
ip nat outside
no cdp enable
!
interface Ethernet1
description INTERNAL
ip address 10.0.100.1 255.255.255.0
no ip proxy-arp
ip nat inside
no ip route-cache
no cdp enable
!
interface Serial0
no ip address
shutdown
no fair-queue
no cdp enable
!
interface Serial1
no ip address
shutdown
no fair-queue
!
ip nat inside source list 1 interface Ethernet0 overload
no ip http server
ip classless
!
!
access-list 1 permit 10.0.100.0 0.0.0.255
access-list 105 permit ip 10.0.100.0 0.0.0.255 any
access-list 105 deny ip any any
!
!
line con 0
access-class 105 in
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password xxxxxx
login
!
!
end
 
I'd probably scrap ACL 105 and simply apply ACL 1 to the VTYs instead (you only need to check the source address for people trying to telnet into the device; the destination address is irrelevant).
 
Thanks Kisco. By chance, what's the best syntax for applying ACL 1 to the vty? I am not too advanced at this point to figure it out :)
 
Whilst I'm at it, it's probably worth putting a password on the console connection; it's open at the moment. From the router's enable mode (the # or hash prompt), do the following:

2514#conf t
2514(config)#line con 0
2514(config-line)#no access-class 105 in
2514(config-line)#login
2514(config-line)#password xxxxxxx
2514(config-line)#line vty 0 4
2514(config-line)#access-class 1 in
2514(config-line)#exit
2514(config)#exit
2514#write memory

"write memory" saves your new configuration. Omit this line and perform it later if you want to test the new password and VTY ACL first before saving.
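The checks the replies above make by eye (a console with no password, an access-class applied to the console rather than the VTYs, VTYs with no access-class, and ACL 1 being sufficient because access-class only inspects the source address) can be scripted. The following is an added example, not code from the thread or from Cisco: a small linter over the posted config, embedded here as a constructed sample, plus an IOS wildcard-mask matcher that shows which source addresses ACL 1 and ACL 105 would admit. It also flags ACLs 100 and 101, which the second config applies to Ethernet0 with "ip access-group" but never defines; on IOS an interface ACL that is applied but not defined permits all traffic. Only numbered ACLs and the "interface"/"line" syntax seen in the posts are handled; the finding codes and the trimmed sample are this example's own.

```python
"""Lint a Cisco IOS config for the line/ACL issues raised in the thread.
Added example (not from the thread or Cisco); only numbered ACLs and the
'interface'/'line' forms seen in the posted configs are handled."""
import ipaddress

# Constructed sample: the second posted config trimmed to the lines the checks use.
SAMPLE_CONFIG = """\
enable secret 5 $1$2IKU$EGG/PBCXnzFDUi4OGjrgq.
enable password xxxx
!
interface Ethernet0
 ip access-group 100 in
 ip access-group 101 out
 ip nat outside
!
ip nat inside source list 1 interface Ethernet0 overload
access-list 1 permit 10.0.100.0 0.0.0.255
access-list 105 permit ip 10.0.100.0 0.0.0.255 any
access-list 105 deny ip any any
!
line con 0
 access-class 105 in
line vty 0 4
 password xxxxxx
 login
"""


def parse_sections(config):
    """Split into top-level lines and {section header: [body lines]}. Forum pastes
    lose indentation, so a section ends at '!' or the next interface/line header."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
        else:
            top.append(line)
    return top, sections


def numbered_acls(config):
    """Collect 'access-list N ...' entries as {N: [entry text without the prefix]}."""
    acls = {}
    for line in parse_sections(config)[0]:
        if line.startswith("access-list "):
            _, number, *entry = line.split()
            acls.setdefault(number, []).append(" ".join(entry))
    return acls


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)


def acl_permits(entries, src_ip):
    """First-match test of a source address (all access-class examines); implicit deny at the end."""
    for entry in entries:
        action, *rest = entry.split()
        if rest[0] in ("ip", "tcp", "udp", "icmp"):  # extended ACL: skip the protocol
            rest = rest[1:]
        if rest[0] == "any":
            hit = True
        elif rest[0] == "host":
            hit = wildcard_match(src_ip, rest[1], "0.0.0.0")
        elif len(rest) > 1 and rest[1].count(".") == 3:
            hit = wildcard_match(src_ip, rest[0], rest[1])
        else:  # standard-ACL shorthand: a bare address means that single host
            hit = wildcard_match(src_ip, rest[0], "0.0.0.0")
        if hit:
            return action == "permit"
    return False


def lint(config):
    """Return (code, detail) findings for the posted-config problems."""
    top, sections = parse_sections(config)
    acls = numbered_acls(config)
    findings = []
    if any(l.startswith("enable password") for l in top) and any(l.startswith("enable secret") for l in top):
        findings.append(("PLAINTEXT_ENABLE_PASSWORD", "enable secret is set; the plaintext enable password is redundant"))
    for header, body in sections.items():
        for line in body:
            words = line.split()
            if words[:2] == ["ip", "access-group"] and words[2] not in acls:
                findings.append(("DANGLING_ACL", f"{header}: ACL {words[2]} applied but never defined; IOS permits all traffic"))
            if words[0] == "access-class" and words[1] not in acls:
                findings.append(("DANGLING_ACL", f"{header}: access-class {words[1]} is not defined"))
            if words[0] == "access-class" and header.startswith("line con"):
                findings.append(("CONSOLE_ACCESS_CLASS", f"{header}: access-class filters network logins; it does nothing on the console"))
        if header.startswith("line vty") and not any(l.startswith("access-class") for l in body):
            findings.append(("VTY_NO_ACCESS_CLASS", f"{header}: no access-class; any host that reaches the router may try to log in"))
        if header.startswith("line ") and not any(l.startswith("login") for l in body):
            findings.append(("LINE_NO_LOGIN", f"{header}: no 'login'; an EXEC session opens without a password"))
    return findings


if __name__ == "__main__":
    for code, detail in lint(SAMPLE_CONFIG):
        print(f"{code:26} {detail}")
```

Run against the sample it reports six findings: the two undefined Ethernet0 ACLs, the access-class on the console, the console with no login, the VTYs with no access-class, and the plaintext enable password. Applying the console password and "access-class 1 in" on vty 0 4 from the reply above clears the three line findings; ACLs 100 and 101 still need to be defined or removed from Ethernet0.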
 