
Cisco 2600 New Router Config, Please can someone check for security?


enduranceaid (IS-IT--Management) | May 29, 2010 | 1 | GB
Hello All,

I have just installed a Cisco 2621 Router in a school as a NAT device. It is not yet being used by clients, as I am unsure whether it has been configured in the best way/securely. It has two Fast Ethernet interfaces, one to the internet (Fe0/1) and one to the LAN (Fe0/0). I have used Cisco IOS in the past, but I am out of touch with how things are done these days. Would someone mind having a look at my config file so far and checking for any hazards I may have found myself in, and general comments really?

Once working I will hope to implement the following:
---------------------------------------------
- The four IP subnets using Fe0/0 are to be VLANed off into VLAN IDs 1-4; is this possible using only one physical interface?
- Internal access to the router by SSH needs to be limited to users on subnet 192.168.0.x
- External access to the router by SSH can be from IPs in an ACL that I will create.
- Other future additions include firewall setup...


Any help would be a bonus, I am really out of my depth here!

Cheers

Matt


Description:
------------
- Timezone UK in summertime; I've set it to UTC +1 but I'm not sure the summer time setting is OK. The time is also set to sync with an NTP server.
- Two DNS servers have been specified; these must be used instead of the ones given by DHCP (they are provided by an internet filtering company to stop the kiddies looking at inappropriate material!)
- The user admin has been created for SSH access; no other users are required.
- Interface 0/0 has 4 IPs and is the internal NAT interface, NATting for all four IP subnets.
-- 10.0.0.x : Wireless clients
-- 192.168.0.x : Management network
-- 192.168.1.x : Office network
-- 192.168.2.x : Student network
- Interface 0/1 is connected to a cable modem for internet access and the IP is assigned using DHCP by the ISP (although we do have a static MAC binding so it never changes).
- No HTTP access is allowed, all configuration is by SSH.
- The time is synced by an NTP server.


----------------------SHOW VERSION----------------------
net-gateway#show version
Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(8), RELEASE SOFTWARE (fc1)
Technical Support: Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 15-May-06 14:17 by prod_rel_team

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

net-gateway uptime is 2 minutes
System returned to ROM by power-on
System image file is "flash:c2600-advsecurityk9-mz.124-8.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2621 (MPC860) processor (revision 1.2) with 61772K/3764K bytes of memory.
Processor board ID JAD044701UU
M860 processor: part number 0, mask 49
2 FastEthernet interfaces
32K bytes of NVRAM.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
--------------------------------------------------------

----------------------SHOW CONFIG-----------------------
Building configuration...

Current configuration : 1862 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname net-gateway
!
boot-start-marker
boot-end-marker
!
enable secret 5 <removed>
enable password <removed>
!
no aaa new-model
!
resource policy
!
clock timezone UTC 1
clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip routing
no ip cef
!
!
!
!
ip domain name internal.domainname.sch.uk
ip name-server 38.103.17.189
ip name-server 38.103.17.190
!
!
!
!
username admin password 0 <removed>
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.254 255.255.255.0 secondary
ip address 192.168.1.254 255.255.255.0 secondary
ip address 192.168.2.254 255.255.255.0 secondary
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
no ip http server
no ip http secure-server
ip nat pool WANPOOL <wanip> <wanip> netmask 255.255.252.0
ip nat inside source list 10 pool WANPOOL overload
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
!
!
control-plane
!
!
!
banner motd ^C
<motd message>
^C
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
ntp server 130.88.212.143
!
end
----------------------------------------------------------
 
Yes---router on a stick (subinterfaces, dot1q).

Also, you need to enable ssh...

username bla priv 15 secret blabla
!
crypto key generate rsa general-keys modulus 2048

2048 bits is sshv2 (Cisco calls it version 1.99 lol)

router on a stick...

interface FastEthernet0/0
 no shutdown
 ip nat inside
 ! NAT inside/outside is per (sub)interface, so each subinterface below needs it too
interface FastEthernet0/0.10
 description native-vlan-other-than-vlan-1-ha-ha-script-kiddies!
 encapsulation dot1Q 69 native
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/0.20
 description vlan20-admins
 encapsulation dot1Q 20
 ip address 10.20.20.1 255.255.255.0
 ip nat inside

There---how to set up the native VLAN (I recommend making it anything other than VLAN 1, because that's what Metasploit double-tagging VLAN-hopping script-kiddies expect).

Any more kweshtinz, just ask! ;)

Oh, yeah...

no ip http server
no ip http secure-server (unless you REALLY need to use SDM, as it is supported on your XM router)

if you do need https, then...

ip http secure-server
ip http authentication local

/


tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
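Pulling the review points of this thread together in one place: the script below is an added example, not code from the thread, from Tek-Tips or from Cisco. It is a small Python linter that parses a running-config the way Matt's was pasted (sub-commands unindented, sections separated by '!') and flags the hazards discussed above: 'no service password-encryption', the leftover 'enable password', the 'username admin password 0' line, 'no ip routing' (which stops the box forwarding between Fa0/0 and Fa0/1 at all, so the NAT never sees any traffic), a vty line with no 'access-class' (Matt's 192.168.0.x requirement), SSH allowed without 'ip ssh version 2', and aux/console lines with no lock-down. It also checks dot1q subinterfaces for native VLAN 1, the point made in the router-on-a-stick reply. The sample config, the ACL number 20 and the suggested fix lines are constructed for the example.

```python
"""Added example (not from the thread or from Cisco): a small linter for the IOS
hazards discussed above, run on a constructed copy of the poster's config."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the poster's config, trimmed to the lines the checks read.
# Sub-commands are unindented on purpose: the forum stripped IOS's leading spaces.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 <removed>
enable password <removed>
no ip routing
username admin password 0 <removed>
!
interface FastEthernet0/0
ip address 192.168.0.254 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
end
"""

SECTION_HEADERS = ("interface ", "line ", "router ")
Finding = Tuple[str, str, str]  # (severity, problem, IOS lines that fix it)


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and named sections. A section opens with
    a SECTION_HEADERS keyword and closes at the next '!', header or 'end'; indentation
    is ignored so real 'show run' output and forum pastes parse the same way."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "end":
            continue
        if line.startswith("!"):
            current = None
        elif line.startswith(SECTION_HEADERS):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, sections


def audit(config: str) -> List[Finding]:
    """One finding per hazard found, each with the IOS lines that remove it."""
    global_cmds, sections = parse_sections(config)
    out: List[Finding] = []
    if "no service password-encryption" in global_cmds:
        out.append(("medium", "'password' lines are stored in clear text",
                    "service password-encryption  ! type 7 is reversible, so also use 'secret' forms"))
    for cmd in global_cmds:
        if cmd.startswith("enable password"):
            out.append(("high", "'enable password' kept next to 'enable secret': only a weakly stored extra copy",
                        "no enable password"))
        m = re.match(r"username (\S+) password ", cmd)
        if m:
            out.append(("high", f"user '{m.group(1)}' has a clear-text or type-7 password",
                        f"username {m.group(1)} secret <new-password>"))
    if "no ip routing" in global_cmds:
        out.append(("functional", "'no ip routing': nothing is forwarded between interfaces, so NAT "
                    "never translates and the default route is ignored", "ip routing"))
    ssh_v2 = "ip ssh version 2" in global_cmds
    for name, body in sections.items():
        if name.startswith("line vty"):
            if not any(b.startswith("access-class") for b in body):
                # ACL 20 is a constructed number; 10 is already taken by the NAT list
                out.append(("high", f"{name}: no access-class, SSH accepted from any source",
                            f"access-list 20 permit 192.168.0.0 0.0.0.255\n{name}\n access-class 20 in"))
            if any(b.startswith("transport input") and "ssh" in b for b in body) and not ssh_v2:
                out.append(("medium", f"{name}: SSH allowed but SSHv1 still negotiable",
                            "crypto key generate rsa modulus 2048\nip ssh version 2"))
        elif name.startswith("line aux"):
            if "no exec" not in body and "transport input none" not in body:
                out.append(("medium", f"{name}: aux port still offers an exec prompt",
                            f"{name}\n no exec\n transport input none"))
        elif name.startswith("line con"):
            if not any(b.startswith("login") for b in body):
                out.append(("medium", f"{name}: console gives an exec with no login",
                            f"{name}\n login local\n exec-timeout 5 0"))
        elif name.startswith("interface") and "." in name:
            for b in body:
                m = re.match(r"encapsulation dot1[qQ] (\d+) native", b)
                if m and m.group(1) == "1":
                    out.append(("medium", f"{name}: native VLAN 1, where untagged frames land by default",
                                "encapsulation dot1Q <unused-vlan-id> native"))
    return out


if __name__ == "__main__":
    for sev, problem, fix in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {problem}\n    fix: " + fix.replace("\n", "\n         "))
```

Run it as-is and it prints eight findings for the posted config; feed it the output of 'show running-config' from a real box and the same checks apply, because the parser ignores indentation and only relies on the '!' separators and the 'interface'/'line' section headers that IOS always emits. Once the fixes are applied (secrets instead of passwords, 'ip routing', an access-class on the vty lines, 'ip ssh version 2', the aux and console lines locked down) the audit returns an empty list.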
 
Oh yeah---I'll get to IPS and CBAC firewall later, or even ZBF if you upgrade your image to Advanced Enterprise 12.4(25), which requires 128MB DRAM and 32MB flash (you only have 64/16). Right now I'm too tired...nighty-night.

 