sackohammers
Technical User
Hello. I'm new to Cisco. Have the cookbook. Spent several hours over the last several days looking at examples and coming up with my own config. I usually don't ask for handouts, but I need some help to stay sane. I'm at the point now where I need to ask for help - just to get things up and running.
Below is my config. It likely has many mistakes. Right now, I can't get DHCP working on the inside.
Cisco 871.
Port FE4 is connected to my cable modem. It's getting its address from the cable modem (DHCP) just fine. It even has DNS enabled and I can ping out successfully by hostname.
Port FE0 is for a guest VLAN - VLAN 21. This is for guests like my in-laws to plug in their virus-ridden laptops when they come over, so it doesn't affect my machines. Currently, DHCP isn't working here.
Ports FE1-3 are for VLAN 11, where I'll have my machines.
This is where DHCP is failing. My machines inside are not getting an address from the router.
I have no idea what I'm doing with firewalls and it is possible the firewall settings I have are getting in the way. The firewall config I do have on there was taken from the tutorial over at tech-republic.
Any help is greatly appreciated. Please help me get DHCP up and running. Also, any advice on making the firewall more secure is greatly appreciated. With my current knowledge I wouldn't know if I were leaving any gaping holes open or not. Once I get the thing up and running, then I want to endeavor to understand more about the firewall configuration and learn on my own.
Eventually, I'll want to implement QoS (for gaming, no VOIP). If there is an easy way to implement that, I'd appreciate advice there as well.
Config pasted below:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FW
!
boot-start-marker
boot-end-marker
!
enable secret <Removed by Poster>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
ip domain name <Removed by Poster>
!
crypto key generate rsa
1024
ip ssh time-out 120
ip ssh authentication-retries 4
ip ssh version 2
!
!
ip cef
!
! I might be missing some passwords here
line con 0
no modem enable
line aux 0
line vty 0 4
! This line removes "Telnet" as the default command when in terminal mode - to prevent timeouts when a typo is entered
transport preferred none
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.100 10.10.10.254
ip dhcp excluded-address 10.10.20.100 10.10.20.254
!
service dhcp
!
ip dhcp pool VLAN11
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.254
domain-name <Removed by Poster>
lease 4
!
ip dhcp pool VLAN21
import all
network 10.10.20.0 255.255.255.0
default-router 10.10.20.254
domain-name <Removed by Poster>
lease 4
!
!
ip inspect log drop-pkt
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW icmp
! Dynamic DNS to update IP address with no-IP.com
ip ddns update method MYUPDATE
HTTP
add by Poster>:<Removed by Poster>%40dynupdate.no-ip.com/nic/update%3Fhostname=<Removed by Poster>
! remove by Poster>:<Removed by Poster>%40dynupdate.no-ip.com/nic/update%3Fhostname=<Removed by Poster>
interval maximum 0 0 2 0
interval minimum 0 0 1 0
!
!
multilink bundle-name authenticated
!
!
username rtradmin secret <Removed by Poster>
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
switchport access vlan 21
no shut
!
interface FastEthernet1
switchport access vlan 11
no shut
!
interface FastEthernet2
switchport access vlan 11
no shut
!
interface FastEthernet3
switchport access vlan 11
no shut
!
interface FastEthernet4
! Dynamic DNS to update IP address with no-IP.com
ip ddns update hostname <Removed by Poster>
ip ddns update MYUPDATE
!
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect MYFW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface VLAN11
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
!
interface VLAN21
description Guest Network
no ip address
ip nat inside
ip virtual-reassembly
!
! ip forward-protocol udp
!
no ip http server
no ip http secure-server
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
! Turning off diag info to improve security
no cdp run
!
!
!
!
control-plane
!
banner login ^C
+--------------------------------------------------------------------+
/ WARNING /
/ ------- /
/ This system is solely for the use of authorized users for official /
/ purposes. You have no expectation of privacy in its use and to /
/ ensure that the system is functioning properly, individuals using /
/ this computer system are subject to having all of their activities /
/ monitored and recorded by system personnel. Use of this system /
/ evidences an express consent to such monitoring and agreement that /
/ if such monitoring reveals evidence of possible abuse or criminal /
/ activity, system personnel may provide the results of such /
/ monitoring to appropriate officials. /
+--------------------------------------------------------------------+
^C
!
!
scheduler max-task-time 5000
end
FW#
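As an added example (not part of the original post or of any Cisco tool), a small Python lint run over a constructed excerpt of this config with indentation restored: it reports why the router cannot serve the DHCP pools (the VLAN SVIs have `no ip address`, so no interface sits in a pool's subnet), that Internet-inbound-ACL is defined but never applied, and that `ip nat inside` has no matching `ip nat outside`. The excerpt keeps only pool VLAN11 and interfaces FastEthernet4 and VLAN11; the same checks apply unchanged to VLAN21.

```python
import ipaddress
import re

# Constructed excerpt of the posted Cisco 871 config with indentation restored (not the full config).
CONFIG = """\
ip dhcp pool VLAN11
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.254
interface FastEthernet4
 ip address dhcp
interface VLAN11
 no ip address
 ip nat inside
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
"""

def parse_blocks(config):
    """Split IOS config into (top-level line, [indented sub-commands]) stanzas."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def audit(config):
    """Return findings that explain why DHCP fails and where the firewall is unfinished."""
    blocks = parse_blocks(config)
    ifaces = {h.split(None, 1)[1]: subs for h, subs in blocks if h.startswith("interface ")}
    # Addresses actually bound to interfaces; "ip address dhcp" has no mask and is skipped.
    bound = [ipaddress.ip_interface(f"{m[1]}/{m[2]}") for subs in ifaces.values()
             for s in subs if (m := re.match(r"ip address (\S+) (\S+)$", s))]
    findings = []
    for h, subs in blocks:
        if h.startswith("ip dhcp pool "):
            net = next(s.split()[1:] for s in subs if s.startswith("network "))
            subnet = ipaddress.ip_network("/".join(net))
            # IOS selects a pool by the subnet of the receiving interface: no SVI address, no pool.
            if not any(b.ip in subnet for b in bound):
                findings.append(f"pool {h.split()[-1]}: no interface addressed in {subnet}")
    applied = {s.split()[2] for subs in ifaces.values() for s in subs if s.startswith("ip access-group ")}
    for h, _ in blocks:
        if h.startswith("ip access-list ") and h.split()[-1] not in applied:
            findings.append(f"acl {h.split()[-1]}: defined but never applied with ip access-group")
    if any("ip nat inside" in subs for subs in ifaces.values()) and \
       not any("ip nat outside" in subs for subs in ifaces.values()):
        findings.append("nat: 'ip nat inside' set but no interface has 'ip nat outside'")
    return findings
```

Running `audit(CONFIG)` returns three findings for the excerpt; once the SVI carries the pool's default-router address, the ACL is applied inbound on FastEthernet4 and that interface is marked `ip nat outside`, the list comes back empty.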