
help for internet config on a 2811 router

sukadelic

IS-IT--Management
Apr 13, 2009
Recently I had a task to configure an internet connection on a 2811 router, but I'm a newbie so not sure I did it correctly.

First of all, my router has only 2 Fast ethernet ports. Also, what's the purpose of backend IPs. Here is the config below (ip has been modified):

ISP config: Router Interface: CAR1.NWR1 PC105
Switch Port: MCD101.NWR1 :interface 1/0/18
Vlan: 141
Front-End IPs: 4.1.1.0/30 (Level3 side: 4.1.1.2, Customer side: 4.1.1.1)
Back-End IPs: 8.8.8.0/24 (Useables: 8.8.8.1 - 8.8.8.254)

My router config:

Current configuration : 1338 bytes
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname 120B_Internet
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$kEJE$bMaRvgVqPbrrJpdiBYarE1
!
no aaa new-model
!
resource policy
!
clock timezone est -5
clock summer-time EDT recurring
!
!
ip cef
!
!
no ip domain lookup
ip accounting-threshold 1000
!
!
voice-card 0
no dspfarm

interface FastEthernet0/0
description Link to ISP - Level3
ip address 4.1.1.2 255.255.255.252
ip accounting output-packets
duplex full
speed 100
!
interface FastEthernet0/1
no ip address
duplex full
speed auto
!
interface FastEthernet0/1.1
description Management VLAN 1 - Native Vlan
encapsulation dot1Q 1 native
ip address 8.8.8.1 255.255.255.0
no snmp trap link-status
!
!
!
ip http server
no ip http secure-server
!
logging synchronous
login
line aux 0
password 7 1316021F0609167372
login
line vty 0 4
password 7 04481E0B02245E1750
login
transport input none
line vty 5 1180
login
transport input none
!
scheduler allocate 20000 1000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
!
end


I didn't create any ACL and NAT yet. Please correct my config if it's wrong.

thank you very much!!
 
Are you doing router-on-a-stick?

If so, you'll have a major bottleneck for all vlans/vlan users and a single point of failure...not a good idea.

Also, I would make the native vlan something other than vlan 1, and I would definitely not put an entire subnet of users on the native vlan!

Burt
 
Yes, I'm doing router-on-a-stick.

Any suggestion on solving my problem? Please help?

Basically my setup is ISP -> router -> switch -> 2 firewalls. Without a vlan 1, how does the router talk to the switch?
 
I said make the native vlan something OTHER than "vlan1", like "vlan763" or something.

What problem are you having? You never mentioned any problems...also, as far as any suggestions go, I already made a few! How many users are we talking here?

Burt
 
Hi Burt
He said he's a newbie. So you may need to show him some examples. We don't want him to bring down the company's network :)
Regards
 
Hi Burt,

there will be 100 users sharing this internet line.

Is it correct to assign one of the back-end IPs to the switch fa0/1 (a whole /24 of usable IPs available) and 2 firewalls?

Behind firewalls is office Lan, which uses 192.168.47.0 and 192.168.48.0. Should I need to configure the router to see them as well or firewall does it?

thanks
 
not the switch fa0/1...it's the router fa0/1 to the switch
 
1. Don't use the 8.8.8.x subnet internally.

2. Ditch the router and get a layer 3 switch.
 
I'm not using the 8.8.8.x subnet for internal office use. This subnet was given by the ISP for public use (NATing from internal), which lives before the firewalls.
 
The front end addresses are for the outside interface on your router and the ISP's router. Essentially all you need to apply is the front end address 4.1.1.1 on your router's outside interface and create a static route to the ISP address 4.1.1.2. (You have set 4.1.1.2 on your inside interface so you'll need to change it.)
The command for the static default route is IP ROUTE 0.0.0.0 0.0.0.0 4.1.1.2 but you will need to set your inside (back end address) first.

The back end address range is your public address space. They gave you a class C CIDR block of 256 addresses from a class A address. It appears that you selected 8.8.8.1/24 for your inside gateway address.

You should have traffic flowing through the router at this point. Go to Cisco.com and search for instructions on how to configure the router for use with SDM.

I believe your router is capable of using it and since you said you are a newbie the SDM GUI is a better choice than the command line. There is an option to do an automatic security assessment and lock down tool.
Before you do this though, considering that the AUX and VTY password on that configuration is summer99 you may want to change them and sanitize your posts in the future before bringing the router online.
 
what tool did you use to crack the AUX and VTY password?

thanks for your tips!
 
As I mentioned in posts several months ago, brute force attacks are pretty easy given the ciphertext output and the known one-way encryption algorithm.

It's best to not post the password cryptogram since it is so weakly protected.

[the other] Bill
 
Disregard my last post, I now realize that level 3 does own that address space.
 
That's not a brute force attacker, Bill---the website with the Java script, anyway. It is written in C...the guy Pete that originally came up with it from the report on Bugtraq is found here...

The code can be found here

John the Ripper also cracks level 7 passwords, but not level 5 (MD5).

Burt
 
Password crackers are a dime a dozen. Just do a google search and have a field day. (I recommend installing a VM tool such as Sun's Virtual Box and create a xVM workstation from a Linux live CD or something to browse sites like these)
is a good source for hack tools. I know a lot of folks are opposed to sharing information like this but as an admin you need to keep a finger on the pulse of the dark side so you know what you are up against.

By the way the enable secret password appears to be the same as the AUX and VTY passwords.
 
And how would you know what the enable secret password is? Not that MD5 is un-crackable, but did you crack that cipher?

Burt
 
It was a lucky guess. Basically, I was reversing the process.
Cain does have a MD5 brute force tool but you can also test passwords against the hash. Amazing enough by assuming he used the same password on both AUX and VTY he would also use the same password for his enable secret. It is the convenience vs security problem. I guessed he wants more convenience than security. So I just seeded the crack tool with the plain text password that I already found which came back as a match. I didn't really crack the password but used the tool to basically confirm it with a known password.

It's nothing amazing at all.
 
Actually, I don't think the IOS will let you make the secret the same as the console or vty passwords...

The hash would be different every time..."So I just seeded the crack tool with the plain text password that I already found which came back as a match."---so what matched? Just curious...

Burt
 
You could also run the "router# auto secure" command to help lock down the router, if you do not want to download the SDM.
 
After reading what you wrote I had to double check myself and realized I made a mistake - I'm man enough to admit..what happened in Cain happens no matter what I plug into it. (Guess I shouldn't pretend to know what I'm talking about.) Thanks for checking me and being polite about it. My first clue should have been what shows up in the config file is not a 16 bit hex hash. (The dollar signs should have been the second clue) I made a mistake so disregard the part about the enable secret password -

I can however say that the IOS does allow the same password set for CON/VTY/AUX and enable secret. Because I have to question myself now, I just confirmed it with a brand new 2811 I just pulled out of the box. At the command line, it allows me to set all passwords as the same. (The IOS is: (2800NM-ADVIPSERVICESK9-M), Version 12.4(3i).)
However, it will not let me set the enable secret to be the same as the enable password. Is that what you are talking about?

Thanks for the integrity check though - I really do appreciate it.
 