Help me understand this network config - 1700 -> 871


jme77 (IS-IT--Management), Jan 22, 2006
Hello,

We currently have the following network configuration:

T1 -> Cisco 1700 (w/ CSU/DSU) -> Cisco 871 -> Switch ->LAN

Here are the configs on each router:

1700:
Code:
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname blah
!
enable secret 5 xxxx
enable password 7 xxxx
!
username none privilege 15 password 7 xxxx
username none2 privilege 15 password 7 xxxx
!
!
!
!
memory-size iomem 25
ip subnet-zero
ip name-server xxxx
!
!
process-max-time 200
!
interface Serial0
 ip address ISP.GATEWAY.ADDRESS 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 service-module t1 timeslots 1-24
!
interface BRI0
 no ip address
 no ip directed-broadcast
 shutdown
 isdn guard-timer 0 on-expiry accept
!
interface FastEthernet0
 ip address ONE.PUBLIC.IP.98 255.255.255.248
 no ip directed-broadcast
 ip nat inside
!
router rip
 version 2
 passive-interface Serial0
 network OUR.NETWORK.ADDRESS.0
 no auto-summary
!
ip nat pool GLOBALPOOL ONE.PUBLIC.IP.98 ONE.PUBLIC.IP.98 netmask 255.255.255.248
ip nat inside source list 1 pool GLOBALPOOL overload
ip classless
ip route 0.0.0.0 0.0.0.0 ISP.ROUTE.IP
ip route 192.168.1.0 255.255.255.0 PUBLIC.IP.OF.871
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7 xxxx
 login
!
end

871:
Code:
Current configuration : 5948 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname blah2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxx
enable password 7 xxx
!
username xxx privilege 15 secret 5 xxx
username xxx privilege 0 password 7 xxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
aaa session-id common
ip subnet-zero
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.1.100 192.168.1.200
!
ip dhcp pool lanpool
   network 192.168.1.0 255.255.255.0
   dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 
   default-router 192.168.1.1 
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip ssh time-out 15
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
! 
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxx
 key xxx
 pool ippool
 acl 105
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac 
!
crypto dynamic-map dynmap 10
 set transform-set myset 
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
!
bridge irb
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 ip address ONE.PUBLIC.IP.99 255.255.255.248
 ip access-group 101 in
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map clientmap
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 40bit 7 xxxx transmit-key
 encryption mode wep mandatory 
 !
 ssid xxxx
    authentication open 
    guest-mode
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool ippool 192.168.2.1 192.168.2.254
ip classless
ip route 0.0.0.0 0.0.0.0 IP.ADDRESS.OF.1700
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload

!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit icmp any any
access-list 101 permit tcp any host 192.168.1.5 eq www
access-list 101 permit tcp any host 192.168.1.5 eq 22
access-list 101 permit tcp any host 192.168.1.5 eq smtp
access-list 101 permit esp any any
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit gre any any
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
access-list 101 permit tcp any host 192.168.1.5 eq 8080
access-list 102 permit ip any any
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

no cdp run
route-map nonat permit 10
 match ip address 110
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 transport preferred all
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 xxxx
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
no scheduler allocate
end

This setup is for a small business, 15 workstations and 1 linux webserver. I have a few questions about this setup as I don't think it is very good.

1.) Why would the 871 have a public IP address? This seems like a waste of our public IP space.
2.) Should the NAT'ing and DHCP be moved out to the 1700?
3.) Is it better to set up the 871 as a WAP only? (after doing #2, giving the eth interface on the 1700 a secondary IP of 192.168.1.1 and plugging it directly into the switch).
4.) Can I setup a site to site VPN with this equipment?
5.) Why is NAT'ing setup on the 1700 when everything goes out the 871?
6.) What config change do I need to be able to telnet into the 871 from the 1700?
7.) Am I the only one who thinks this network config is strange?

I've just "inherited" this network and am in the process of re-designing it. The first thing I'm going to purchase is a PIX 501.



Thanks!
-j

 
I would suggest that you don't use telnet from outside your network. Telnet is sent in clear text.

Your setup
T1 -> Cisco 1700 (w/ CSU/DSU) -> Cisco 871 -> Switch ->LAN
is common.

Your 1700 is your border router. If you are looking into new equipment perhaps the new Cisco ASA may be of interest. If your business is not large enough to have a need for an ASA perhaps something along the lines of a 2800 series?

----------------------
 
By the subnet mask I assume that you have the standard 8 block of address space. If this were my setup I would remove the NAT from the 1700 and modify the 871W accordingly. You do not need the route to your private LAN as the 1700 and the 871W are on the same subnet and it will know how to get there. The 871W must use one of your public IP addresses as it is set up to work as a VPN server for your remote clients.

On the 1700 I would add the following

access-list 12 permit host (Outside IP Address Of 871W)

line vty 0 4
 access-class 12 in

This will allow you to only telnet into that router from your 871W router...effectively stopping telnet access from the internet.

I would also remove RIP from the 1700; as you are not using it on the 871 it is not necessary, so long as you have the static route to your ISP. Also disable CDP on that router as well...no sense sending that info to the internet.



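A small config audit in Python, added here as an illustration and not part of the thread: it parses a constructed excerpt shaped like the 1700 config above and reports the points the reply raises (cleartext telnet on the vty lines, no access-class restricting them, RIP still running, CDP not disabled). The access-list number 12 and the placeholder management host follow the reply; the assumption that a vty line with no transport input statement accepts telnet is mine.

```python
# Constructed excerpt modelled on the 1700 config posted in the thread
# (placeholders kept, secrets omitted); not the poster's full config.
SAMPLE_CONFIG = """\
hostname blah
!
router rip
 version 2
 passive-interface Serial0
!
line vty 0 4
 password 7 xxxx
 login
!
end
"""

def parse_sections(text):
    """Split an IOS config into (header, [indented child lines]) pairs."""
    sections, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = (line.strip(), [])
            sections.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return sections

def audit(text, mgmt_host="(Outside IP Address Of 871W)"):
    """Return the findings the replies raise: open/cleartext vty, RIP, CDP."""
    findings = []
    sections = parse_sections(text)
    headers = {h for h, _ in sections}
    for header, children in sections:
        if header.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            # Assumption: with no 'transport input', the vty lines accept telnet.
            if not transport or any("telnet" in c for c in transport):
                findings.append(f"{header}: cleartext telnet accepted; prefer transport input ssh")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"{header}: no access-class; add 'access-list 12 permit host {mgmt_host}' and 'access-class 12 in'")
    if "router rip" in headers:
        findings.append("router rip: not needed alongside the static default route; remove it")
    if "no cdp run" not in headers:
        findings.append("cdp: still enabled on the border router; add 'no cdp run'")
    return findings
```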
 
Why go with a PIX? What will that give you that your 871W will not? The 871W is part of Cisco's new ISR router lineup. With the right feature set it will allow for FW/IPS VPN and no need to purchase any licenses as you must for the PIX. It is a full featured router. I would check out its capabilities and compare to your needs before replacing it.
 