
My Lab router... Security Ideas?


tdmneil (Programmer, GB), Jan 11, 2011
Hi all, I'm after a bit of advice. I've built a lab with the following:

1801W DSL Router as internet gateway (using NO-IP.org for DDNS)
1841 used just for DNS and DHCP (2x subnets: 1 voice, 1 data), to sort of simulate a Windows server that would do the same.
2651 Used as a dialup backup circuit HSRP'd with the 1801W
3560 POE Switch
Mitel 3300 CXI (This is my main skill, I'm teaching myself Cisco!)
2821 Used as a PRI and BRI simulator for the Mitel

2x Vlans (Voice Vlan2 and data untagged Vlan1)

I have managed to set up and get working (to my surprise!!) a Cisco VPN client on a laptop; my Mitel softphone registers and works well, and I can reach both subnets via the VPN.

Everything works well so far, but my knowledge of firewalls and good ACL security is next to none. I did use Cisco CP to create a firewall setup, but it ended up blocking most internet traffic and seemed to have a lot of spurious entries such as Yahoo Messenger and eDonkey?? Below I've pasted the config for my 1801W. Can anyone suggest any improvements I could make? It's only in use by myself and not part of a real live setup left connected all the time.

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ADSL_GW
!
boot-start-marker
boot-end-marker
!
!
logging buffered 10000
enable secret 4 ******
!
aaa new-model
aaa local authentication attempts max-fail 3
!
!
aaa authentication login default local
aaa authentication login local_auth local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone gmt 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2840028802
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2840028802
revocation-check none
rsakeypair TP-self-signed-2840028802
!
!
crypto pki certificate chain TP-self-signed-*
certificate self-signed 01
******
quit
dot11 syslog
!
dot11 ssid Cisco_AP01
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 ******
!
ip source-route
!
!
no ip dhcp use vrf connected
!
!
!
ip cef
ip domain name moorhill.local
ip name-server 62.6.40.178
ip name-server 194.72.9.38
ip ddns update method myupdate
!
ip ddns update method no-ip
HTTP
add interval maximum 0 0 5 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1801W-AG-E/K9 sn *****
archive
log config
hidekeys
username ***** password 7 ******
username ****** password 7 *******
!
!
track 1 interface ATM0 line-protocol
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group *******
key *********
dns 192.168.10.1
pool SDM_POOL_1
acl 101
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group ********
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
bridge irb
!
!
!
!
interface ATM0
no ip address
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
ip flow ingress
pvc 0/38
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 30
!
!
ssid Cisco_AP01
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 30
!
!
ssid Cisco_AP01
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface FastEthernet0
no ip address
shutdown
speed 100
full-duplex
!
interface FastEthernet1
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet4
description trunk to dhcp_rtr
switchport trunk allowed vlan 1-1005
switchport mode trunk
switchport voice vlan 2
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet5
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet6
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet7
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet8
description trunk_to_SW1
switchport trunk allowed vlan 1-1005
switchport mode trunk
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
no ip address
bridge-group 1
!
interface Vlan2
description Voice
ip address 192.168.2.200 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
ip ddns update hostname *******
ip ddns update no-ip
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ******
ppp chap password 7 *******
!
interface Dialer100
no ip address
!
interface BVI1
ip address 192.168.10.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 1 ip 192.168.10.254
standby 1 priority 110
standby 1 preempt
standby 1 track 1 decrement 110
!
ip local pool SDM_POOL_1 192.168.10.210 192.168.10.215
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.10.200 9100 interface Dialer1 9100
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
banner exec ^CCCC





************

^C
!
line con 0
line aux 0
line vty 0 4
login authentication local_auth
transport input telnet
transport output none
!
ntp server 130.88.200.6
end
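One way to check a config like the one above for the weak settings a reviewer would look at first (telnet on the vty lines, no access-class on them, 3DES with DH group 2 in the IKE policy, TKIP on the radios, no inbound ACL on the NAT outside interface, ip source-route left on) is a small audit script. This is an added example, not from the thread and not Cisco CP output; the sample config inside it is a constructed excerpt modelled on the posted ADSL_GW config, indented as 'show run' prints it, and the check list and advice strings are my own.

```python
import re

# Constructed sample modelled on the posted ADSL_GW config, indented as 'show run' prints it.
SAMPLE = """\
ip source-route
crypto isakmp policy 1
 encr 3des
 group 2
!
interface Dot11Radio0
 !
 encryption vlan 1 mode ciphers tkip
!
interface Dialer1
 ip nat outside
!
line vty 0 4
 transport input telnet
"""
BLOCK_START = re.compile(r"^(interface|line|crypto isakmp policy) \S.*$")

def parse_blocks(text):
    """Split a config into (header, body) blocks; header '' holds global lines."""
    blocks, header, body = [], "", []
    for raw in text.splitlines() + ["!"]:  # the trailing '!' flushes the last block
        line = raw.strip()
        if raw == "!" or BLOCK_START.match(line):  # only an unindented '!' ends a block
            blocks.append((header, body))
            header, body = ("" if line == "!" else line), []
        elif line and line != "!":  # skip blanks and the indented '!' separators
            body.append(line)
    return blocks

# (header regex, body regex that must match, body regex that must not match, advice)
CHECKS = [
    ("^$", r"^ip source-route$", None, "ip source-route is on; set 'no ip source-route'"),
    ("^line vty", r"^transport input .*telnet", None, "cleartext telnet; use 'transport input ssh'"),
    ("^line vty", None, r"^access-class ", "no access-class limiting where management logins come from"),
    ("^crypto isakmp policy", r"^(encr 3des|group 2)$", None, "3DES / DH group 2; prefer AES and a stronger group"),
    ("^interface", r"ciphers tkip", None, "WPA/TKIP; prefer WPA2 with AES-CCMP"),
    ("^interface", r"^ip nat outside$", r"^ip access-group \S+ in$", "WAN (NAT outside) interface has no inbound ACL"),
]

def audit(text):
    return [f"{header or 'global'}: {advice}"
            for header, body in parse_blocks(text)
            for head_re, want, forbid, advice in CHECKS
            if re.match(head_re, header)
            and (want is None or re.search(want, "\n".join(body), re.M))
            and (forbid is None or not re.search(forbid, "\n".join(body), re.M))]
```

Running `audit(SAMPLE)` lists one line per finding, block by block; a block that already carries the fix (for example `ip access-group ... in` on Dialer1) produces nothing.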