Hi all, I'm after a bit of advice. I've built a lab with the following:
1801W DSL Router as internet gateway (Using NO-IP.org for ddns)
1841 used just for DNS and DHCP (2 subnets: 1 voice, 1 data), to roughly simulate a Windows server that would do the same.
2651 Used as a dialup backup circuit HSRP'd with the 1801W
3560 POE Switch
Mitel 3300 CXI (This is my main skill, I'm teaching myself Cisco!)
2821 Used as a PRI and BRI simulator for the Mitel
2 VLANs (voice on VLAN 2, data untagged on VLAN 1)
I have managed to set up and get working (to my surprise!) a Cisco VPN client on a laptop; my Mitel softphone registers and works well, and I can reach both subnets via the VPN.
Everything works well so far, but my knowledge of firewalls and good ACL security is next to none. I did use Cisco CP to create a firewall setup, but it ended up blocking most internet traffic and seemed to have a lot of spurious entries such as Yahoo Messenger and eDonkey. Below I've pasted the config for my 1801W; can anyone suggest any improvements I could make? It's only used by me, and it isn't part of a real live setup that's left connected all the time.
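! ----------------------------------------------------------------------
! ADSL_GW (CISCO1801W, IOS 15.1) - annotated review copy of the running-config.
! What the lines below configure:
!   * WAN: PPPoA on ATM0.1 (PVC 0/38) -> Dialer1, negotiated address,
!     NAT outside, no-ip DDNS.
!   * Data LAN: Vlan1 + both radios bridged (bridge-group 1) onto BVI1
!     192.168.10.253, HSRP VIP 192.168.10.254 tracking ATM0.
!   * Voice LAN: Vlan2 192.168.2.200.
!   * Remote-access IPsec VPN (IKEv1 client group, Virtual-Template1,
!     client addresses 192.168.10.210-215, split tunnel = ACL 101).
!   * PAT of both LANs behind Dialer1 plus a static forward of TCP 9100.
! Two deliberate changes are marked CHANGED: source routing is disabled,
! and ACL 23 is defined and applied to the vty lines. Everything else is
! left as it was; review remarks are marked NOTE(review).
! ----------------------------------------------------------------------
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): this only yields type 7 strings, which are reversible; it
! hides passwords from shoulder-surfing, not from anyone holding the config.
service password-encryption
!
hostname ADSL_GW
!
boot-start-marker
boot-end-marker
!
!
logging buffered 10000
! NOTE(review): "secret 4" is a type 4 hash. Cisco withdrew type 4 because
! its implementation turned out weaker than the type 5 it replaced; on a
! release that offers type 8/9, re-enter the enable secret so it is
! re-hashed.
enable secret 4 ******
!
aaa new-model
! NOTE(review): after three failed logins the local account is locked until
! "clear aaa local user lockout username <name>". While the vty lines accept
! telnet from the internet (see Dialer1 / vty notes) any scanner can lock
! out the admin and VPN-XAUTH accounts. Prefer
! "login block-for <secs> attempts <n> within <secs>", which rate-limits the
! line instead of disabling the account, or keep max-fail only once remote
! access is confined to the LAN.
aaa local authentication attempts max-fail 3
!
!
! Console and any line without an explicit list use "default" -> local users.
aaa authentication login default local
aaa authentication login local_auth local
! XAUTH user list for the remote-access VPN (same local usernames as the CLI).
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone gmt 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
crypto pki token default removal timeout 0
!
! Self-signed certificate for the HTTPS server. Both HTTP servers are
! disabled further down, so it is unused at present.
crypto pki trustpoint TP-self-signed-2840028802
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2840028802
revocation-check none
rsakeypair TP-self-signed-2840028802
!
!
crypto pki certificate chain TP-self-signed-*
certificate self-signed 01
******
quit
dot11 syslog
!
! Wireless SSID, bridged straight into the data LAN (vlan 1 -> BVI1), so a
! wireless client is a LAN host with no further filtering.
! NOTE(review): key-management "wpa" with the "tkip" cipher on both radios
! is WPA1/TKIP, which is deprecated. If the clients allow it, use
! "authentication key-management wpa version 2" here and
! "encryption vlan 1 mode ciphers aes-ccm" on both radios. A PSK is only as
! strong as its length and randomness.
dot11 ssid Cisco_AP01
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 ******
!
! CHANGED: was "ip source-route". Source-routed packets let the sender
! override the routing table; nothing in this lab needs that.
no ip source-route
!
!
no ip dhcp use vrf connected
!
!
!
ip cef
ip domain name moorhill.local
! Upstream resolvers used by "ip dns server" below.
ip name-server 62.6.40.178
ip name-server 194.72.9.38
! NOTE(review): "myupdate" has no body in this paste and no interface
! references it (Dialer1 uses "no-ip"); it can be removed.
ip ddns update method myupdate
!
! NOTE(review): the update URL is not shown here (presumably trimmed because
! it carries the no-ip credentials). If it is a plain http:// URL those
! credentials cross the internet in clear each update - check.
ip ddns update method no-ip
HTTP
add interval maximum 0 0 5 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1801W-AG-E/K9 sn *****
archive
log config
hidekeys
! NOTE(review): "password 7" stores a reversible type 7 string. These
! accounts are used for both CLI login and VPN XAUTH; re-enter them as
! "username <name> secret <password>" so only a hash is kept.
username ***** password 7 ******
username ****** password 7 *******
!
!
! Track the DSL line so BVI1's HSRP priority drops (110 - 110 = 0) when ATM0
! goes down and the 2651 dial-backup router takes the 192.168.10.254 VIP.
track 1 interface ATM0 line-protocol
!
!
! IKEv1 phase 1 for the Cisco VPN client (group PSK, i.e. aggressive mode).
! NOTE(review): 3DES / DH group 2 / SHA-1 (transform-set below) are legacy
! choices; the VPN client supports AES, so "encr aes 256" in the policy and
! "esp-aes 256" in the transform-set are the straightforward upgrade - a
! stronger DH group only if the client offers it. Because the group key is
! what protects phase 1 against offline guessing, make it long and random.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
! Remote-access client group: addresses from SDM_POOL_1, DNS pushed =
! 192.168.10.1 (the 1841), split-tunnel list = ACL 101 (both LANs).
crypto isakmp client configuration group *******
key *********
dns 192.168.10.1
pool SDM_POOL_1
acl 101
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group ********
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
! Integrated routing and bridging: Vlan1 and both radio subinterfaces form
! bridge-group 1, which is routed through BVI1.
bridge irb
!
!
!
!
interface ATM0
no ip address
ip flow ingress
no atm ilmi-keepalive
!
! PPPoA on VPI/VCI 0/38, handed to dialer pool 1 (-> Dialer1).
interface ATM0.1 point-to-point
ip flow ingress
pvc 0/38
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
! ISDN port, unused and shut.
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
! 2.4 GHz radio (b/g rates). NOTE(review): tkip - see the dot11 ssid note.
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 30
!
!
ssid Cisco_AP01
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
station-role root
!
! Native VLAN 1 of the radio into bridge-group 1 (the data LAN).
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
! 5 GHz radio (a rates), same SSID and cipher as Dot11Radio0.
interface Dot11Radio1
no ip address
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 30
!
!
ssid Cisco_AP01
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
! Routed Ethernet port, unused and shut.
interface FastEthernet0
no ip address
shutdown
speed 100
full-duplex
!
! Fa1-3 and Fa5-7: phone/PC access ports - untagged data on VLAN 1 (BVI1),
! tagged voice on VLAN 2.
interface FastEthernet1
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport voice vlan 2
no ip address
spanning-tree portfast
!
! Trunk to the 1841 (DNS/DHCP for both VLANs).
interface FastEthernet4
description trunk to dhcp_rtr
switchport trunk allowed vlan 1-1005
switchport mode trunk
switchport voice vlan 2
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet5
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet6
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet7
switchport voice vlan 2
no ip address
spanning-tree portfast
!
! Trunk to the 3560 PoE switch.
interface FastEthernet8
description trunk_to_SW1
switchport trunk allowed vlan 1-1005
switchport mode trunk
no ip address
duplex full
speed 100
spanning-tree portfast
!
! Per-client IPsec VTI for the remote-access VPN; borrows Dialer1's address.
interface Virtual-Template1 type tunnel
ip unnumbered Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
! Data VLAN: no address of its own, bridged to BVI1.
interface Vlan1
no ip address
bridge-group 1
!
! Voice VLAN gateway.
interface Vlan2
description Voice
ip address 192.168.2.200 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
! WAN: PPP session from ATM0.1, address negotiated with the ISP, NAT outside,
! DDNS hostname kept current at no-ip.
! NOTE(review): there is no "ip access-group ... in" here and no
! "ip inspect" / zone-based firewall anywhere in this config. NAT drops
! unsolicited inbound traffic to LAN hosts (no translation exists for it),
! but everything the router itself listens on is reachable from the
! internet: the vty lines (now limited to the LANs by ACL 23), IKE udp/500
! and udp/4500 plus ESP (wanted, for the VPN), the recursive DNS service
! enabled by "ip dns server", and TCP 9100 through the static NAT below.
! A plain inbound ACL cannot admit the return half of LAN-initiated flows,
! which is why a hand-built filter ends up "blocking most internet
! traffic"; use CBAC ("ip inspect" on Dialer1) or the zone-based firewall
! so return traffic is admitted statefully, and keep the static ACL to the
! VPN ports, ICMP and whatever the port-forward needs. The yahoo-messenger /
! edonkey entries Cisco CP produced are most likely its default
! application-inspection class-maps; they can be dropped.
interface Dialer1
ip ddns update hostname *******
ip ddns update no-ip
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ******
ppp chap password 7 *******
!
! Unused.
interface Dialer100
no ip address
!
! Data LAN gateway. HSRP group 1 with the 2651: priority 110, preempt, and
! the priority falls to 0 when track 1 (ATM0) is down.
! NOTE(review): HSRP has no authentication, so any host on VLAN 1 or the
! wireless could claim the VIP; "standby 1 authentication md5 key-string
! <key>" on both routers if the lab warrants it.
interface BVI1
ip address 192.168.10.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 1 ip 192.168.10.254
standby 1 priority 110
standby 1 preempt
standby 1 track 1 decrement 110
!
! VPN client addresses, carved out of the data subnet. The 1841's DHCP
! scope (not visible here) must exclude .210-.215.
ip local pool SDM_POOL_1 192.168.10.210 192.168.10.215
ip forward-protocol nd
! Both HTTP servers are off (Cisco CP cannot connect until one is
! re-enabled). The access-class now resolves to ACL 23, defined below; it
! was undefined, and IOS treats an undefined access-class list as
! permit-all.
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! NOTE(review): this makes the router answer DNS queries arriving on any
! interface, Dialer1 included, forwarding them to the name-servers above -
! an open resolver that can be abused for reflection. The VPN group already
! pushes 192.168.10.1 (the 1841) as DNS, so this may be unneeded; if it is
! kept, block udp/53 from the WAN in a Dialer1 inbound ACL.
ip dns server
! PAT of both LANs (ACL 1) to the Dialer1 address.
ip nat inside source list 1 interface Dialer1 overload
! NOTE(review): this publishes TCP 9100 on 192.168.10.200 to the whole
! internet. 9100 is conventionally raw printing (JetDirect); if it only has
! to be reached from your laptop, use the VPN and remove this line,
! otherwise restrict the source addresses in a Dialer1 inbound ACL.
ip nat inside source static tcp 192.168.10.200 9100 interface Dialer1 9100
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! ACL 1: inside sources eligible for PAT.
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
! CHANGED: ACL 23 - management sources for "ip http access-class 23" and
! the vty access-class below: both LANs, which includes the VPN pool.
access-list 23 permit 192.168.10.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
! ACL 101: split-tunnel list pushed to VPN clients (both LANs).
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
! Any IP packet counts as "interesting" and keeps Dialer1 up.
dialer-list 1 protocol ip permit
!
!
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
banner exec ^CCCC
************
^C
!
! Console: aaa "default" list -> local users.
line con 0
! NOTE(review): nothing is documented as attached to AUX; "no exec" keeps a
! stray cable or modem from being offered a login prompt.
line aux 0
! CHANGED: remote CLI sessions accepted only from sources in ACL 23 (both
! LANs; VPN clients are in 192.168.10.210-215, so they are still allowed).
! NOTE(review): telnet carries the login in clear text. To move to SSH:
! "crypto key generate rsa modulus 2048", "ip ssh version 2", then
! "transport input ssh" - do it from the console so a mistake cannot lock
! you out. A shorter "exec-timeout" on con/vty closes idle sessions sooner.
line vty 0 4
access-class 23 in
login authentication local_auth
transport input telnet
transport output none
!
! NOTE(review): unauthenticated NTP; acceptable for a lab.
ntp server 130.88.200.6
end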
1801W DSL Router as internet gateway (Using NO-IP.org for ddns)
1841 used just for DNS and DHCP (2 subnets: 1 voice, 1 data), to roughly simulate a Windows server that would do the same.
2651 Used as a dialup backup circuit HSRP'd with the 1801W
3560 POE Switch
Mitel 3300 CXI (This is my main skill, I'm teaching myself Cisco!)
2821 Used as a PRI and BRI simulator for the Mitel
2 VLANs (voice on VLAN 2, data untagged on VLAN 1)
I have managed to set up and get working (to my surprise!) a Cisco VPN client on a laptop; my Mitel softphone registers and works well, and I can reach both subnets via the VPN.
Everything works well so far, but my knowledge of firewalls and good ACL security is next to none. I did use Cisco CP to create a firewall setup, but it ended up blocking most internet traffic and seemed to have a lot of spurious entries such as Yahoo Messenger and eDonkey. Below I've pasted the config for my 1801W; can anyone suggest any improvements I could make? It's only used by me, and it isn't part of a real live setup that's left connected all the time.
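! ----------------------------------------------------------------------
! ADSL_GW (CISCO1801W, IOS 15.1) - annotated review copy of the running-config.
! What the lines below configure:
!   * WAN: PPPoA on ATM0.1 (PVC 0/38) -> Dialer1, negotiated address,
!     NAT outside, no-ip DDNS.
!   * Data LAN: Vlan1 + both radios bridged (bridge-group 1) onto BVI1
!     192.168.10.253, HSRP VIP 192.168.10.254 tracking ATM0.
!   * Voice LAN: Vlan2 192.168.2.200.
!   * Remote-access IPsec VPN (IKEv1 client group, Virtual-Template1,
!     client addresses 192.168.10.210-215, split tunnel = ACL 101).
!   * PAT of both LANs behind Dialer1 plus a static forward of TCP 9100.
! Two deliberate changes are marked CHANGED: source routing is disabled,
! and ACL 23 is defined and applied to the vty lines. Everything else is
! left as it was; review remarks are marked NOTE(review).
! ----------------------------------------------------------------------
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): this only yields type 7 strings, which are reversible; it
! hides passwords from shoulder-surfing, not from anyone holding the config.
service password-encryption
!
hostname ADSL_GW
!
boot-start-marker
boot-end-marker
!
!
logging buffered 10000
! NOTE(review): "secret 4" is a type 4 hash. Cisco withdrew type 4 because
! its implementation turned out weaker than the type 5 it replaced; on a
! release that offers type 8/9, re-enter the enable secret so it is
! re-hashed.
enable secret 4 ******
!
aaa new-model
! NOTE(review): after three failed logins the local account is locked until
! "clear aaa local user lockout username <name>". While the vty lines accept
! telnet from the internet (see Dialer1 / vty notes) any scanner can lock
! out the admin and VPN-XAUTH accounts. Prefer
! "login block-for <secs> attempts <n> within <secs>", which rate-limits the
! line instead of disabling the account, or keep max-fail only once remote
! access is confined to the LAN.
aaa local authentication attempts max-fail 3
!
!
! Console and any line without an explicit list use "default" -> local users.
aaa authentication login default local
aaa authentication login local_auth local
! XAUTH user list for the remote-access VPN (same local usernames as the CLI).
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone gmt 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
crypto pki token default removal timeout 0
!
! Self-signed certificate for the HTTPS server. Both HTTP servers are
! disabled further down, so it is unused at present.
crypto pki trustpoint TP-self-signed-2840028802
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2840028802
revocation-check none
rsakeypair TP-self-signed-2840028802
!
!
crypto pki certificate chain TP-self-signed-*
certificate self-signed 01
******
quit
dot11 syslog
!
! Wireless SSID, bridged straight into the data LAN (vlan 1 -> BVI1), so a
! wireless client is a LAN host with no further filtering.
! NOTE(review): key-management "wpa" with the "tkip" cipher on both radios
! is WPA1/TKIP, which is deprecated. If the clients allow it, use
! "authentication key-management wpa version 2" here and
! "encryption vlan 1 mode ciphers aes-ccm" on both radios. A PSK is only as
! strong as its length and randomness.
dot11 ssid Cisco_AP01
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 ******
!
! CHANGED: was "ip source-route". Source-routed packets let the sender
! override the routing table; nothing in this lab needs that.
no ip source-route
!
!
no ip dhcp use vrf connected
!
!
!
ip cef
ip domain name moorhill.local
! Upstream resolvers used by "ip dns server" below.
ip name-server 62.6.40.178
ip name-server 194.72.9.38
! NOTE(review): "myupdate" has no body in this paste and no interface
! references it (Dialer1 uses "no-ip"); it can be removed.
ip ddns update method myupdate
!
! NOTE(review): the update URL is not shown here (presumably trimmed because
! it carries the no-ip credentials). If it is a plain http:// URL those
! credentials cross the internet in clear each update - check.
ip ddns update method no-ip
HTTP
add interval maximum 0 0 5 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1801W-AG-E/K9 sn *****
archive
log config
hidekeys
! NOTE(review): "password 7" stores a reversible type 7 string. These
! accounts are used for both CLI login and VPN XAUTH; re-enter them as
! "username <name> secret <password>" so only a hash is kept.
username ***** password 7 ******
username ****** password 7 *******
!
!
! Track the DSL line so BVI1's HSRP priority drops (110 - 110 = 0) when ATM0
! goes down and the 2651 dial-backup router takes the 192.168.10.254 VIP.
track 1 interface ATM0 line-protocol
!
!
! IKEv1 phase 1 for the Cisco VPN client (group PSK, i.e. aggressive mode).
! NOTE(review): 3DES / DH group 2 / SHA-1 (transform-set below) are legacy
! choices; the VPN client supports AES, so "encr aes 256" in the policy and
! "esp-aes 256" in the transform-set are the straightforward upgrade - a
! stronger DH group only if the client offers it. Because the group key is
! what protects phase 1 against offline guessing, make it long and random.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
! Remote-access client group: addresses from SDM_POOL_1, DNS pushed =
! 192.168.10.1 (the 1841), split-tunnel list = ACL 101 (both LANs).
crypto isakmp client configuration group *******
key *********
dns 192.168.10.1
pool SDM_POOL_1
acl 101
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group ********
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
! Integrated routing and bridging: Vlan1 and both radio subinterfaces form
! bridge-group 1, which is routed through BVI1.
bridge irb
!
!
!
!
interface ATM0
no ip address
ip flow ingress
no atm ilmi-keepalive
!
! PPPoA on VPI/VCI 0/38, handed to dialer pool 1 (-> Dialer1).
interface ATM0.1 point-to-point
ip flow ingress
pvc 0/38
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
! ISDN port, unused and shut.
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
! 2.4 GHz radio (b/g rates). NOTE(review): tkip - see the dot11 ssid note.
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 30
!
!
ssid Cisco_AP01
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
station-role root
!
! Native VLAN 1 of the radio into bridge-group 1 (the data LAN).
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
! 5 GHz radio (a rates), same SSID and cipher as Dot11Radio0.
interface Dot11Radio1
no ip address
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 30
!
!
ssid Cisco_AP01
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
! Routed Ethernet port, unused and shut.
interface FastEthernet0
no ip address
shutdown
speed 100
full-duplex
!
! Fa1-3 and Fa5-7: phone/PC access ports - untagged data on VLAN 1 (BVI1),
! tagged voice on VLAN 2.
interface FastEthernet1
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport voice vlan 2
no ip address
spanning-tree portfast
!
! Trunk to the 1841 (DNS/DHCP for both VLANs).
interface FastEthernet4
description trunk to dhcp_rtr
switchport trunk allowed vlan 1-1005
switchport mode trunk
switchport voice vlan 2
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet5
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet6
switchport voice vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet7
switchport voice vlan 2
no ip address
spanning-tree portfast
!
! Trunk to the 3560 PoE switch.
interface FastEthernet8
description trunk_to_SW1
switchport trunk allowed vlan 1-1005
switchport mode trunk
no ip address
duplex full
speed 100
spanning-tree portfast
!
! Per-client IPsec VTI for the remote-access VPN; borrows Dialer1's address.
interface Virtual-Template1 type tunnel
ip unnumbered Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
! Data VLAN: no address of its own, bridged to BVI1.
interface Vlan1
no ip address
bridge-group 1
!
! Voice VLAN gateway.
interface Vlan2
description Voice
ip address 192.168.2.200 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
! WAN: PPP session from ATM0.1, address negotiated with the ISP, NAT outside,
! DDNS hostname kept current at no-ip.
! NOTE(review): there is no "ip access-group ... in" here and no
! "ip inspect" / zone-based firewall anywhere in this config. NAT drops
! unsolicited inbound traffic to LAN hosts (no translation exists for it),
! but everything the router itself listens on is reachable from the
! internet: the vty lines (now limited to the LANs by ACL 23), IKE udp/500
! and udp/4500 plus ESP (wanted, for the VPN), the recursive DNS service
! enabled by "ip dns server", and TCP 9100 through the static NAT below.
! A plain inbound ACL cannot admit the return half of LAN-initiated flows,
! which is why a hand-built filter ends up "blocking most internet
! traffic"; use CBAC ("ip inspect" on Dialer1) or the zone-based firewall
! so return traffic is admitted statefully, and keep the static ACL to the
! VPN ports, ICMP and whatever the port-forward needs. The yahoo-messenger /
! edonkey entries Cisco CP produced are most likely its default
! application-inspection class-maps; they can be dropped.
interface Dialer1
ip ddns update hostname *******
ip ddns update no-ip
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ******
ppp chap password 7 *******
!
! Unused.
interface Dialer100
no ip address
!
! Data LAN gateway. HSRP group 1 with the 2651: priority 110, preempt, and
! the priority falls to 0 when track 1 (ATM0) is down.
! NOTE(review): HSRP has no authentication, so any host on VLAN 1 or the
! wireless could claim the VIP; "standby 1 authentication md5 key-string
! <key>" on both routers if the lab warrants it.
interface BVI1
ip address 192.168.10.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 1 ip 192.168.10.254
standby 1 priority 110
standby 1 preempt
standby 1 track 1 decrement 110
!
! VPN client addresses, carved out of the data subnet. The 1841's DHCP
! scope (not visible here) must exclude .210-.215.
ip local pool SDM_POOL_1 192.168.10.210 192.168.10.215
ip forward-protocol nd
! Both HTTP servers are off (Cisco CP cannot connect until one is
! re-enabled). The access-class now resolves to ACL 23, defined below; it
! was undefined, and IOS treats an undefined access-class list as
! permit-all.
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! NOTE(review): this makes the router answer DNS queries arriving on any
! interface, Dialer1 included, forwarding them to the name-servers above -
! an open resolver that can be abused for reflection. The VPN group already
! pushes 192.168.10.1 (the 1841) as DNS, so this may be unneeded; if it is
! kept, block udp/53 from the WAN in a Dialer1 inbound ACL.
ip dns server
! PAT of both LANs (ACL 1) to the Dialer1 address.
ip nat inside source list 1 interface Dialer1 overload
! NOTE(review): this publishes TCP 9100 on 192.168.10.200 to the whole
! internet. 9100 is conventionally raw printing (JetDirect); if it only has
! to be reached from your laptop, use the VPN and remove this line,
! otherwise restrict the source addresses in a Dialer1 inbound ACL.
ip nat inside source static tcp 192.168.10.200 9100 interface Dialer1 9100
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! ACL 1: inside sources eligible for PAT.
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
! CHANGED: ACL 23 - management sources for "ip http access-class 23" and
! the vty access-class below: both LANs, which includes the VPN pool.
access-list 23 permit 192.168.10.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
! ACL 101: split-tunnel list pushed to VPN clients (both LANs).
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
! Any IP packet counts as "interesting" and keeps Dialer1 up.
dialer-list 1 protocol ip permit
!
!
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
banner exec ^CCCC
************
^C
!
! Console: aaa "default" list -> local users.
line con 0
! NOTE(review): nothing is documented as attached to AUX; "no exec" keeps a
! stray cable or modem from being offered a login prompt.
line aux 0
! CHANGED: remote CLI sessions accepted only from sources in ACL 23 (both
! LANs; VPN clients are in 192.168.10.210-215, so they are still allowed).
! NOTE(review): telnet carries the login in clear text. To move to SSH:
! "crypto key generate rsa modulus 2048", "ip ssh version 2", then
! "transport input ssh" - do it from the console so a mistake cannot lock
! you out. A shorter "exec-timeout" on con/vty closes idle sessions sooner.
line vty 0 4
access-class 23 in
login authentication local_auth
transport input telnet
transport output none
!
! NOTE(review): unauthenticated NTP; acceptable for a lab.
ntp server 130.88.200.6
end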