
Help with improving this Router Config

I am building a small network for a 70-user business in town. They have two Cisco switches connecting to a Cisco 3800 series router with Advanced IP Services IOS, the intention being to use the built-in IPS feature.

Essentially, here is the way it's going to be wired.

Switch 1 >> Trunk >> Switch 2 >> Router >> WAN

I have SDM installed on one of the PCs connected to one of the two switches.

The Router has Dynamic NAT, Firewall and IPS enabled. The customer is very particular about this network being good at intrusion prevention.

Below is my config (fake IPs etc.). What else can I do to improve this configuration?

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!DR
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 !@#%@$#%@#$!@!@#!$!@#
!
no aaa new-model
ip cef
!
ip domain name yourdomain.com
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
voice-card 0
 no dspfarm
!
crypto pki trustpoint TP-self-signed-1408452671
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1408452671
 revocation-check none
 rsakeypair TP-self-signed-1408452671
!
crypto pki certificate chain TP-self-signed-1408452671
 certificate self-signed 01
  <clipped>
  quit
username <myuser> privilege 15 secret 5 <mypassword>
!
interface GigabitEthernet0/0
 description WAN_OUTSIDE
 ip address 222.22.121.34 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description LAN_INSIDE
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 7 interface GigabitEthernet0/0 overload
!
access-list 7 permit 192.168.10.0 0.0.0.255
access-list 23 permit 192.168.10.203
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 222.22.121.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host 222.22.121.34 echo-reply
access-list 101 permit icmp any host 222.22.121.34 time-exceeded
access-list 101 permit icmp any host 222.22.121.34 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
! <vty stuff clipped>
!
end

Full config attached.

3 REPLIES

Re: Help with improving this Router Config

I am nowhere good enough right now to give feedback on hardening your router.

But here is a good article on hardening Cisco devices....

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml


Re: Help with improving this Router Config

Looks pretty good.

What routing protocol are you using? I did not see any routes, so I do not know if there are any suggestions there; for instance, if you are running BGP you could use a password in the BGP config with the peer. Other than that, it looks like you have a pretty good config there for what you need.


Re: Help with improving this Router Config

engagerocks, you are correct on the lack of routing protocol.

This router will be connected via GE0/0 to a service provider's router. Is there a need for anything more than a static route?
