Help setup a 1721 router

Hello everyone;

I got this all done and tried to send it but I got an error and lost it =( . I have been given the task of setting up a 1721 router. I have no training in setting up routers. The below config is what I have put together from the manuals and reading the NSA website about router security. This config works but is not very secure. Could you look at it and suggest what I can do to make it more secure? I have also added two access lists I have created but not implemented yet. Will those work? Are they any good?

My company uses the internet mainly for email (provider) and surfing the web. I have thought about blocking all ports but HTTP and FTP but not sure if that is the way to go.

My ISP gave me 6 IPs. Is there a way w/ this router to set up 4 of those IPs to be used in the NAT and 2 to be static to internal machines? Or will I have to do port replication? Right now I only use 1 IP. I would like to do something with them so I do not lose them.

------------------------------------------------------------------------------------------------------------
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname "#########"
!
enable secret 5 ##########################
!
username ###### password 7 #########################
username ###### password 7 #########################
clock timezone EST 0
ip subnet-zero
ip name-server 10.255.138.0
ip name-server 10.255.138.0
!
no ip bootp server
!
!!
interface FastEthernet0
 ip address 172.16.50.1 255.255.255.###
 ip access-group 106 in
 no ip proxy-arp
 ip nat inside
 speed auto
 no cdp enable
!
interface Serial0
 description Frame Relay
 no ip address
 no ip proxy-arp
 ip nat outside
 encapsulation frame-relay IETF
 no ip route-cache
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address 10.255.138.0 255.255.255.###
 ip access-group 105 in
 no ip proxy-arp
 ip nat outside
 no ip route-cache
 no cdp enable
 frame-relay interface-dlci 255 IETF
!
ip nat pool vsapool 10.255.138.0 10.255.138.0 netmask 255.255.255.###
ip nat inside source list 2 pool vsapool overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.255.138.0
no ip http server
!
!
ip access-list extended s0-in
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip host 255.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 deny ip 240.0.0.0 7.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.0.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
!
logging source-interface FastEthernet0
logging 172.16.50.21
access-list 1 permit 172.16.50.21 log
access-list 1 deny any log
access-list 2 permit 172.16.50.0 0.0.0.255
access-list 105 deny tcp any any eq 6346 log
access-list 105 deny tcp any any eq 6347 log
access-list 105 permit ip any any
access-list 106 deny tcp any any eq 6346 log
access-list 106 deny tcp any any eq 6347 log
access-list 106 deny tcp any eq 6346 any log
access-list 106 deny tcp any eq 6347 any log
access-list 106 permit ip any any
no cdp run
banner motd ^C
This is a private system operated for and by
##############################
Authorization from ######### is required to use this system
Use by unauthorized persons is prohibited
^C
!
line con 0
 password 7 ##########################
 login
line aux 0
line vty 0 4
 access-class 1 in
 password 7 ###########################
 login local
!
end

Here are the 2 lists I have created but not implemented

!internal
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 172.16.0.0 0.0.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 240.0.0.0 7.255.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip any host 172.16.50.0 log
access-list 100 permit tcp any 172.16.50.0 0.0.0.128 established
access-list 100 deny icmp any any echo log
access-list 100 deny icmp any any redirect log
access-list 100 deny icmp any any mask-request log
access-list 100 permit icmp any 172.16.50.0 0.0.0.128
access-list 100 deny tcp any any range 6000 6063 log
access-list 100 deny tcp any any eq 6667 log
access-list 100 deny tcp any any range 12345 12346 log
access-list 100 deny tcp any any eq 31337 log
access-list 100 permit tcp any eq 20 172.16.50.0 0.0.0.128 gt 1023
access-list 100 deny udp any any eq 2049 log
access-list 100 deny udp any any eq 31337 log
access-list 100 deny udp any any range 33400 34400 log
access-list 100 permit udp any eq 53 172.16.50.0 0.0.0.128 gt 1023
access-list 100 deny tcp any eq 6346 any log
access-list 100 deny tcp any any eq 6346 log
access-list 100 deny tcp any eq 6347 any log
access-list 100 deny tcp any any eq 6347 log
access-list 100 deny tcp any range 0 65535 any range 0 65535 log
access-list 100 deny udp any range 0 65535 any range 0 65535 log
access-list 100 deny ip any any log
!
!external
access-list 102 deny ip host 172.16.50.1 host 172.16.50.1 log
access-list 102 permit icmp 172.16.50.0 0.0.0.255 any echo
access-list 102 permit icmp 172.16.50.0 0.0.0.255 any parameter-problem
access-list 102 permit icmp 172.16.50.0 0.0.0.255 any packet-too-big
access-list 102 permit icmp 172.16.50.0 0.0.0.255 any source-quench
access-list 102 deny tcp any any range 1 19 log
access-list 102 deny tcp any any eq 43 log
access-list 102 deny tcp any any eq 93 log
access-list 102 deny tcp any any range 135 139 log
access-list 102 deny tcp any any eq 445 log
access-list 102 deny tcp any any range 512 518 log
access-list 102 deny tcp any any eq 540 log
access-list 102 permit tcp 172.16.50.0 0.0.0.128 gt 1023 any lt 1024
access-list 102 permit udp 172.16.50.0 0.0.0.128 gt 1023 any eq 53
access-list 102 permit udp 172.16.50.0 0.0.0.128 gt 1023 any range 33400 34400 log
access-list 102 permit ip any any
!DENY ALL - access-list 102 deny tcp any range 0 65535 any range 0 65535 log
!DENY ALL - access-list 102 deny udp any range 0 65535 any range 0 65535 log
no cdp run

Thank You very much for any help you can give me

Paul
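The access lists in the post use IOS wildcard masks, and which entry a packet hits is decided by first-match order with an implicit deny at the end. The Python evaluator below is an added example, not part of the post or of any Cisco tool: it models the address part of a constructed excerpt of the poster's access-list 100 (port operators and the established flag are parsed past but not evaluated) and shows how many addresses the 0.0.0.128 wildcard in those permit entries actually covers.

```python
import ipaddress

# Constructed excerpt of the poster's access-list 100 (order preserved, ports ignored)
ACL_100 = """
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 permit tcp any 172.16.50.0 0.0.0.128 established
access-list 100 permit tcp any eq 20 172.16.50.0 0.0.0.128 gt 1023
access-list 100 permit udp any eq 53 172.16.50.0 0.0.0.128 gt 1023
access-list 100 deny ip any any log
""".strip().splitlines()

_ip = lambda s: int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    # IOS wildcard semantics: a 0 bit must equal the base, a 1 bit is "don't care"
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def wildcard_size(wildcard):
    # how many addresses a base/wildcard pair covers: 2 ** (number of 1 bits)
    return 1 << bin(_ip(wildcard)).count("1")

def _take_addr(tokens):
    # consume "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" from the front of tokens
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_ace(line):
    # "access-list N action proto src [ports] dst [ports] [established] [log]"
    tokens = line.split()
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = _take_addr(rest)
    # port operators are not modelled: drop "eq/gt/lt/neq N" or "range N M" before dst
    if rest[0] in ("eq", "gt", "lt", "neq"):
        del rest[:2]
    elif rest[0] == "range":
        del rest[:3]
    return action, proto, src, _take_addr(rest)

def evaluate(acl, proto, src, dst):
    # first match wins; a packet matching no entry falls into the implicit deny (-1)
    for i, line in enumerate(acl):
        action, p, (sb, sw), (db, dw) = parse_ace(line)
        if p in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, i
    return "deny", -1
```

wildcard_size("0.0.0.128") returns 2, so those permit entries match only 172.16.50.0 and 172.16.50.128; a wildcard of 0.0.0.127 covers the whole /25 and 0.0.0.255 the whole /24.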

Re: Help setup a 1721 router

The configuration seems to be OK overall. But there could be some misconfigurations which you might have overlooked. You could refer to the configuration guides given for the Cisco 1721 router.

For a basic configuration please refer:

Cisco 1700 Series Access Routers- Introduction to Router Configuration

http://www.cisco.com/en/US/products/hw/routers/ps221/products_configuration_guide_chapter09186a008007e591.html

For more complex configurations refer:

Cisco 1721 Modular Access Router

http://www.cisco.com/en/US/products/hw/routers/ps221/ps224/index.html

These URLs should help you configure the Cisco 1721 router.
