New Member

837 config advise

I have created this config to do NO-NAT on my 837 but it doesn't seem to work.

I'm not sure if it's an auth problem or a routing issue.

!

interface ethernet0

no shut

ip address 81.xxx.xxx.97 255.255.255.240

no ip directed-broadcast

!

interface ATM0

no ip address

ip route-cache policy

no atm ilmi-keepalive

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode auto

!

interface Dialer0

ip unnumbered Ethernet0

encapsulation ppp

dialer pool 1

ppp chap hostname xxxxxx@isp.net

ppp chap password xxxxxx

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

!

VIP Purple

Re: 837 config advise

Hello,

what exactly is not working? Try to change the default route and have it point to the next hop instead of the Dialer0 interface (if you know the IP address of the next hop):

ip route 0.0.0.0 0.0.0.0 x.x.x.x (where x.x.x.x is the IP address of the next hop)...

Also, it looks like you are connecting to an ISP? Try and add the following to your config:

ppp authentication chap callin

HTH,

GP

New Member

Re: 837 config advise

Perfect, this worked. I am just not able to use an IP for the gateway, as my ISP only has dynamic gateways which are assigned upon connection.

Also, ATM0 was down, so I did "no shut" and added "ppp authentication chap callin".

Now everything works great.

Thanks again.

Now on to the next step, configuring the access-list lol

VIP Purple

Re: 837 config advise

Hello,

what are you trying to achieve with your access list?

A basic access list for just Internet access and FTP would look like this:

access-list 101 permit tcp any any eq 443

access-list 101 permit tcp any any eq www

access-list 101 permit udp any any eq domain

access-list 101 permit tcp any any eq ftp

Regards,

GP

New Member

Re: 837 config advise

I want to allow all traffic outbound except 135/tcp and block all in except ssh/tcp and 3389/tcp to a couple of PCs.

Purple

Re: 837 config advise

Looks like you need reflexive access-lists.

Try the following

ip access-list extended outbound

deny tcp any any eq 135

deny tcp any eq 135 any

permit ip any any reflect goodtraffic

!

ip access-list extended inbound

permit tcp any host pc1-ip eq ssh

permit tcp any host pc2-ip eq ssh

permit tcp any host pc1-ip eq 3389

permit tcp any host pc2-ip eq 3389

evaluate goodtraffic

interface Ethernet0

ip access-group outbound in

!

interface Dialer0

ip access-group inbound in

Hope that helps - pls rate the post if it does.

Paresh.

New Member

Re: 837 config advise

Hi there,

I'm almost there, but at which level do I do this? I've tried

(enable)

(config term)

and also (interface dialer0 and ethernet0).

VIP Purple

Re: 837 config advise

Hello,

I am not sure if a reflexive access list is what you want. This would only allow connections to be established from the inside to the outside. Are you planning on remote controlling your PCs using RDP from the Internet?

Regards,

GP

Purple

Re: 837 config advise

Hi Georg,

If you look at the acl called 'inbound' you will see that it explicitly allows inbound connections from the internet.

To the original poster:

The ACL needs to be configured at the global config level... 'en', then 'conf t'.

Paresh.

VIP Purple

Re: 837 config advise

Paresh, Aaron,

good point, I missed that...

Regards,

GP

New Member

Re: 837 config advise

It doesn't seem to like the command "extended".

Router>en

Password:

Router#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#ip access-list extended outbound

^

% Invalid input detected at '^' marker.

Router(config)#ip acc

Router(config)#ip access-list ?

log-update Control access list log updates

logging Control access list logging

resequence Resequence Access List

Router(config)#ip access-list

VIP Purple

Re: 837 config advise

Hello,

looks like named access lists are not supported in your IOS. If you have a possibility to upgrade, you need at least IP/FW/3DES 12.3(14)T5

(image name) c837-k9o3y6-mz.12.3-14.T5, or IP/FW/PLUS 3DES 12.2(13)ZG

(image name c837-k9o3sy6-mz.12.2-13.ZG).

If you cannot upgrade the IOS, I guess you will have to use numbered access lists, but then, unfortunately, the reflexive access list feature is not supported.

The numbered access lists would look like this:

access-list 101 deny tcp any any eq 135

access-list 101 permit ip any any

!

access-list 102 permit tcp any host1_ip_address eq 443

access-list 102 permit tcp any host1_ip_address eq 3389

!

interface Ethernet0

ip access-group 101 in

!

interface Dialer0

ip access-group 102 out

Can you try this and see if that works for you ?

Regards,

GP

New Member

Re: 837 config advise

URGENT, please help.

Unfortunately this didn't work,

but I currently have a more serious problem: I managed to get myself into ROMMON mode somehow. I found a command in the docs saying to use "confreg 0x142", which has now got IOS booting, but it doesn't load startup-config anymore; the file is there but not used on startup.

Current image is c837-k9o3y6-mz.122-13.ZH2

VIP Purple

Re: 837 config advise

Hello,

while in ROMMON, type:

rommon>config-register 2102

and then:

rommon>reset

which will reload the router.

Regards,

GP

VIP Purple

Re: 837 config advise

Hello,

you are right, that access list doesn't work, because it won't allow traffic back in...aaarggh!

Since reflexive access lists don't work, there is another feature which is somewhat similar in functionality, called Context-Based Access Control (CBAC). You would configure this as follows:

ip inspect name FW h323

ip inspect name FW smtp

ip inspect name FW tcp

ip inspect name FW udp

ip inspect name FW fragment maximum 256 timeout 1

ip inspect name FW tftp

ip inspect name FW ftp

Add whatever you want to allow outbound, e.g. www or ssh, in a similar fashion.

Then, apply the rule to the Ethernet0 interface:

interface Ethernet0

ip inspect FW in

Also, create an access list that allows everything except for TCP port 135, and apply that to the Ethernet0 interface as well:

access-list 101 deny tcp any any eq 135

access-list 101 permit ip any any

interface Ethernet0

ip access-group 101 in

Regards,

GP

New Member

Re: 837 config advise

Thanks for the ROMMON tip, that's fixed now (very scary).

This does block 135 out but doesn't block anything coming in.

Do I need to create a list and group for inbound traffic on the ATM0 interface or the Dialer0 to prevent inbound, and then specify the other ports etc. which I want to permit in?

Purple

Re: 837 config advise

Hi Aaron,

You have to apply the ACL inbound on the dialer interface to filter inbound traffic.

In the absence of reflexive ACLs, the following should get you closer:

access-list 101 deny tcp any any eq 135

access-list 101 deny tcp any eq 135 any

access-list 101 permit ip any any

!

access-list 102 permit tcp any host1-ip eq 443

access-list 102 permit tcp any host1-ip eq 3389

access-list 102 permit tcp any any established

access-list 102 permit udp any any

!

interface ethernet 0

ip access-group 101 in

!

interface dialer 0

ip access-group 102 in

What this will do is block all incoming TCP sessions (except to port 443 and 3389 on the designated IPs). However, it will still allow UDP flows inbound...

You can profile your traffic and create tighter ACLs, but I'm not sure that you can do much more with the features you have...

Hope that helps - pls rate helpful posts.

Regards,

Paresh.

New Member

Re: 837 config advise

Hi Paresh,

I have been using this config with great success, although I would like to block UDP inbound, and any attempt to do so causes loss of all outbound traffic, mainly HTTP. Can you offer any help on this?

Many Thanks ...... Aaron

Purple

Re: 837 config advise

access-list 101 deny tcp any any eq 135

access-list 101 deny tcp any eq 135 any

access-list 101 permit ip any any

!

access-list 102 permit tcp any host1-ip eq 443

access-list 102 permit tcp any host1-ip eq 3389

access-list 102 permit tcp any any established

access-list 102 permit udp any any

!

interface ethernet 0

ip access-group 101 in

!

interface dialer 0

ip access-group 102 in

Hi Aaron,

Unfortunately, with your IOS feature set, we cannot do anything that is going to be rock-solid. However, there is one thing you can do: you can set up your incoming access-list so that it blocks all traffic received from non-well-known UDP source ports, as such:

access-list 102 permit tcp any host1-ip eq 443

access-list 102 permit tcp any host1-ip eq 3389

access-list 102 permit tcp any any established

access-list 102 permit udp any range 0 1023 any

Once again, this should get you closer to where you want to be, without being totally perfect. What this config will do is to deny any inbound packets that have a source UDP port greater than 1023. Generally, well-known services run on UDP ports between 0 and 1023. Therefore, when your clients generate UDP packets to these servers, they will use a destination port between 0 and 1023. The return packets will have a source port between 0 and 1023.

Try this out. Undoubtedly this will result in your PCs being unable to access certain UDP applications. If that happens, all you need to do is go in and add a line for each such port to access-list 102, as such:

access-list 102 permit udp any eq <udp-port> any

Hope that helps - pls rate the post if it does.

Regards,

Paresh.
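The two approaches discussed in the thread, GP's stateful CBAC inspection and Paresh's stateless "established" plus "udp range 0 1023" workaround, differ in exactly which inbound packets they let through. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS first-match ACL evaluation (implicit deny, "established" as a pure ACK/RST flag check) placed beside a reflexive/CBAC-style session table, run over constructed packets. HOST1 and OTHER_LAN_HOST are assumed LAN addresses standing in for the thread's host1-ip placeholder; the remote addresses are from documentation ranges.

```python
"""Added example, not code from the thread: a small model of how an IOS
numbered ACL decides inbound packets, so the stateless 'established' and
'udp range 0 1023' tricks can be compared with a reflexive/CBAC-style
session table. All addresses and packets below are constructed."""
from dataclasses import dataclass

HOST1 = "81.0.0.98"            # assumed LAN host that should accept 443/3389
OTHER_LAN_HOST = "81.0.0.99"   # assumed LAN host that should accept nothing


@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "A", "R"


# ACL entry: (action, proto, src, sport_spec, dst, dport_spec, established)
# A port spec is None (any), ("eq", n) or ("range", lo, hi).
ACL_102 = [
    ("permit", "tcp", "any", None, HOST1, ("eq", 443), False),
    ("permit", "tcp", "any", None, HOST1, ("eq", 3389), False),
    ("permit", "tcp", "any", None, "any", None, True),              # established
    ("permit", "udp", "any", ("range", 0, 1023), "any", None, False),
]
STATIC_INBOUND = ACL_102[:2]   # the two explicit holes, reused by the stateful model


def port_ok(spec, port):
    if spec is None:
        return True
    if spec[0] == "eq":
        return port == spec[1]
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    raise ValueError(f"unknown port spec {spec!r}")


def entry_matches(entry, p):
    _, proto, src, sport, dst, dport, established = entry
    if proto not in ("ip", p.proto):
        return False
    if src != "any" and src != p.src:
        return False
    if dst != "any" and dst != p.dst:
        return False
    if not (port_ok(sport, p.sport) and port_ok(dport, p.dport)):
        return False
    # IOS 'established' is stateless: it only asks whether ACK or RST is set,
    # so a forged ACK-only probe matches just as well as a real reply.
    if established and not ("A" in p.flags or "R" in p.flags):
        return False
    return True


def acl_decision(acl, p):
    """First matching entry wins; implicit deny at the end, as in IOS."""
    for entry in acl:
        if entry_matches(entry, p):
            return entry[0]
    return "deny"


class ReflexiveFilter:
    """Outbound packets record a session; an inbound packet passes only if it
    is the mirror image of a recorded session (the reflexive ACL / CBAC idea)."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, p):
        self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))

    def decision(self, static_acl, p):
        if acl_decision(static_acl, p) == "permit":   # explicit inbound holes
            return "permit"
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        return "permit" if key in self.sessions else "deny"


def compare():
    """Return {case: (stateless ACL 102 verdict, reflexive verdict)}."""
    rf = ReflexiveFilter()
    rf.outbound(Pkt("tcp", HOST1, 51000, "203.0.113.10", 443, "S"))  # https out
    rf.outbound(Pkt("udp", HOST1, 52000, "203.0.113.53", 53))        # dns out
    cases = {
        "rdp_to_host1":        Pkt("tcp", "198.51.100.7", 40000, HOST1, 3389, "S"),
        "rdp_to_other_host":   Pkt("tcp", "198.51.100.7", 40000, OTHER_LAN_HOST, 3389, "S"),
        "https_reply":         Pkt("tcp", "203.0.113.10", 443, HOST1, 51000, "SA"),
        "ack_scan_port_22":    Pkt("tcp", "198.51.100.7", 40000, HOST1, 22, "A"),
        "dns_reply":           Pkt("udp", "203.0.113.53", 53, HOST1, 52000),
        "udp_from_high_port":  Pkt("udp", "198.51.100.7", 40000, HOST1, 161),
        "udp_forged_sport_53": Pkt("udp", "198.51.100.7", 53, HOST1, 161),
    }
    return {name: (acl_decision(ACL_102, p), rf.decision(STATIC_INBOUND, p))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:22} acl102={stateless:7} reflexive={stateful}")
```

Running it shows the gap Paresh describes: ACL 102 admits the genuine HTTPS and DNS replies, but it also admits an ACK-only probe to port 22 and a UDP packet whose source port was simply set to 53, because the filter never checks that a LAN host asked for them. The session-table model denies both while still letting the two explicit RDP/HTTPS holes through, which is the behaviour the thread was trying to get from reflexive ACLs or CBAC.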

New Member

Re: 837 config advise

which IOS release would you recommend

Purple

Re: 837 config advise

Hi Aaron,

The feature that would solve your problem is reflexive ACLs. Unfortunately, this feature is not supported on any of the images on the 837.

Have you tried the alternative solution I proposed in my last post.

Cheers

Paresh.

New Member

Re: 837 config advise

Not yet. I thought a later release of the IOS might be a better solution, such as 12.4T, but I didn't realise it didn't support reflexive ACLs.
