Cisco Support Community

basic but secure config for CISCO2811-HSEC/K9 advanced IP with a hwic-1fe

Hi There,

I am in the process of having to set up a 2811 with a HWIC-1FE for a third routing interface. I have to get this set up or it's....

The box is a 2811 (which is coming in as we speak by FedEx - you couldn't make it up) with a HWIC-1FE on the current most secure and stable Advanced IP Services IOS. I presume it's circa 12.4*.

I haven't set up an IOS box before, but I have a little networking knowledge.

Is 12.4(15)T4 the most recent IOS image that has proven to be the most secure for a basic config?

I was wondering where I might see a really basic but reasonably secure config for such a set-up, or where I might cobble one together, from the description below.

External NIC is transparent to internal NIC.

Just send dodgy packets to null and any other security requirements, blocking ICMP etc. to the internal NIC.

The third NIC just has to route traffic from 3-4 boxes on its interface to the outside world (via external) and back again with absolutely no interference to layer 3 (and above) traffic. These servers are not visible but are on live IP addresses.

Further, the external NIC has to allow basic VPN, SMTP, SSL VPN and HTTP/S traffic to the internal NIC to connect to an ASA 5510 unit.

SMTP would be locked down to an IP scope (either 1 IP or a small range); VPN traffic would be coming from anywhere, as would SSL VPN. HTTP/S traffic would be from anywhere, as would torrent software downloads (purely legal), CentOS ISOs etc. and other business-type traffic.

I had heard varying ideas on "deny ip any" and other variants, the options being:

access-list 100 deny ip any any log

or 2

another method

what is the better option?

I'm not going to use SIP or any other time-sensitive protocol. The box just needs to be real tight in the lockdown.

I was also going to syslog events. Is Kiwi Syslog Daemon the best bet? It seems to be the main option that costs, yadda... it is free for commercial use... I will need to review this.

Is there anything else I should be looking out for? I don't think I need TACACS. Any config change would be done locally, or from the management interface.

Will "no ip unreachables" break the VPN connectivity since it's in front of the VPN server? The VPN server (IPsec and SSL) is in an ASA box behind the internal 2811 NIC.

I was going to reject ICMP traffic to the inbound NIC, but leave it open on the third HWIC-1FE interface.

I had wondered about using the firewall, but the concern was that it went beyond a stateful firewall. Does the firewall interfere, in any way, with the traffic, i.e. ICMP or TCP flag manipulation etc.?

Thanks in advance for your time and help

Kind regards


PS: I know this is asking a lot, but the obvious option, get an engineer in, is not an option - cost - we are a very small outfit. If you feel like telling me to get lost I hear you and I will.
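Since the post asks how the explicit "deny ip any" option is written and where the ICMP filtering, "no ip unreachables" and syslog export fit in, here is an added IOS 12.4 configuration sketch for the three-interface layout described. It is an illustration written for this thread, not code from the original post or from Cisco. Every interface name, the ACL name, the syslog host and all addresses (RFC 5737 documentation ranges) are placeholders chosen here; the permitted SMTP source scope is likewise invented. The named extended ACL ends with an explicit "deny ip any any log" so that drops are counted in "show access-lists" and exported to syslog, and the HWIC-1FE interface carries no ACL so the routed servers' traffic is not touched.

```cisco
! Added example for this thread; not from the original post or from Cisco.
! Assumed placeholder layout (all names and addresses are constructed):
!   FastEthernet0/0   = external (Internet)        203.0.113.2/30
!   FastEthernet0/1   = internal (towards the ASA) 192.0.2.1/29, ASA outside = 192.0.2.2
!   FastEthernet0/1/0 = HWIC-1FE, routed server segment 198.51.100.0/29
!   Permitted SMTP source scope: 203.0.113.64/27 (hypothetical)
!
! Inbound filter on the external interface: explicit permits first, then one
! explicit "deny ip any any log" instead of relying on the implicit deny.
ip access-list extended OUTSIDE-IN
 remark anti-spoofing: our own internal and server ranges never arrive from outside
 deny   ip 192.0.2.0 0.0.0.7 any log
 deny   ip 198.51.100.0 0.0.0.7 any log
 remark SMTP only from the agreed source scope, only to the ASA
 permit tcp 203.0.113.64 0.0.0.31 host 192.0.2.2 eq smtp
 remark IPsec (IKE on UDP/500, NAT-T on UDP/4500, ESP) and SSL VPN / HTTPS / HTTP to the ASA
 permit udp any host 192.0.2.2 eq isakmp
 permit udp any host 192.0.2.2 eq non500-isakmp
 permit esp any host 192.0.2.2
 permit tcp any host 192.0.2.2 eq 443
 permit tcp any host 192.0.2.2 eq www
 remark return traffic for TCP sessions opened from inside or from the server segment
 permit tcp any any established
 remark ICMP: keep only the fragmentation-needed message that path-MTU discovery relies on
 permit icmp any any packet-too-big
 remark everything else, including echo-request and other ICMP: drop and log
 deny   ip any any log
!
interface FastEthernet0/0
 description External
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 no ip unreachables
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
! "no ip unreachables" only stops this router from generating ICMP unreachable
! messages (including fragmentation-needed) for packets it drops or cannot route;
! VPN packets forwarded to the ASA are not affected, but PMTU discovery for traffic
! this router would have to fragment is.
!
interface FastEthernet0/1
 description Internal towards ASA
 ip address 192.0.2.1 255.255.255.248
!
interface FastEthernet0/1/0
 description HWIC-1FE routed server segment, deliberately no ACL
 ip address 198.51.100.1 255.255.255.248
!
! Export the ACL log hits to a syslog host (192.0.2.10 is hypothetical) and
! summarise them every 10 ms worth of hits rather than one message per packet.
logging host 192.0.2.10
logging trap informational
logging source-interface FastEthernet0/1
ip access-list logging interval 10
```

The "established" line is the static stand-in for return traffic when the IOS firewall feature set is not used; it matches TCP segments with ACK or RST set and does nothing for UDP replies, so outbound UDP-based services would need their own permits or the stateful firewall the post mentions. Check the drop counters with "show access-lists OUTSIDE-IN" once traffic is flowing, and confirm the syslog host is receiving the %SEC-6-IPACCESSLOGP messages before relying on them.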