Cisco Support Community
Community Member

help with temp config

Hi All,

I have a small site that will be getting a temporary internet connection until I can get the perm one there. I do not want to go through the expense of purchasing a firewall for this location. Would the following config work OK if the users are only using internet and VPN? Is the security sufficient?

    interface FastEthernet0/0
     description LAN Int
     ip address <lan ip> 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    !
    interface Serial0/0/0:1
     ip address <ip> 255.255.255.252
     ip access-group 120 in
     ip access-group 130 out
     no ip redirects
     ip nat outside
     ip route-cache flow
     no fair-queue
    !
    ip classless
    !
    ip nat inside source list 2 interface Serial0/0/0:1 overload
    !
    access-list 2 remark NAT
    access-list 2 permit <lan ip net> 0.0.0.255
    access-list 120 deny ip <ip> 0.0.0.31 any
    access-list 120 deny ip 10.0.0.0 0.255.255.255 any
    access-list 120 deny ip 127.0.0.0 0.255.255.255 any
    access-list 120 deny ip 172.16.0.0 0.15.255.255 any
    access-list 120 deny ip 192.168.0.0 0.0.255.255 any
    access-list 120 deny ip 224.0.0.0 31.255.255.255 any
    access-list 120 deny tcp any any eq telnet
    access-list 120 permit ip any any
    access-list 130 permit ip <ip> 0.0.0.31 any
    access-list 130 deny ip any any

TIA,

R

3 REPLIES
Purple

Re: help with temp config

Hi,

I would actually look at the following template in order to come up with a config with a bit more security than you have got there:

http://www.cymru.com/Documents/secure-ios-template.html

It may be overkill for your network so you can remove the bits that you think are not relevant.

Please do remember to rate posts.

Paresh

Community Member

Re: help with temp config

Wow, that's quite a bit of stuff! Thanks for the template.

Community Member

Re: help with temp config

The only other point I would make is if they are only using web and vpn, only permit port 80 and whatever port your VPN uses rather than the permit any any on your access-list.
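
The following is an added example, not part of any post in this thread: a small first-match evaluator for access-list 120 as posted, showing which inbound packets the final `permit ip any any` lets through. The `<ip>` placeholder is replaced by the constructed documentation prefix 203.0.113.0, and the parser handles only the syntax that appears in this ACL.

```python
import ipaddress

# ACL 120 from the post; <ip> replaced by a constructed documentation prefix.
ACL_120 = """\
access-list 120 deny ip 203.0.113.0 0.0.0.31 any
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 224.0.0.0 31.255.255.255 any
access-list 120 deny tcp any any eq telnet
access-list 120 permit ip any any
"""
PORTS = {"telnet": 23, "www": 80}  # IOS port keywords this sketch understands

def _addr(t):
    """Consume 'any' or 'address wildcard' and return (base, wildcard) ints."""
    if t[0] == "any":
        t.pop(0)
        return 0, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(t.pop(0))), int(ipaddress.IPv4Address(t.pop(0)))

def parse(text):
    """Turn numbered extended ACL lines into (action, proto, src, dst, dport)."""
    rules = []
    for line in text.splitlines():
        t = line.split()[2:]  # drop 'access-list <number>'
        action, proto = t.pop(0), t.pop(0)
        src, dst = _addr(t), _addr(t)
        port = int(PORTS.get(t[1], t[1])) if t[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _hit(ip, spec):
    base, wild = spec
    keep = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return (ip & keep) == (base & keep)

def evaluate(rules, proto, src, dst, dport=None):
    """First matching line wins; every IOS ACL ends with an implicit deny."""
    s, d = (int(ipaddress.IPv4Address(a)) for a in (src, dst))
    for action, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("ip", proto) and _hit(s, rsrc) and _hit(d, rdst)
                and (rport is None or rport == dport)):
            return action
    return "deny"
```

With a constructed outside source such as 198.51.100.7, `evaluate(parse(ACL_120), "tcp", "198.51.100.7", "203.0.113.2", 22)` returns `"permit"`: only telnet and the spoofed or reserved source ranges are dropped, everything else inbound is accepted.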
