Thread: Cisco 837 Config

  1. #1
    Member ffantasy
    Join Date
    May 2002
    Location
    SG
    Posts
    69

    Cisco 837 Config

    Hi,

    I'm in the process of upgrading from aal5mux encapsulation to aal5snap RFC 1483 encapsulation. My main purpose is just a web server and SMTP, plus workstation internet access. The new ADSL connection does not need a PPP username and password.

    Could someone please help me tweak my configuration and check if there is an error? I'm still a newbie on Cisco. Below is the working config. Thanks.

    *********************************************************
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Cisco837
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret *********************************
    !
    username cisco837 privilege 15 secret ***********************.
    clock timezone PCTime 8
    no aaa new-model
    ip subnet-zero
    no ip source-route
    ip dhcp excluded-address 192.168.1.254
    !
    !
    ip cef
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip ips po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    interface Ethernet0
    description $LAN$
    ip address 192.168.1.254 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    no cdp enable
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description $WAN$
    ip address x.x.x.x 255.255.255.252
    ip access-group 101 in
    ip verify unicast reverse-path
    ip nat outside
    ip inspect DEFAULT100 out
    ip virtual-reassembly
    pvc 8/35
    encapsulation aal5snap
    !
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source static tcp 192.168.1.10 25 interface ATM0.1 25
    ! HTTP must be exposed on outside port 80; a second mapping to port 25 collides with the SMTP entry above
    ip nat inside source static tcp 192.168.1.10 80 interface ATM0.1 80
    !
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Ethernet0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip x.x.x.x 0.0.0.3 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit tcp any host x.x.x.x eq smtp
    access-list 101 permit tcp any host x.x.x.x eq http
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit icmp any host x.x.x.x echo-reply
    access-list 101 permit icmp any host x.x.x.x time-exceeded
    access-list 101 permit icmp any host x.x.x.x unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    no cdp run
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    no modem enable
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler interval 500
    end
    Last edited by ffantasy; 06-23-05 at 10:41 PM.

  2. #2
    SG Enthusiast
    Join Date
    Mar 2002
    Location
    Poland
    Posts
    1,107

    RE : c837 cfg - first look OK

    Although it is looking good, a few comments:

    Lacking:
    'ip dhcp pool CLIENT
    import all
    network <IP address>
    default-router <IP>
    lease 0 2'

    yours:
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any


    In this case a more effective method is routing rather than an access-list,
    so the recommendation is:
    interface Null0
    no ip unreachables
    and
    ip route <IP address> Null0
    lines, respectively.

    Lacking:
    'access-class' in for line vty 0 4
    and
    'sntp server <IP> version 3'
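The following script is an added example, not code from either post and not a Cisco tool. It audits a saved IOS config, offline, for the points raised in this thread: the static NAT entries in the first post (two inside sockets claiming the same outside port cannot both work) and the items the reply above says are lacking (DHCP pool, Null0 black-holes or ACL denies for bogon sources, an access-class on the vty lines, an SNTP server). The sample config is a constructed, trimmed copy of the posted one; 203.0.113.2 stands in for the masked x.x.x.x WAN address and 192.0.2.10 is a placeholder time server. Because forum posts strip indentation, the parser assumes sub-mode blocks are closed by a `!` line or by a recognised global command, which is a heuristic rather than how IOS itself parses.

```python
"""Offline audit of a saved Cisco IOS config for the points raised in this thread:
duplicate static NAT port mappings, vty lines without access-class, no (s)ntp server,
a DHCP excluded-address with no pool, and bogon sources neither denied by the inbound
WAN ACL nor black-holed via Null0. Added example, not a Cisco tool."""
import re
from collections import defaultdict

# Constructed sample: a trimmed version of the posted config, keeping its static
# NAT typo (both entries claim outside port 25). 203.0.113.2 stands in for the
# masked WAN address.
SAMPLE_CONFIG = """\
hostname Cisco837
ip dhcp excluded-address 192.168.1.254
!
interface ATM0.1 point-to-point
ip address 203.0.113.2 255.255.255.252
ip nat outside
!
ip nat inside source static tcp 192.168.1.10 25 interface ATM0.1 25
ip nat inside source static tcp 192.168.1.10 80 interface ATM0.1 25
access-list 101 permit tcp any host 203.0.113.2 eq smtp
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip any any
!
line vty 0 4
privilege level 15
login local
transport input telnet ssh
"""
# Constructed hardened variant: port typo fixed, plus the items the reply asks for.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "80 interface ATM0.1 25", "80 interface ATM0.1 80"
).replace("line vty 0 4\n", "line vty 0 4\naccess-class 1 in\n") + """\
!
ip dhcp pool CLIENT
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
lease 0 2
!
ip route 172.16.0.0 255.240.0.0 Null0
sntp server 192.0.2.10 version 3
"""

# Sub-mode headers; a '!' line or a global command ends the open block (heuristic).
BLOCK_STARTS = ("interface ", "line ", "ip dhcp pool ", "router ", "control-plane")
GLOBAL_RESETS = ("ip nat inside source", "ip route ", "access-list ",
                 "ip dhcp excluded", "sntp ", "ntp ", "hostname ", "end")
BOGONS = ("10.0.0.0", "172.16.0.0", "192.168.0.0", "127.0.0.0")
STATIC_NAT = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<in_ip>\S+) (?P<in_port>\d+) "
    r"interface (?P<ifname>\S+) (?P<out_port>\d+)$")

def parse_config(text):
    """Split into (global_lines, {block_header: [body]}). Indentation is ignored,
    since forum posts strip it; '!' or a global command closes an open block."""
    global_lines, blocks, current = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            current = None
        elif line.startswith(BLOCK_STARTS):
            current = line
            blocks[current] = []
        elif current is not None and not line.startswith(GLOBAL_RESETS):
            blocks[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    glob, blocks = parse_config(text)
    findings = []
    # 1. Two inside sockets on one outside proto/interface/port: only one can win.
    claimed = defaultdict(list)
    for m in filter(None, map(STATIC_NAT.match, glob)):
        claimed[(m["proto"], m["ifname"], m["out_port"])].append(f"{m['in_ip']}:{m['in_port']}")
    findings += [f"static NAT: {p}/{port} on {i} claimed by {v}"
                 for (p, i, port), v in claimed.items() if len(v) > 1]
    # 2. Management lines must restrict their source addresses (reply #2).
    findings += [f"{h}: no 'access-class <acl> in'" for h, body in blocks.items()
                 if h.startswith("line vty") and not any(
                     l.startswith("access-class ") and l.endswith(" in") for l in body)]
    # 3. Timestamped logs are only useful with a synced clock (reply #2).
    if not any(l.startswith(("sntp server ", "ntp server ")) for l in glob):
        findings.append("no sntp/ntp server configured")
    # 4. An excluded address implies the router should serve DHCP (reply #2).
    if any(l.startswith("ip dhcp excluded-address ") for l in glob) and \
            not any(h.startswith("ip dhcp pool ") for h in blocks):
        findings.append("ip dhcp excluded-address present but no ip dhcp pool")
    # 5. Each bogon range needs an inbound ACL deny or a Null0 route (reply #2).
    null0 = {l.split()[2] for l in glob if l.startswith("ip route ") and l.endswith(" Null0")}
    for net in BOGONS:
        denied = any(re.match(rf"access-list \d+ deny ip {re.escape(net)} ", l) for l in glob)
        if not denied and net not in null0:
            findings.append(f"{net}: no inbound ACL deny and no Null0 route")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports the colliding port-25 mappings, the unrestricted vty lines, the missing time source and DHCP pool, and the one bogon range (172.16.0.0/12) covered by neither the ACL nor a Null0 route; the hardened variant comes back clean. The checks only look at presence, not ACL ordering, so a deny placed after `permit ip any any` would still count as present.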

  3. #3
    Member ffantasy
    Join Date
    May 2002
    Location
    SG
    Posts
    69
    Thanks for the help

  4. #4
    SG Enthusiast
    Join Date
    Mar 2002
    Location
    Poland
    Posts
    1,107
    OK
    OTOH ... security on Cisco routers
    highly depends on which IOS image is running.
    Can you post your "show version" output? ...
