Velocity Reviews - Computer Hardware Reviews

Cisco 1721

 
 
habutti (Junior Member, Join Date: Feb 2008, Posts: 2)
02-21-2008
Hi, we set up a Cisco 1721 to work with Comcast cable (DHCP address from the ISP) in a small environment. All the clients/hosts on the LAN are getting an IP address and can ping the gateway, but we cannot get to the outside world (Internet). Your help is greatly appreciated, as well as all suggestions for performance/security improvements. Non-working config follows:

boot-start-marker
boot-end-marker
no service pad
no ip source-route
no scheduler allocate
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
no ip http server
no ip http secure-server
no ip bootp server
no ip finger
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service tcp-keepalives-in
logging buffered 4096 debugging
logging console warnings
ip tcp synwait-time 15
ip cef
ip audit notify log
ip audit po max-events 100
no cdp run
!
hostname 9014MD
!
enable secret 5 <xxxxxxxxxxx>
!
username JonDoe privilege 15 password 7 <xxxxxxxxxx>
clock timezone EST -5
clock summer-time EDT recurring
!
aaa new-model
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common
ip subnet-zero
!
!
ip dhcp excluded-address 172.16.0.1 172.16.0.10
!
ip dhcp pool INTERNAL
network 172.16.0.0 255.255.255.0
default-router 172.16.0.1
dns-server 68.87.73.242 68.87.71.226
!
interface Ethernet0
description WAN Interface to Comcast
ip address dhcp
ip access-group 100 in
ip access-group 101 out
no shutdown
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
full-duplex
no cdp enable
!
interface FastEthernet0
description LAN Interface to Private Network
ip address 172.16.0.1 255.255.255.0
no shutdown
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
speed 100
full-duplex
!
ip nat inside source list 110 interface Ethernet0 overload
ip classless
!
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
access-list 100 remark Basic Firewall to protect from Internet intruders
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 100 deny ip host 0.0.0.0 any log-input
access-list 100 deny ip any any log-input
!
access-list 101 remark Deny Illegitimate Traffic go outbound
access-list 101 deny tcp any any eq 135 log-input
access-list 101 deny tcp any eq 135 any log-input
access-list 101 deny udp any any eq 135 log-input
access-list 101 deny udp any eq 135 any log-input
access-list 101 deny tcp any any range 137 139 log-input
access-list 101 deny tcp any range 137 139 any log-input
access-list 101 deny udp any any range netbios-ns netbios-ss log-input
access-list 101 deny udp any range netbios-ns netbios-ss any log-input
access-list 101 deny tcp any any eq 445 log-input
access-list 101 deny tcp any eq 445 any log-input
access-list 101 deny udp any any eq 445 log-input
access-list 101 deny udp any eq 445 any log-input
access-list 101 deny tcp any any eq 593 log-input
access-list 101 deny tcp any eq 593 any log-input
access-list 101 deny tcp any any eq 707 log-input
access-list 101 deny tcp any eq 707 any log-input
access-list 101 deny tcp any any eq 4444 log-input
access-list 101 deny tcp any eq 4444 any log-input
access-list 101 deny ip host 0.0.0.0 any log-input
access-list 101 deny ip host 255.255.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip any 10.0.0.0 0.255.255.255 log-input
access-list 101 deny ip any 172.16.0.0 0.15.255.255 log-input
access-list 101 deny ip any 192.168.0.0 0.0.255.255 log-input
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny ip any any log-input
!
access-list 110 remark Deny NAT/PAT for Illegitimate Traffic
access-list 110 permit ip 172.16.0.0 0.0.0.255 any
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 any
access-list 110 deny ip any any log-input
!
!
control-plane
!
banner motd #

**********THIS SYSTEM IS FOR AUTHORIZED USERS ONLY**********

Individuals using this computer system are
subject to monitoring for compliance with
applicable policies and laws.

Anyone using this system expressly consents to such
monitoring, and is advised that if monitoring
reveals evidence of what could constitute
illegal activity under federal and/or applicable
state law, system personnel may refer this evidence
to appropriate law enforcement officials.#
!
line con 0
exec-timeout 0 0
password 7 <xxxxxxx>
logging synchronous
exec-timeout 5 0
line aux 0
password 7 <xxxxxxx>
no exec
line vty 0 4
access-class 25 in
exec-timeout 5 0
password 7 <xxxxxxx>
!
ntp server 207.211.160.111 prefer
!
end
 

Last edited by habutti; 02-21-2008 at 04:50 AM..
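Added example (editor's addition, not part of habutti's post): a small Python evaluator for the numbered ACLs in the config above, applying IOS first-match semantics with the implicit deny at the end of every list. Loaded with lists 1, 100 and 110 exactly as posted (plus two lines of list 101), it shows why nothing gets through: list 100 has no permit entry, so every inbound packet on Ethernet0, including replies from the configured DNS server 68.87.73.242, ends at "deny ip any any", and list 101 does the same to outbound traffic; NAT list 110, by contrast, does permit the 172.16.0.0/24 LAN. The WAN address 198.51.100.7, the remote address 203.0.113.9 and the port numbers are constructed stand-ins (the real DHCP address is not in the thread), and the port-name table is only the subset of IOS keywords the posted lists use.

```python
"""First-match evaluation of Cisco IOS numbered ACLs, including the implicit deny."""
import ipaddress

# Constructed input: lists 1, 100 and 110 as posted, plus two lines of list 101.
CONFIG = """
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 deny any
access-list 100 remark Basic Firewall to protect from Internet intruders
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 100 deny ip host 0.0.0.0 any log-input
access-list 100 deny ip any any log-input
access-list 101 deny udp any any range netbios-ns netbios-ss log-input
access-list 101 deny ip any any log-input
access-list 110 permit ip 172.16.0.0 0.0.0.255 any
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 any
access-list 110 deny ip any any log-input
"""

# IOS port keywords the posted lists use (assumption: a subset of the IOS table).
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139, "domain": 53}
ANY = (0, 0xFFFFFFFF)  # (base address, wildcard mask) for the keyword 'any'


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(t, i):
    """Address spec at t[i] -> ((base, wildcard), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (int(ipaddress.ip_address(t[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))), i + 2


def _parse_port(t, i):
    """Optional 'eq X' or 'range X Y' at t[i] -> ((lo, hi) or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i


def parse_acls(config):
    """ACL number -> ordered entries. Standard lists (1-99) match on source only."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        num, action = int(t[1]), t[2]
        if num < 100:
            # 'permit 1.2.3.4' with no wildcard means a single host
            src, _ = _parse_addr(t, 3) if len(t) > 4 or t[3] == "any" else _parse_addr(["host", t[3]], 0)
            e = dict(action=action, proto="ip", src=src, sport=None, dst=ANY, dport=None)
        else:
            src, i = _parse_addr(t, 4)
            sport, i = _parse_port(t, i)
            dst, i = _parse_addr(t, i)
            dport, _ = _parse_port(t, i)
            e = dict(action=action, proto=t[3], src=src, sport=sport, dst=dst, dport=dport)
        e["text"] = line.strip()
        acls.setdefault(num, []).append(e)
    return acls


def _addr_match(spec, addr):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # bits the entry compares (wildcard 1-bits are ignored)
    return (int(ipaddress.ip_address(addr)) & care) == (base & care)


def evaluate(entries, proto, src, dst, sport=0, dport=0):
    """Walk the list in order; return (verdict, entry text), or the implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(e["src"], src) and _addr_match(e["dst"], dst)):
            continue
        if e["sport"] and not e["sport"][0] <= sport <= e["sport"][1]:
            continue
        if e["dport"] and not e["dport"][0] <= dport <= e["dport"][1]:
            continue
        return e["action"], e["text"]
    return "deny", "(implicit deny at end of list)"


def permit_count(entries):
    return sum(e["action"] == "permit" for e in entries)


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    wan = "198.51.100.7"  # stand-in for the DHCP-assigned WAN address (constructed)
    print("list 100, DNS reply inbound:", evaluate(acls[100], "udp", "68.87.73.242", wan, 53, 40000))
    print("list 100 permit entries:", permit_count(acls[100]))
    print("list 101, DNS query outbound:", evaluate(acls[101], "udp", wan, "68.87.73.242", 40000, 53))
    print("list 110, LAN host:", evaluate(acls[110], "tcp", "172.16.0.25", "203.0.113.9", 50000, 80))
    print("list 110, stray 10/8 host:", evaluate(acls[110], "tcp", "10.0.0.25", "203.0.113.9", 50000, 80))
```

Paste any numbered list into CONFIG and call evaluate() with the packet you expect to pass; a list whose permit_count() is zero is a drop-everything filter no matter what the remark says, which is worth checking before touching NAT or routing.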
habutti (Junior Member, Join Date: Feb 2008, Posts: 2)
02-21-2008
Hi, I've made major changes to the config and at least now I am getting an IP address on the public interface, but I still cannot gain Internet access. Your help is greatly appreciated, thank you. Here is the current config:

interface Ethernet0
description WAN Interface to Comcast
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
full-duplex
no cdp enable
!
interface FastEthernet0
description LAN Interface to Private Network
ip address 172.16.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
speed 100
full-duplex
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
no ip http server
no ip http secure-server
!
!
!
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 deny any
access-list 100 remark Basic Firewall to protect from Internet intruders
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 100 deny ip host 0.0.0.0 any log-input
access-list 100 deny ip any any log-input
access-list 101 remark Deny Illegitimate Traffic go outbound
access-list 101 deny tcp any any eq 135 log-input
access-list 101 deny tcp any eq 135 any log-input
access-list 101 deny udp any any eq 135 log-input
access-list 101 deny udp any eq 135 any log-input
access-list 101 deny tcp any any range 137 139 log-input
access-list 101 deny tcp any range 137 139 any log-input
access-list 101 deny udp any any range netbios-ns netbios-ss log-input
access-list 101 deny udp any range netbios-ns netbios-ss any log-input
access-list 101 deny tcp any any eq 445 log-input
access-list 101 deny tcp any eq 445 any log-input
access-list 101 deny udp any any eq 445 log-input
access-list 101 deny udp any eq 445 any log-input
access-list 101 deny tcp any any eq 593 log-input
access-list 101 deny tcp any eq 593 any log-input
access-list 101 deny tcp any any eq 707 log-input
access-list 101 deny tcp any eq 707 any log-input
access-list 101 deny tcp any any eq 4444 log-input
access-list 101 deny tcp any eq 4444 any log-input
access-list 101 deny ip host 0.0.0.0 any log-input
access-list 101 deny ip host 255.255.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip any 10.0.0.0 0.255.255.255 log-input
access-list 101 deny ip any 172.16.0.0 0.15.255.255 log-input
access-list 101 deny ip any 192.168.0.0 0.0.255.255 log-input
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny ip any any log-input
no cdp run
!
 
 
 
 