Cisco 1721

Discussion in 'Cisco' started by habutti, Feb 21, 2008.

  1. habutti

    Cisco 1721 Configuration Issues

    Hi, we set up a Cisco 1721 to work with Comcast cable (DHCP address from ISP) in a small environment. All the clients/hosts on the LAN are getting an IP address and can ping the gateway, but we cannot get to the outside world (Internet). Your help is greatly appreciated, as well as all suggestions for performance/security improvements. Non-working config follows:

    boot-start-marker
    boot-end-marker
    no service pad
    no ip source-route
    no scheduler allocate
    no ip forward-protocol udp tftp
    no ip forward-protocol udp netbios-ns
    no ip forward-protocol udp netbios-dgm
    no ip forward-protocol udp tacacs
    no ftp-server write-enable
    no scripting tcl init
    no scripting tcl encdir
    no ip http server
    no ip http secure-server
    no ip bootp server
    no ip finger
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service tcp-keepalives-in
    logging buffered 4096 debugging
    logging console warnings
    ip tcp synwait-time 15
    ip cef
    ip audit notify log
    ip audit po max-events 100
    no cdp run
    !
    hostname 9014MD
    !
    enable secret 5 <xxxxxxxxxxx>
    !
    username JonDoe privilege 15 password 7 <xxxxxxxxxx>
    clock timezone EST -5
    clock summer-time EDT recurring
    !
    aaa new-model
    aaa authentication ppp default local
    aaa authorization network default if-authenticated
    aaa session-id common
    ip subnet-zero
    !
    !
    ip dhcp excluded-address 172.16.0.1 172.16.0.10
    !
    ip dhcp pool INTERNAL
    network 172.16.0.0 255.255.255.0
    default-router 172.16.0.1
    dns-server 68.87.73.242 68.87.71.226
    !
    interface Ethernet0
    description WAN Interface to Comcast
    ip address dhcp
    ip access-group 100 in
    ip access-group 101 out
    no shutdown
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    full-duplex
    no cdp enable
    !
    interface FastEthernet0
    description LAN Interface to Private Network
    ip address 172.16.0.1 255.255.255.0
    no shutdown
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    speed 100
    full-duplex
    !
    ip nat inside source list 110 interface Ethernet0 overload
    ip classless
    !
    ip route 0.0.0.0 0.0.0.0 Ethernet0
    ip route 10.0.0.0 255.0.0.0 Null0
    ip route 172.16.0.0 255.240.0.0 Null0
    ip route 192.168.0.0 255.255.0.0 Null0
    !
    access-list 100 remark Basic Firewall to protect from Internet intruders
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any log-input
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any log-input
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any log-input
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input
    access-list 100 deny ip 255.0.0.0 0.255.255.255 any log-input
    access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input
    access-list 100 deny ip host 0.0.0.0 any log-input
    access-list 100 deny ip any any log-input
    !
    access-list 101 remark Deny Illegitimate Traffic go outbound
    access-list 101 deny tcp any any eq 135 log-input
    access-list 101 deny tcp any eq 135 any log-input
    access-list 101 deny udp any any eq 135 log-input
    access-list 101 deny udp any eq 135 any log-input
    access-list 101 deny tcp any any range 137 139 log-input
    access-list 101 deny tcp any range 137 139 any log-input
    access-list 101 deny udp any any range netbios-ns netbios-ss log-input
    access-list 101 deny udp any range netbios-ns netbios-ss any log-input
    access-list 101 deny tcp any any eq 445 log-input
    access-list 101 deny tcp any eq 445 any log-input
    access-list 101 deny udp any any eq 445 log-input
    access-list 101 deny udp any eq 445 any log-input
    access-list 101 deny tcp any any eq 593 log-input
    access-list 101 deny tcp any eq 593 any log-input
    access-list 101 deny tcp any any eq 707 log-input
    access-list 101 deny tcp any eq 707 any log-input
    access-list 101 deny tcp any any eq 4444 log-input
    access-list 101 deny tcp any eq 4444 any log-input
    access-list 101 deny ip host 0.0.0.0 any log-input
    access-list 101 deny ip host 255.255.255.255 any log-input
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
    access-list 101 deny ip any 10.0.0.0 0.255.255.255 log-input
    access-list 101 deny ip any 172.16.0.0 0.15.255.255 log-input
    access-list 101 deny ip any 192.168.0.0 0.0.255.255 log-input
    access-list 101 deny udp any any eq netbios-ns
    access-list 101 deny udp any any eq netbios-dgm
    access-list 101 deny udp any any eq netbios-ss
    access-list 101 deny ip any any log-input
    !
    access-list 110 remark Deny NAT/PAT for Illegitimate Traffic
    access-list 110 permit ip 172.16.0.0 0.0.0.255 any
    access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log-input
    access-list 110 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log-input
    access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log-input
    access-list 110 deny ip 10.0.0.0 0.0.0.255 any
    access-list 110 deny ip any any log-input
    !
    !
    control-plane
    !
    banner motd #

    **********THIS SYSTEM IS FOR AUTHORIZED USERS ONLY**********

    Individuals using this computer system are
    subject to monitoring for compliance with
    applicable policies and laws.

    Anyone using this system expressly consents to such
    monitoring, and is advised that if monitoring
    reveals evidence of what could constitute
    illegal activity under federal and/or applicable
    state law, system personnel may refer this evidence
    to appropriate law enforcement officials.#
    !
    line con 0
    exec-timeout 0 0
    password 7 <xxxxxxx>
    logging synchronous
    exec-timeout 5 0
    line aux 0
    password 7 <xxxxxxx>
    no exec
    line vty 0 4
    access-class 25 in
    exec-timeout 5 0
    password 7 <xxxxxxx>
    !
    ntp server 207.211.160.111 prefer
    !
    end
     
    Last edited: Feb 21, 2008
    habutti, Feb 21, 2008
    #1
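Editor's addition, not part of habutti's post: the reason nothing gets through in the config above is that both WAN access lists consist entirely of deny statements. Access-list 100 (inbound on Ethernet0) runs through its anti-spoofing denies and then hits deny ip any any, so every packet arriving from Comcast is dropped, including the DHCP offer the interface needs before it can even get an address; access-list 101 (outbound on Ethernet0) ends the same way and drops everything leaving. The fragment below keeps the anti-spoofing and worm-port denies and adds the permits the original lists never had. A plain IOS ACL is stateless, so the inbound list has to name the return traffic explicitly: TCP replies via the established keyword (which matches any segment with ACK or RST set, so it also lets ACK scans through) and UDP replies from the DNS and NTP servers this config already points at. The CBAC lines at the end are an assumption about the IOS feature set on this 1721, not something the thread confirms.

```cisco
! Added example, not the poster's config. Rebuilds access-lists 100/101.
! Do this from the console: while a list is deleted but still applied,
! IOS treats the undefined list as permit-all until it is rebuilt.
!
no access-list 100
access-list 100 remark WAN inbound: drop spoofed sources, allow replies only
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any log-input
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any log-input
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any log-input
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any log-input
access-list 100 deny   ip 255.0.0.0 0.255.255.255 any log-input
access-list 100 deny   ip 224.0.0.0 31.255.255.255 any log-input
access-list 100 deny   ip host 0.0.0.0 any log-input
! DHCP offer/ack from Comcast (server port 67 to client port 68),
! required for "ip address dhcp" on Ethernet0 to complete
access-list 100 permit udp any eq bootps any eq bootpc
! Replies to LAN-originated TCP; stateless, matches any ACK/RST segment
access-list 100 permit tcp any any established
! UDP replies from the DNS and NTP servers already used in this config
access-list 100 permit udp host 68.87.73.242 eq domain any
access-list 100 permit udp host 68.87.71.226 eq domain any
access-list 100 permit udp host 207.211.160.111 eq ntp any eq ntp
! ICMP needed for ping replies, traceroute and path MTU discovery
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 deny   ip any any log-input
!
no access-list 101
access-list 101 remark WAN outbound: block Windows RPC/NetBIOS/SMB ports, permit the rest
access-list 101 deny   tcp any any eq 135 log-input
access-list 101 deny   udp any any eq 135 log-input
access-list 101 deny   tcp any any range 137 139 log-input
access-list 101 deny   udp any any range netbios-ns netbios-ss log-input
access-list 101 deny   tcp any any eq 445 log-input
access-list 101 deny   udp any any eq 445 log-input
access-list 101 deny   tcp any any eq 593 log-input
access-list 101 deny   tcp any any eq 4444 log-input
! Never send private-destination traffic to the ISP
access-list 101 deny   ip any 10.0.0.0 0.255.255.255 log-input
access-list 101 deny   ip any 172.16.0.0 0.15.255.255 log-input
access-list 101 deny   ip any 192.168.0.0 0.0.255.255 log-input
! The line the original list was missing
access-list 101 permit ip any any
!
interface Ethernet0
 ip access-group 100 in
 ip access-group 101 out
!
! Preferred if the image carries the IOS Firewall feature set (assumption):
! stateful inspection opens the return pinholes itself, so the "established"
! and per-server UDP permits in list 100 can then be removed.
! ip inspect name FW tcp
! ip inspect name FW udp
! ip inspect name FW icmp
! interface Ethernet0
!  ip inspect FW out
```

The outbound list sees packets after NAT, so the source is the router's public address; that is why the denies there are on destinations only. Check hit counts with show access-lists after a LAN host tries to browse: if the final deny on list 100 is what is counting up, the missing permit is for some return traffic the list does not yet name.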

  2. habutti

    Cisco 1721 Config/Performance Issues

    Hi, I've made major changes to the config, and at least now I am getting an IP address on the public interface, but I still cannot gain Internet access. Your help is greatly appreciated, thank you. Here is the current config:

    interface Ethernet0
    description WAN Interface to Comcast
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    full-duplex
    no cdp enable
    !
    interface FastEthernet0
    description LAN Interface to Private Network
    ip address 172.16.0.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    speed 100
    full-duplex
    !
    ip nat inside source list 1 interface Ethernet0 overload
    ip classless
    no ip forward-protocol udp tftp
    no ip forward-protocol udp netbios-ns
    no ip forward-protocol udp netbios-dgm
    no ip forward-protocol udp tacacs
    ip route 0.0.0.0 0.0.0.0 Ethernet0
    ip route 10.0.0.0 255.0.0.0 Null0
    ip route 172.16.0.0 255.240.0.0 Null0
    ip route 192.168.0.0 255.255.0.0 Null0
    no ip http server
    no ip http secure-server
    !
    !
    !
    access-list 1 permit 172.16.0.0 0.0.0.255
    access-list 1 deny any
    access-list 100 remark Basic Firewall to protect from Internet intruders
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any log-input
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any log-input
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any log-input
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input
    access-list 100 deny ip 255.0.0.0 0.255.255.255 any log-input
    access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input
    access-list 100 deny ip host 0.0.0.0 any log-input
    access-list 100 deny ip any any log-input
    access-list 101 remark Deny Illegitimate Traffic go outbound
    access-list 101 deny tcp any any eq 135 log-input
    access-list 101 deny tcp any eq 135 any log-input
    access-list 101 deny udp any any eq 135 log-input
    access-list 101 deny udp any eq 135 any log-input
    access-list 101 deny tcp any any range 137 139 log-input
    access-list 101 deny tcp any range 137 139 any log-input
    access-list 101 deny udp any any range netbios-ns netbios-ss log-input
    access-list 101 deny udp any range netbios-ns netbios-ss any log-input
    access-list 101 deny tcp any any eq 445 log-input
    access-list 101 deny tcp any eq 445 any log-input
    access-list 101 deny udp any any eq 445 log-input
    access-list 101 deny udp any eq 445 any log-input
    access-list 101 deny tcp any any eq 593 log-input
    access-list 101 deny tcp any eq 593 any log-input
    access-list 101 deny tcp any any eq 707 log-input
    access-list 101 deny tcp any eq 707 any log-input
    access-list 101 deny tcp any any eq 4444 log-input
    access-list 101 deny tcp any eq 4444 any log-input
    access-list 101 deny ip host 0.0.0.0 any log-input
    access-list 101 deny ip host 255.255.255.255 any log-input
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
    access-list 101 deny ip any 10.0.0.0 0.255.255.255 log-input
    access-list 101 deny ip any 172.16.0.0 0.15.255.255 log-input
    access-list 101 deny ip any 192.168.0.0 0.0.255.255 log-input
    access-list 101 deny udp any any eq netbios-ns
    access-list 101 deny udp any any eq netbios-dgm
    access-list 101 deny udp any any eq netbios-ss
    access-list 101 deny ip any any log-input
    no cdp run
    !
     
    habutti, Feb 21, 2008
    #2
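Editor's addition following up on the second post, not habutti's config: with the two WAN access lists no longer applied to Ethernet0, the remaining suspect is the default route. ip route 0.0.0.0 0.0.0.0 Ethernet0 points at a multi-access interface with no next hop, so the router has to ARP for every Internet destination and depends on the upstream gateway answering proxy ARP for the whole Internet, which it may not. It also has administrative distance 1, so it beats the default route that ip address dhcp installs from the DHCP router option (AD 254). The fragment removes it, defines the access-list 25 that the vty lines reference but that appears nowhere in the config (an access-class pointing at an undefined list lets every source connect, which is the opposite of what was intended), and lists the show commands to confirm each hop of the path. The domain name is a placeholder and the SSH commands assume a crypto-capable (k9) image on this 1721.

```cisco
! Added example, not the poster's config.
!
! 1. Routing: let the DHCP-learned gateway be the default route.
no ip route 0.0.0.0 0.0.0.0 Ethernet0
! Explicit equivalent on 12.3(8)T and later images:
! ip route 0.0.0.0 0.0.0.0 dhcp
!
! 2. Management plane. access-class 25 is applied on vty 0 4 but list 25
!    is never defined, which permits every source. Define it.
access-list 25 remark Management access from the LAN only
access-list 25 permit 172.16.0.0 0.0.0.255
access-list 25 deny   any log
!
! aaa new-model is on, so state the login method; JonDoe is the local user
aaa authentication login default local
!
! SSH instead of Telnet (needs a k9 image; domain name is a placeholder)
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 25 in
 exec-timeout 5 0
 transport input ssh
!
! 3. Verify from enable mode, in path order:
! show ip interface brief    Ethernet0 up/up with the Comcast address
! show ip route              S* 0.0.0.0/0 [254/0] via <Comcast gateway>
! ping <Comcast gateway>     router reaches its next hop
! ping 68.87.73.242          router reaches the Internet (no NAT involved)
! then from a LAN host: ping 68.87.73.242 and nslookup, and on the router
! show ip nat translations   entries for the host appear (NAT working)
```

The original line con 0 carried both exec-timeout 0 0 and exec-timeout 5 0; only the last one entered takes effect, so the fragment keeps the five-minute value. If show ip route still shows the static default after the no command, the router has also been given a default by another means and that should be removed before retesting.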
