Configuration of Cisco 851 router - please help!

andreas
I have tried several guides and posts around the configuration of Cisco 851, but since I am new to Cisco IOS, I would greatly appreciate any help to get this device up and running. Thank you very much in advance.

With the current config, Internet access seems to be working from the device itself, but not from the internal LAN, and I am also unsure about how to add server access.

ISP information
WAN address: 87.63.224.94
Additional addresses: 87.63.224.95, 87.63.224.93, 87.63.224.92
Gateway: 87.63.224.93
Subnet: 255.255.255.252
Ip-net: 87.63.224.92
DNS (primary): 194.239.134.83 (ns3.tele.dk)
DNS (secondary): 193.162.153.164 (ns3.inet.tele.dk)
SMTP relay: pasmtp.tele.dk
Time: 193.162.159.194 (ntp1.tele.dk), 193.162.145.130 (ntp2.tele.dk)

Subnet A
What I want to achieve is to have one subnet A, say 192.168.1.0/24, for connecting clients. This subnet should have DHCP enabled; the DNS should point to the external name servers (194.239.134.83 and 193.162.153.164). All incoming traffic to this subnet should be blocked, all outgoing should be permitted. When users browse the Internet, they should have public IP 87.63.224.94.

Servers
The additional public IPs should bridge (or forward, since I am not sure bridging is possible in this scenario/with this router?) to separate servers, e.g. 87.63.224.92 to server A (say 10.10.10.1 if bridging is not possible), 87.63.224.95 to server B (say 10.10.10.2 if bridging is not possible) and so on. When these servers access the Internet, they should have the corresponding public IP, say 87.63.224.92 for server A and 87.63.224.95 for server B. All incoming and outgoing traffic should be enabled, since these servers will have firewalls etc. themselves.

This is the running config of the router: 10.10.10.1
----------------------------------------------------------------------------
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c851
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$8nr9$qXmAPcM9d6n8saPOJRuaL1
enable password XXXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1027398853
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1027398853
revocation-check none
rsakeypair TP-self-signed-1027398853
!
!
crypto pki certificate chain TP-self-signed-1027398853
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303237 33393838 3533301E 170D3032 30333031 30353030
33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30323733
39383835 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BB07 98DE77AF 5E9A52B8 8ED22B54 61FEAA2C B2B95E3B E4E99975 3D797F9A
C82EF0AB A793A419 2480B80F 5F8BBE49 39151C4A 29DF86BF D2C44236 6E831F22
79A74117 9BAD0C0B 41DF3DD2 205EF7CE AD2A00B5 D520A2E5 521792F6 0F94B0CB
B5C7CE24 5C7AB0A3 4D5EB95C 7A7B740A 573B8C16 06873927 B399DA17 F0A6454B
F1A10203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13633835 312E796F 7572646F 6D61696E 2E636F6D 301F0603
551D2304 18301680 14CE5618 F260DE4C DA5FB915 DED9D3A8 2C3E1ECB D5301D06
03551D0E 04160414 CE5618F2 60DE4CDA 5FB915DE D9D3A82C 3E1ECBD5 300D0609
2A864886 F70D0101 04050003 81810011 188B1B2D 4A188135 A225954A 061222C6
E11172A7 154BD34A EAC00E53 DAEEC6F2 A86F8B7B A4BB83C0 6E5C1855 1B6E9B67
9B7C557F 8AFBB713 8130F66C 32CEB8D1 A98FE9F9 A1333FF8 4AF59079 5813F317
6B236FA3 482D80A7 23998DFB ABDE377D AE0EEC08 29226052 45806998 A742A5DE
F2B1565B 52B1D450 E97D9978 B9D5D6
quit
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
dns-server 194.239.134.83 193.162.153.164
lease 4
!
ip dhcp pool Internal-net
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 194.239.134.83 193.162.153.164
lease 4
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name yourdomain.com
ip name-server 194.239.134.83
ip name-server 193.162.153.164
!
!
!
username XXXXXXXXXXXXXX privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 87.63.224.94 255.255.255.252
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface BVI2
description Bridge to Internal Network
mtu 1514
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.63.224.93
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.1.0 0.0.0.255
no cdp run
!
control-plane
!
banner exec ^CAuthorized access only!!!
^C
banner login ^CAuthorized access only!!!
^C
!
line con 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXX
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password 7 XXXXXXXXXXXXXXXXX
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
    Fregeus

    You do not have all the external IPs you mentioned. Your IPs are set as follows:

    87.63.224.92: Network definition (Cannot be used)
    87.63.224.93: Your ISP router
    87.63.224.94: Your router
    87.63.224.95: Broadcast definition, (Cannot be used)

    Therefore, you have one address and one address only, which is the .94

    Second, you created 2 vlans but did not assign any of them to interfaces, making them, well, useless. You either configure the interfaces without the vlans or you create the vlans and then assign them to interfaces.

    You need to create firewall rules (access-lists) in order to allow your users to browse and protect them at the same time. Remember that a Cisco router is not stateful, therefore you have to create rules for outgoing requests AND incoming replies.

    That's it for now. Only took a quick look.

    Oh, recreate your certificate and don't show it next time.


    TCB
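One way to put the two posts together in a working config, as an added example that is part of neither andreas' running config nor Fregeus' answer: it implements the "subnet A" requirements from the question (one DHCP LAN, clients appearing as 87.63.224.94, nothing unsolicited allowed in) and the "rules for outgoing requests AND incoming replies" point from the answer. It assumes, as the answer says, that 87.63.224.94 is the only usable public address, so server access is done with port forwarding rather than one public IP per server; it also assumes the 851's IOS image includes the firewall feature set (`ip inspect`, which does the stateful part that plain access-lists cannot), and it uses 192.168.1.10 as a hypothetical server address and TCP/80 as a hypothetical published port. Addresses, DNS and NTP servers are the ones given in the question.

```ios
! Added example config for the thread above (not the poster's config, not the answer's).
! Assumptions: only 87.63.224.94 is usable; the image supports CBAC (ip inspect);
! 192.168.1.10 / TCP 80 is a hypothetical server and port to publish.
!
! --- 1. One LAN on Vlan1 (FastEthernet0-3 are members of Vlan1 by default on the 851).
!        Remove the unused bridge and the SDM 10.10.10.0/29 leftovers; the existing
!        "ip dhcp pool Internal-net" already hands out 192.168.1.0/24 with the ISP DNS.
no interface BVI2
no bridge irb
no ip dhcp pool sdm-pool
no ip dhcp excluded-address 10.10.10.1
!
interface Vlan1
 description Internal LAN (subnet A)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
! --- 2. Clients browse as 87.63.224.94: PAT every LAN host behind the WAN interface.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet4 overload
!
! --- 3. Server access with a single public address: forward a port instead of a 1:1
!        mapping (one line per published port; 192.168.1.10:80 is an assumption).
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet4 80
!
! --- 4. Stateful "outgoing allowed, incoming blocked": CBAC inspects sessions leaving
!        FastEthernet4 and opens return pinholes, so the inbound ACL only lists what is
!        allowed unsolicited. router-traffic also covers the router's own DNS lookups.
ip inspect name OUTBOUND tcp router-traffic
ip inspect name OUTBOUND udp router-traffic
ip inspect name OUTBOUND icmp
!
ip access-list extended WAN-IN
 remark published service (matches the static NAT above)
 permit tcp any host 87.63.224.94 eq 80
 remark NTP replies from the ISP time servers named in the question
 permit udp host 193.162.159.194 eq ntp host 87.63.224.94
 permit udp host 193.162.145.130 eq ntp host 87.63.224.94
 remark ICMP needed for path MTU discovery and diagnostics
 permit icmp any host 87.63.224.94 packet-too-big
 permit icmp any host 87.63.224.94 time-exceeded
 permit icmp any host 87.63.224.94 unreachable
 deny   ip any any log
!
interface FastEthernet4
 ip access-group WAN-IN in
 ip inspect OUTBOUND out
!
ntp server 193.162.159.194
ntp server 193.162.145.130
!
! --- 5. Management hardening the posted config still lacks: the reversible type-7
!        "enable password" sitting next to the enable secret, and Telnet on the VTYs.
no enable password
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 access-class 23 in
 transport input ssh
!
! Checks after applying:
!   show ip nat translations     LAN hosts should appear as 87.63.224.94:<port>
!   show ip inspect sessions     one entry per open outbound connection
!   show access-lists WAN-IN     hit count on the deny line = blocked inbound traffic
```

Two caveats worth knowing before pasting this in: `no interface BVI2` and `no bridge irb` drop the address the poster's LAN is currently using, so apply it from the console or from the new Vlan1 address rather than over a session to 192.168.1.1 on BVI2, and `crypto key generate rsa` needs the hostname and `ip domain name` already set, which the posted config does.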
