Tweaking the CISCO 851w/871w config generated by techrepublic script

jnicita1970
I used the script created by George that I downloaded from here. I used the script that was for the 851w because for some reason my 871w doesn't allow the multiple VLANs; I paid 800, but didn't get the advanced IOS. Anyway, I needed to set up 2 secured wireless LANs, one that couldn't talk to the other, for guests. The problem is, I don't have any firewalls activated, and whenever I attempt to activate the basic firewall, it starts complaining that existing rule sets need adjustment, and I assume it's for the 2 WLANs. I've gone ahead and let it make its changes, but then my network doesn't work. I also have 2 services inside my network I would like to present outside with NATing, but using the NAT config from SDM I have entered it all the way I had it before, and none of that is working either.

Here's my config; maybe someone can at least tell me why my NATing isn't working for port 3389 and port 5001.


Building configuration...

Current configuration : 5723 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname nicita_router
!
boot-start-marker
boot-end-marker
!
! "secret 5" is an MD5 hash; the type-7 strings below (enable password, line
! passwords) are reversibly encoded, not hashed, so mask them before posting.
enable secret 5 $blah blah blah
enable password 7 blah blah
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.0.130 192.168.0.254
ip dhcp excluded-address 192.168.2.116 192.168.2.254
!
ip dhcp pool Internal-net
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   domain-name nicita.com
   dns-server 68.6.16.30 68.2.16.30
   netbios-name-server 192.168.0.200
   lease 4
!
ip dhcp pool VLAN20
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 68.6.16.30 68.2.16.30
!
!
! CBAC inspection rule; applied outbound on FastEthernet4 and Dot11Radio0.20.
! It opens return paths only for sessions that start on the inspected side.
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name nicita.com
ip name-server 68.6.16.30
!
!
crypto pki trustpoint TP-self-signed-518058115
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-518058115
 revocation-check none
 rsakeypair TP-self-signed-518058115
!
!
! Self-signed certificate used by the HTTPS (SDM) server; public data, not a secret.
crypto pki certificate chain TP-self-signed-518058115
 certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35313830 35383131 35301E17 0D303730 35303230 30303835
  335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3531 38303538
  31313530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  BED25EB2 86933954 0155F22A 8A53F826 388DAD48 341A577B 750144B4 F184753E
  F123C14A DF5793BB A74BE3A8 C220B2DE FA03C35F DD5879C5 950CFD4F DC249E11
  A24D8E7B 3C27F20E E035C85B 58011B2B 66F6BFBA 896B9733 056C62EC 21A2A1E7
  E6D1DD58 F1C5F5D3 260D1242 1473F19C E295E4F0 B4F0BD89 3AF11B74 7D1AF039
  02030100 01A37830 76300F06 03551D13 0101FF04 05300301 01FF3023 0603551D
  11041C30 1A82186E 69636974 615F726F 75746572 2E6E6963 6974612E 636F6D30
  1F060355 1D230418 30168014 A5573A10 DBB3FAFE B588DF97 BDC0D64E B5CD0FE5
  301D0603 551D0E04 160414A5 573A10DB B3FAFEB5 88DF97BD C0D64EB5 CD0FE530
  0D06092A 864886F7 0D010104 05000381 81008BD8 427F3807 B8A0F981 A2A88082
  112BE417 8E033C44 1A23CA57 EE9969BD 5E06F167 6D0C9F3F 05F52DB6 1EA120B1
  44222BAF 34FCD884 6088FA73 A7F51591 65F082C2 AD2CB751 2B8FA6AE F79B08CE
  D4FB70C9 785A8337 BBDBD078 4456D55B 1D6DC260 412FBFFA CBB992DF F58DADD2
  C028E029 090508F8 75294C89 90E1D197 1A95
  quit
username nicitaja privilege 15 password blah blah
!
!
!
bridge irb
!
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
! Outside (Internet) interface. Packets arriving here are checked against
! Internet-inbound-ACL before any outside-to-inside NAT translation happens.
interface FastEthernet4
 ip address 70.166.24.xxx 255.255.255.192
 ip access-group Internet-inbound-ACL in
 ip inspect MYFW out
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 !
 ssid nicita-eng
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 blah
 !
 ssid nicita-guest
    vlan 20
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 blah
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 no dot11 extension aironet
 no cdp enable
!
! Internal WLAN: bridged into VLAN 1 / BVI1 (192.168.0.0/24)
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
! Guest WLAN: routed, its own subnet, filtered by Guest-ACL
interface Dot11Radio0.20
 description Guest wireless LAN - routed WLAN
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip access-group Guest-ACL in
 ip inspect MYFW out
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to Internal Network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 70.166.24.193
!
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
! Static port forwards to the outside interface address. They only translate;
! the inbound packet still has to be permitted by Internet-inbound-ACL first.
ip nat inside source static tcp 192.168.0.240 5001 interface FastEthernet4 5001
ip nat inside source static tcp 192.168.0.200 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.0.200 3389 interface FastEthernet4 3389
!
! Guest isolation: anything toward the internal LAN is dropped, the rest is allowed
ip access-list extended Guest-ACL
 deny   ip any 192.168.0.0 0.0.0.255
 permit ip any any
! Inbound from the Internet: only ICMP, GRE and ESP are permitted. TCP 3389,
! UDP 3389 and TCP 5001 are not listed, so new connections to the forwarded
! ports hit the implicit deny at the end of this list (CBAC only adds entries
! for return traffic of sessions that started inside).
ip access-list extended Internet-inbound-ACL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
!
! NAT source list: both the internal and the guest subnet get PAT to the Internet
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
control-plane
!
bridge 1 route ip
!
line con 0
 password 7 054F031F35454D2D1C04031A
 no modem enable
line aux 0
line vty 0 4
 password 7 100A0C09111E112F09053E23
!
scheduler max-task-time 5000
end
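Why the forwards fail is visible in the config itself: Internet-inbound-ACL on FastEthernet4 permits only ICMP, GRE and ESP, CBAC (ip inspect MYFW out) only opens return paths for sessions that started inside, and IOS evaluates the inbound ACL before outside-to-inside NAT, so a new connection to TCP/UDP 3389 or TCP 5001 is dropped before the static translation is ever consulted. The script below is an added example, not code from the original post: it parses a trimmed, constructed excerpt of that config (the masked public address is replaced with the documentation address 198.51.100.10, and 203.0.113.7 is a stand-in Internet client), evaluates each static port-forward against the outside interface's inbound ACL with IOS first-match semantics and the implicit deny, and emits the ACEs that would open it. The parser handles only the syntax present in this config (named extended ACLs with any/host/wildcard addresses and eq port matches, single-line static NAT entries); it is not a general IOS parser.

```python
import re
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src dst dport")  # dport (lo, hi) or None

def _ip(a):
    return int.from_bytes(bytes(int(o) for o in a.split(".")), "big")

def _addr_matches(spec, probe):  # wildcard 1-bits are "don't care": OR them in
    addr, wild = spec
    return (_ip(probe) | _ip(wild)) == (_ip(addr) | _ip(wild))

def _parse_addr(tok, i):  # any | host A | A WILDCARD
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _parse_ports(tok, i):  # eq N | nothing (e.g. an ICMP type such as "echo")
    op = tok[i] if i < len(tok) else None
    if op == "eq":
        return (int(tok[i + 1]), int(tok[i + 1])), i + 2
    if op in ("range", "gt", "lt", "neq"):
        raise ValueError(f"port operator {op} not modelled; audit that ACE by hand")
    return None, i

def parse_ace(line):
    tok = line.split()
    src, i = _parse_addr(tok, 2)
    _, i = _parse_ports(tok, i)  # source-port qualifiers are not audited
    dst, i = _parse_addr(tok, i)
    return Ace(tok[0], tok[1], src, dst, _parse_ports(tok, i)[0])

def parse_config(cfg):  # -> (acls, interfaces, static nats) from a config excerpt
    acls, ifaces, nats, block = {}, {}, [], None
    for raw in cfg.splitlines():
        line, tok = raw.strip(), raw.split()
        if not tok or line.startswith("!"):  # "!" ends an IOS block
            block = None if line.startswith("!") else block
        elif line.startswith("ip access-list extended "):
            block, acls[tok[3]] = ("acl", tok[3]), []
        elif line.startswith("interface "):
            block, ifaces[tok[1]] = ("if", tok[1]), {}
        elif line.startswith("ip nat inside source static "):
            m = re.match(r"ip nat inside source static (tcp|udp) \S+ \d+ interface (\S+) (\d+)$", line)
            nats.append((m[1], m[2], int(m[3])))  # (proto, outside interface, outside port)
        elif block and block[0] == "acl" and tok[0] in ("permit", "deny"):
            acls[block[1]].append(parse_ace(line))
        elif block and block[0] == "if" and tok[:2] == ["ip", "address"]:
            ifaces[block[1]]["ip"] = tok[2]
        elif block and block[0] == "if" and tok[:2] == ["ip", "access-group"] and tok[-1] == "in":
            ifaces[block[1]]["acl_in"] = tok[2]
    return acls, ifaces, nats

def acl_verdict(aces, proto, src_ip, dst_ip, dport):  # first match wins, then implicit deny
    for a in aces:
        if (a.proto in ("ip", proto) and _addr_matches(a.src, src_ip)
                and _addr_matches(a.dst, dst_ip)
                and (a.dport is None or a.dport[0] <= dport <= a.dport[1])):
            return a.action
    return "deny"

def audit_forwards(cfg, probe_src="203.0.113.7"):
    """Inbound-ACL verdict for a new connection from probe_src to each static forward."""
    acls, ifaces, nats = parse_config(cfg)
    out = {}
    for proto, oif, oport in nats:
        intf = ifaces.get(oif, {})
        # IOS applies the inbound ACL before outside-to-inside NAT, so the ACE
        # must match the outside address and port, not the inside host.
        out[(proto, oport)] = "permit" if "acl_in" not in intf else acl_verdict(
            acls[intf["acl_in"]], proto, probe_src, intf["ip"], oport)
    return out

def suggested_aces(verdicts, trusted_src="any"):  # ACEs to append for blocked forwards
    src = "any" if trusted_src == "any" else f"host {trusted_src}"
    return [f"permit {p} {src} any eq {port}"
            for (p, port), v in sorted(verdicts.items()) if v != "permit"]

# Constructed excerpt of the posted config; the masked public address becomes 198.51.100.10.
POSTED_CFG = """\
interface FastEthernet4
 ip address 198.51.100.10 255.255.255.192
 ip access-group Internet-inbound-ACL in
!
ip nat inside source static tcp 192.168.0.240 5001 interface FastEthernet4 5001
ip nat inside source static tcp 192.168.0.200 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.0.200 3389 interface FastEthernet4 3389
!
ip access-list extended Internet-inbound-ACL
 permit icmp any any echo
 permit esp any any
!
"""
# The same excerpt with the suggested ACEs appended to the inbound ACL.
FIXED_CFG = POSTED_CFG[:-2] + "".join(f" {a}\n" for a in suggested_aces(audit_forwards(POSTED_CFG))) + "!\n"

if __name__ == "__main__":
    print(audit_forwards(POSTED_CFG), suggested_aces(audit_forwards(POSTED_CFG)))
    print(audit_forwards(FIXED_CFG))
```

The same evaluator models Guest-ACL, which is why the guest subnet stays cut off from 192.168.0.0/24 while still reaching the Internet. Note that `permit tcp any any eq 3389` exposes RDP to every Internet host; passing a known address to `suggested_aces(..., "203.0.113.7")` yields `host`-scoped entries, and a VPN in front of RDP is the safer design. On the router, `show ip access-lists Internet-inbound-ACL` (per-ACE hit counts) and `show ip nat translations` confirm whether packets are being dropped at the ACL or never translated; the SDM firewall wizard asks to adjust the existing rule sets, i.e. it rewrites these interface ACLs, so re-run the check after it has applied its changes.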
    retro77

    Just as a precaution, mask out all your passwords, even if they are just hashes. Also mask out public IP addresses.

    You have a lot of stuff going on here. What works currently? Also, did you just copy the script from here word for word, or did you incorporate it into an existing config?

    Just for starters, do you need an IP address on the VLAN interface?

    I forget the command [it's been 4 years since I worked on Cisco], but you need to verify what version of software you are running. Then go to Cisco's website and verify that your version of software can run the features you are trying to run.

    jnicita1970

    It's all working right now. I got the config here, after my device got jacked up and I did a write erase and reload. Last time I started with SDM and managed to get it all working. This time I used the script from here, the one for standard IOS, because for some reason I don't have advanced IOS on the router. As I posted it, both wireless LANs work, and as wanted, users that join the guest WLAN (x.x.2.x) can't get to the primary WLAN (x.x.0.x). The stuff that isn't working is the stuff I added later from other articles, basically the 3 hand-added lines of nat inside commands on the br1 interface. Also, no firewall is loaded, so when I go to firewall and it tells me there is none, do I want to create one (in SDM), when it's done, nothing works anymore. I had all the NAT port translation working previously, so I know it should work; it's now about trying to get it to work without jacking up the configuration that keeps the two networks from being able to communicate with each other. I just get completely lost within the config at times, and thought I would ask.
