Network Configuration
Cisco 837 border router
Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.3(11)T5, RELEASE SOFTWARE (fc1)
DSL interface PPPoE connected to Fairpoint.
Ethernet interface
IP 192.168.1.1
running DHCP
Running configuration
Building configuration...

Current configuration : 4985 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service compress-config
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 123456789123456789
!
username something password 7 123456789123456789
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool CLIENT
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name fupc.net
lease 0 2
!
!
ip name-server 64.222.165.243
ip name-server 64.222.84.243
no ip bootp server
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname blah@blah.com
ppp chap password 7 123456789123456789
ppp pap sent-username blah@Blah.com password 123456789123456789
ppp ipcp dns request
ppp ipcp wins request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static udp 192.168.1.2 49156 interface Dialer1 49156
ip nat inside source static tcp 192.168.10.20 49156 interface Dialer1 49156
ip nat inside source static tcp 192.168.10.20 49155 interface Dialer1 49155
ip nat inside source static tcp 192.168.10.20 49157 interface Dialer1 49157
!
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 102 permit udp any any eq domain
access-list 102 permit udp any any eq 49156
access-list 102 permit udp any any eq 443
access-list 102 permit udp any any eq 5198
access-list 102 permit udp any any eq 5199
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq isakmp
access-list 102 permit esp any any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq 49155
access-list 102 permit tcp any any eq 49156
access-list 102 permit tcp any any eq 49157
access-list 102 permit tcp any any eq 8000
access-list 102 permit tcp any any eq 6667
access-list 102 permit tcp any any eq 8080
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq 22
access-list 102 permit tcp any any eq 7000
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq 995
access-list 102 permit tcp any any eq 587
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq 5010
access-list 102 permit tcp any any eq 5222
access-list 102 permit tcp any any eq 5100
access-list 102 permit tcp any any eq 5190
access-list 102 permit tcp any any eq 5050
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 5200
access-list 102 permit icmp any any
access-list 102 deny ip any any
access-list 111 permit udp any host 192.168.1.2 eq 49156
access-list 111 permit tcp any host 192.168.1.2 eq 49156
access-list 111 permit tcp any host 192.168.1.2 eq 49155
access-list 111 permit tcp any host 192.168.1.2 eq 49157
access-list 111 permit udp any any eq domain
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
transport preferred ssh
transport input ssh
!
scheduler max-task-time 5000
end
The next device in line is a Cisco PIX 506 firewall. The untrusted interface acquires its IP via DHCP.
The trusted interface is a DHCP server with a limited pool so I can statically assign my workstation and server.
Configuration:
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 123456789 encrypted
passwd 123456789 encrypted
hostname firewall
domain-name blah.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
object-group service bittorrent tcp
port-object range 49155 49157
object-group service torrent udp
port-object range 49155 49157
access-list outbound permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any object-group bittorrent
access-list outbound permit udp any any eq 49156
access-list outbound permit tcp any any object-group bittorrent
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 8000
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 6667
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 8080
access-list outbound permit icmp 192.168.10.0 255.255.255.0 any
access-list outbound permit udp 192.168.10.0 255.255.255.0 any eq 443
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq ssh
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 7000
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq telnet
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 995
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 587
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq smtp
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 5010
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 5222
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 5100
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 5050
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq aol
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq pop3
access-list outbound permit udp 192.168.10.0 255.255.255.0 any eq 5198
access-list outbound permit udp 192.168.10.0 255.255.255.0 any eq 5199
access-list outbound permit udp any any eq 4500
access-list outbound permit udp any any eq isakmp
access-list outbound permit udp 192.168.10.0 255.255.255.0 any eq tftp
access-list outbound permit esp any any
access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 5200
access-list outbound deny ip any any
access-list inbound permit udp any interface outside eq 49156
access-list inbound permit udp any interface outside eq tftp
access-list inbound permit tcp any interface outside object-group bittorrent
access-list inbound deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 49157 192.168.10.21 49157 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49156 192.168.10.21 49156 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49155 192.168.10.21 49155 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49156 192.168.10.21 49156 netmask 255.255.255.255 0 0
static (inside,outside) udp interface tftp 192.168.10.20 tftp netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10

So, a couple of questions based on this setup.
I would like to lock the router down to the same set of outbound packets as the firewall (this I think I may have completed). At some point I would like to put a VoIP server in the "DMZ" between the border router and the firewall, nothing critical, just a fun project for myself and a couple of my friends. There is also the possibility of a forum server going in there. Anyway, long story short, the pressing issue I have now is that BitTorrent doesn't work. I assume this is due to a lack of port forwarding on my border router. The access list permits it, there is just no static route. I had it working before I changed out the router, so if someone could give me the proper syntax for the route command that would be great. The other issue at hand is that my packets for BitTorrent are NAT overloaded twice (PAT). Does this cause an issue, or am I trying the impossible? Oh yes, please don't make fun of me for not logging the firewall and router properly; it's still a work in progress.

Thank You,

//John
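An added consistency check, not part of John's post: it parses the static NAT, route and inbound-ACL lines of the border-router config above (a constructed excerpt is embedded) and reports, for each port forward, whether the router has a route more specific than the default to the inside target and whether the ACL applied inbound on Dialer1 can ever match it, since IOS evaluates an inbound ACL on the outside interface before outside-to-inside NAT. The regexes and the finding strings are this example's own, not IOS output.

```python
import ipaddress
import re

# Constructed excerpt of the IOS config in the post: only the lines that form
# the port-forwarding path for the torrent ports.
IOS_CONFIG = """
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
interface Dialer1
 ip address negotiated
 ip access-group 111 in
ip route 0.0.0.0 0.0.0.0 Dialer1
ip nat inside source static udp 192.168.1.2 49156 interface Dialer1 49156
ip nat inside source static tcp 192.168.10.20 49156 interface Dialer1 49156
access-list 111 permit udp any host 192.168.1.2 eq 49156
access-list 111 permit tcp any host 192.168.1.2 eq 49156
access-list 111 permit udp any any eq domain
"""

STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) \d+ interface \S+ (\d+)")
ACL_RE = re.compile(r"access-list (\d+) permit (tcp|udp) any (any|host \S+) eq (\S+)")
PREFIX_RE = re.compile(r"(?:ip address|ip route) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
INBOUND_ACL_RE = re.compile(r"ip access-group (\d+) in")

def check_port_forwards(cfg):
    """Map (proto, outside port) of each static NAT entry to its findings.
    Check 1: the inside target needs a connected or static route more specific
    than the default, or the translated packet follows the default route back out.
    Check 2: IOS evaluates the inbound ACL on the outside interface before
    outside-to-inside NAT, so 'host <inside address>' never matches there.
    """
    routes = [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in PREFIX_RE.findall(cfg)]
    routes = [n for n in routes if n.prefixlen > 0]  # the default route does not count
    inbound = set(INBOUND_ACL_RE.findall(cfg))        # ACLs applied inbound on interfaces
    acl = {}
    for num, proto, dst, port in ACL_RE.findall(cfg):
        if num in inbound and port.isdigit():
            acl[(proto, int(port))] = dst
    findings = {}
    for proto, inside_ip, outside_port in STATIC_RE.findall(cfg):
        issues = []
        if not any(ipaddress.ip_address(inside_ip) in n for n in routes):
            issues.append(f"no connected or static route to {inside_ip}")
        dst = acl.get((proto, int(outside_port)))
        if dst is None:
            issues.append("no inbound ACL entry permits this port")
        elif dst.startswith("host ") and ipaddress.ip_address(dst.split()[1]).is_private:
            issues.append(f"inbound ACL matches post-NAT address {dst.split()[1]}")
        findings[(proto, int(outside_port))] = issues
    return findings
```

Run against the full running config, the same check also covers the 49155 and 49157 TCP forwards, which share the routing gap of the 49156 entry.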