Results 1 to 5 of 5

Thread: Cisco IOS 837 Router config.

  1. #1
    Junior Member JohnCanty's Avatar
    Join Date
    Mar 2009
    Location
    Manchester, NH
    Posts
    2

    Cisco IOS 837 Router config.

    Network Configuration
    Cisco 837 border router
    Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.3(11)T5, RELEASE SOFTWARE (fc1)
    DSL interface ppoe connected to Fairpoint.
    Ethernet interface
    IP 192.168.1.1
    running DHCP
    Running configuration
    Building configuration...

    Current configuration : 4985 bytes
    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service compress-config
    service sequence-numbers
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable secret 5 123456789123456789
    !
    username something password 7 123456789123456789
    no aaa new-model
    ip subnet-zero
    !
    !
    ip dhcp excluded-address 192.168.1.1
    !
    ip dhcp pool CLIENT
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    domain-name fupc.net
    lease 0 2
    !
    !
    ip name-server 64.222.165.243
    ip name-server 64.222.84.243
    no ip bootp server
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    ip ips po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    interface Ethernet0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    no cdp enable
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0/35
    pppoe-client dial-pool-number 1
    !
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    interface Dialer1
    ip address negotiated
    ip access-group 111 in
    ip mtu 1492
    ip nat outside
    ip inspect myfw out
    ip virtual-reassembly
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer remote-name redback
    dialer-group 1
    no cdp enable
    ppp authentication pap chap callin
    ppp chap hostname blah@blah.com
    ppp chap password 7 123456789123456789
    ppp pap sent-username blah@Blah.com password 123456789123456789
    ppp ipcp dns request
    ppp ipcp wins request
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static udp 192.168.1.2 49156 interface Dialer1 49156
    ip nat inside source static tcp 192.168.10.20 49156 interface Dialer1 49156
    ip nat inside source static tcp 192.168.10.20 49155 interface Dialer1 49155
    ip nat inside source static tcp 192.168.10.20 49157 interface Dialer1 49157
    !
    access-list 23 permit 192.168.1.0 0.0.0.255
    access-list 102 permit udp any any eq domain
    access-list 102 permit udp any any eq 49156
    access-list 102 permit udp any any eq 443
    access-list 102 permit udp any any eq 5198
    access-list 102 permit udp any any eq 5199
    access-list 102 permit udp any any eq non500-isakmp
    access-list 102 permit udp any any eq isakmp
    access-list 102 permit esp any any
    access-list 102 permit tcp any any eq www
    access-list 102 permit tcp any any eq 443
    access-list 102 permit tcp any any eq 49155
    access-list 102 permit tcp any any eq 49156
    access-list 102 permit tcp any any eq 49157
    access-list 102 permit tcp any any eq 8000
    access-list 102 permit tcp any any eq 6667
    access-list 102 permit tcp any any eq 8080
    access-list 102 permit tcp any any eq ftp-data
    access-list 102 permit tcp any any eq ftp
    access-list 102 permit tcp any any eq 22
    access-list 102 permit tcp any any eq 7000
    access-list 102 permit tcp any any eq telnet
    access-list 102 permit tcp any any eq 995
    access-list 102 permit tcp any any eq 587
    access-list 102 permit tcp any any eq smtp
    access-list 102 permit tcp any any eq 5010
    access-list 102 permit tcp any any eq 5222
    access-list 102 permit tcp any any eq 5100
    access-list 102 permit tcp any any eq 5190
    access-list 102 permit tcp any any eq 5050
    access-list 102 permit tcp any any eq pop3
    access-list 102 permit tcp any any eq 5200
    access-list 102 permit icmp any any
    access-list 102 deny ip any any
    access-list 111 permit udp any host 192.168.1.2 eq 49156
    access-list 111 permit tcp any host 192.168.1.2 eq 49156
    access-list 111 permit tcp any host 192.168.1.2 eq 49155
    access-list 111 permit tcp any host 192.168.1.2 eq 49157
    access-list 111 permit udp any any eq domain
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    login local
    length 0
    transport preferred ssh
    transport input ssh
    !
    scheduler max-task-time 5000
    end
    The next device in line is a cisco pix 506 firewall. Untrusted interface acquires it's ip via dhcp
    Trusted interface is a dhcp server with limited pool so I can statically assign my workstation and server.
    Configuration:
    PIX Version 6.3(5)
    interface ethernet0 10full
    interface ethernet1 10full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 123456789 encrypted
    passwd 123456789 encrypted
    hostname firewall
    domain-name blah.net
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    no fixup protocol tftp 69
    names
    object-group service bittorrent tcp
    port-object range 49155 49157
    object-group service torrent udp
    port-object range 49155 49157
    access-list outbound permit udp 192.168.10.0 255.255.255.0 any eq domain
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq www
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq https
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any object-group bittorrent
    access-list outbound permit udp any any eq 49156
    access-list outbound permit tcp any any object-group bittorrent
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 8000
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 6667
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 8080
    access-list outbound permit icmp 192.168.10.0 255.255.255.0 any
    access-list outbound permit udp 192.168.10.0 255.255.255.0 any eq 443
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq ftp
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq ssh
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 7000
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq telnet
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 995
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 587
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq smtp
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 5010
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 5222
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 5100
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 5050
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq aol
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq pop3
    access-list outbound permit udp 192.168.10.0 255.255.255.0 any eq 5198
    access-list outbound permit udp 192.168.10.0 255.255.255.0 any eq 5199
    access-list outbound permit udp any any eq 4500
    access-list outbound permit udp any any eq isakmp
    access-list outbound permit udp 192.168.10.0 255.255.255.0 any eq tftp
    access-list outbound permit esp any any
    access-list outbound permit tcp 192.168.10.0 255.255.255.0 any eq 5200
    access-list outbound deny ip any any
    access-list inbound permit udp any interface outside eq 49156
    access-list inbound permit udp any interface outside eq tftp
    access-list inbound permit tcp any interface outside object-group bittorrent
    access-list inbound deny ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 49157 192.168.10.21 49157 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 49156 192.168.10.21 49156 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 49155 192.168.10.21 49155 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 49156 192.168.10.21 49156 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface tftp 192.168.10.20 tftp netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    access-group outbound in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10

    So a couple questions based on this setup.
    I would like to lock the router down to the same set of outbound packets as the firewall (this I think I may have completed). At some point in time I would like to put a VOIP server in the "dmz" between the border router and the firewall, nothing critical just a fun project for myself and a couple of my friends. Also there is the possibility of a forum server going in there. Anyway long story short, the pressing issue I have now is that bittorrent doesn't work. I assume this is due to a lack of port forwarding on my border router. The access list permits it, there is just no static route. I had it working before I changed out the router so if someone could give me the proper syntax for the route command that would be great. The other issue at hand is my packets for bittorrent are nat overloaded twice (pat) does this cause an issue, am i trying the impossible? Oh yes, please don't make fun of me for not logging the firewall and router properly it's still a work in progress.

    Thank You,

    //John

  2. #2
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    bittorrent uses ports 6881-6889

    object-group service BitTorrent tcp
      port-object range 6881 6889


    access-list outside_access_in remark BitTorrent Ports
    access-list outside_access_in permit tcp any object-group BitTorrent interface outside object-group BitTorrent

    static (inside,outside) tcp interface 6881 192.168.1.20 6881 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 6882 192.168.1.20 6882 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 6883 192.168.1.20 6883 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 6884 192.168.1.20 6884 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 6885 192.168.1.20 6885 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 6886 192.168.1.20 6886 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 6887 192.168.1.20 6887 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 6888 192.168.1.20 6888 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 6889 192.168.1.20 6889 netmask 255.255.255.255 0 0
    In God We Trust....Everything else we backup.

  3. #3
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    To be clear...

    You are going to static route from the PIX to the router (192.168.1.1)
    then static route on the router to the machine behind it running bittorrent(192.168.1.21 ???).
    Additionally, you will need to ensure you have inbound acls on both devices to allow this traffic.
    In God We Trust....Everything else we backup.

  4. #4
    Junior Member JohnCanty's Avatar
    Join Date
    Mar 2009
    Location
    Manchester, NH
    Posts
    2
    yes I forced my bittorrent client on 192.168.10.21 to use ports 49155-49157 and use udp 49156

    I would assume the router has to know about the network behind the nat on the firewall?


    Quote Originally Posted by Cheap Scotch Ron View Post
    To be clear...

    You are going to static route from the PIX to the router (192.168.1.1)
    then static route on the router to the machine behind it running bittorrent(192.168.1.21 ???).
    Additionally, you will need to ensure you have inbound acls on both devices to allow this traffic.

  5. #5
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Well, if you are going to do that
    I forced my bittorrent client on 192.168.10.21 to use ports 49155-49157 and use udp 49156
    then let the bittorrent traffic flow through the PIX firewall on the usual bittorrent ports and then port forward on the 837 from the usual ports to the ones you have substituted.
    In God We Trust....Everything else we backup.

Similar Threads

  1. Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability
    By Spyder32 in forum Miscellaneous Security Discussions
    Replies: 1
    Last Post: May 27th, 2008, 01:17 PM
  2. Cisco Router Enumeration
    By n00bius in forum The Security Tutorials Forum
    Replies: 10
    Last Post: July 24th, 2007, 03:48 PM
  3. Port List
    By ThePreacher in forum Miscellaneous Security Discussions
    Replies: 17
    Last Post: December 14th, 2006, 09:37 PM
  4. anyone want to help me with some cisco hw?
    By Simo in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: October 28th, 2003, 03:47 PM
  5. how to hack cisco a router... wow
    By NUKEM6 in forum Non-Security Archives
    Replies: 1
    Last Post: February 3rd, 2002, 11:28 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •