OK, hopefully this might benefit/entertain others. Else I can take it
off-list if need be.
So, I'm working on my CCNA (from the books/net, no class. =( ) and I just
redid my network. The config I have is working and an nmap scan of the
outside (cable modem) interface shows all ports filtered. However, I added a
wireless router onto the 806 instead of running it separate and I'm guessing
I've probably missed a big hole somewhere. Like presenting 2 interfaces to
the world instead of one. Albeit one is non-routable. Yes, I realize NTP
might be a problem. I tried to set no login on the vty's but it (I) messed
up AAA somehow doing that.
I have 128 bit WEP on the wireless. I don't broadcast the SSID and the ports
are filtered there as well. I guess my question is do I need a policy on the
inside cisco interface? Is my idea correct that the 806 can be a DMZ after I
connect the other routers? Or am I getting way past myself here LOL.
Right now it looks like this. I will be attaching a 2503, 2505 and 1924
later to practice on. Also, I'm getting Prelude-IDS (Nagios, Nessus, Snort,
Samhain) set up on the .2 linux box.
Thanks,
Darrin
Internet (cable) --- (DHCP) cisco 806 (192.168.0.1) --- (.2,.3)
                                |
                                |
                          (192.168.0.4)
                         netgear wireless
                          (192.168.1.1)
                                |
                                |
                         (wireless hosts)
Here is the config:
Using 7260 out of 131072 bytes
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cerberus
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
security passwords min-length 11
logging console critical
logging monitor informational
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip dhcp excluded-address 192.168.0.1 192.168.0.4
!
ip dhcp pool CLIENT
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 lease 0 2
!
!
ip domain name XXXXXXXXXXXXXXXXXXX
ip host elektra 192.168.0.2
ip host lumi 192.168.0.3
ip host wgt624 192.168.0.4
no ip bootp server
ip cef
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
login block-for 5 attempts 5 within 5
no ftp-server write-enable
!
!
username XXX secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
interface Ethernet0
 description LAN Interface
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 description WAN Interface
 ip address dhcp client-id Ethernet1
 ip access-group autosec_complete_bogon in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect autosec_inspect out
 ip virtual-reassembly
 no cdp enable
!
ip classless
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 102 interface Ethernet1 overload
!
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended autosec_complete_bogon
 permit icmp any any administratively-prohibited
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any unreachable
 permit udp any eq bootps any eq bootpc
 permit udp any eq bootps any eq bootps
 permit udp any eq domain any
 permit udp any any eq ntp
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 7.0.0.0 0.255.255.255 any
 deny ip 23.0.0.0 0.255.255.255 any
 deny ip 27.0.0.0 0.255.255.255 any
 deny ip 31.0.0.0 0.255.255.255 any
 deny ip 36.0.0.0 0.255.255.255 any
 deny ip 37.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 42.0.0.0 0.255.255.255 any
 deny ip 49.0.0.0 0.255.255.255 any
 deny ip 50.0.0.0 0.255.255.255 any
 deny ip 58.0.0.0 0.255.255.255 any
 deny ip 59.0.0.0 0.255.255.255 any
 deny ip 60.0.0.0 0.255.255.255 any
 deny ip 70.0.0.0 0.255.255.255 any
 deny ip 71.0.0.0 0.255.255.255 any
 deny ip 72.0.0.0 0.255.255.255 any
 deny ip 73.0.0.0 0.255.255.255 any
 deny ip 74.0.0.0 0.255.255.255 any
 deny ip 75.0.0.0 0.255.255.255 any
 deny ip 76.0.0.0 0.255.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 deny ip 78.0.0.0 0.255.255.255 any
 deny ip 79.0.0.0 0.255.255.255 any
 deny ip 83.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 deny ip 85.0.0.0 0.255.255.255 any
 deny ip 86.0.0.0 0.255.255.255 any
 deny ip 87.0.0.0 0.255.255.255 any
 deny ip 88.0.0.0 0.255.255.255 any
 deny ip 89.0.0.0 0.255.255.255 any
 deny ip 90.0.0.0 0.255.255.255 any
 deny ip 91.0.0.0 0.255.255.255 any
 deny ip 92.0.0.0 0.255.255.255 any
 deny ip 93.0.0.0 0.255.255.255 any
 deny ip 94.0.0.0 0.255.255.255 any
 deny ip 95.0.0.0 0.255.255.255 any
 deny ip 96.0.0.0 0.255.255.255 any
 deny ip 97.0.0.0 0.255.255.255 any
 deny ip 98.0.0.0 0.255.255.255 any
 deny ip 99.0.0.0 0.255.255.255 any
 deny ip 100.0.0.0 0.255.255.255 any
 deny ip 101.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 0.255.255.255 any
 deny ip 103.0.0.0 0.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 105.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 107.0.0.0 0.255.255.255 any
 deny ip 108.0.0.0 0.255.255.255 any
 deny ip 109.0.0.0 0.255.255.255 any
 deny ip 110.0.0.0 0.255.255.255 any
 deny ip 111.0.0.0 0.255.255.255 any
 deny ip 112.0.0.0 0.255.255.255 any
 deny ip 113.0.0.0 0.255.255.255 any
 deny ip 114.0.0.0 0.255.255.255 any
 deny ip 115.0.0.0 0.255.255.255 any
 deny ip 116.0.0.0 0.255.255.255 any
 deny ip 117.0.0.0 0.255.255.255 any
 deny ip 118.0.0.0 0.255.255.255 any
 deny ip 119.0.0.0 0.255.255.255 any
 deny ip 120.0.0.0 0.255.255.255 any
 deny ip 121.0.0.0 0.255.255.255 any
 deny ip 122.0.0.0 0.255.255.255 any
 deny ip 123.0.0.0 0.255.255.255 any
 deny ip 124.0.0.0 0.255.255.255 any
 deny ip 125.0.0.0 0.255.255.255 any
 deny ip 126.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 201.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip any any log
logging trap debugging
logging facility local2
no cdp run
!
control-plane
!
banner motd ^C
Authorized Access Only
This system is the property of XXXXXXXXXXXXXXXXX.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged.
^C
!
line con 0
 exec-timeout 5 0
 password 7 NNNNNNNNNNNNNNNNNN
 logging synchronous
 login authentication local_auth
 transport output ssh
line vty 0 4
 password 7 NNNNNNNNNNNNNNNN
 logging synchronous
 login authentication local_auth
 transport preferred ssh
 transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17168539
ntp server 216.136.10.198
ntp server 213.222.11.222
end
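A small config review a reader of this thread might script, as an added example that is not part of the original post and not Cisco's tooling: it parses a constructed excerpt of the 806 config above and flags the two points Darrin raises himself, the inside interface that carries no access-group, and the bogon ACL entry that accepts NTP from any source instead of only from the two configured `ntp server` addresses. The block structure (one-space indented sub-commands, `!` separators) is the IOS running-config layout; the excerpt keeps only the lines the checks need.

```python
import re

# Constructed excerpt of the posted 806 config (only the lines the checks need).
CONFIG = """\
interface Ethernet0
 description LAN Interface
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 description WAN Interface
 ip access-group autosec_complete_bogon in
 ip nat outside
 ip inspect autosec_inspect out
!
ip access-list extended autosec_complete_bogon
 permit udp any any eq ntp
 deny ip any any log
!
ntp server 216.136.10.198
ntp server 213.222.11.222
"""

def parse_blocks(text):
    """Group an IOS config into (header, [sub-commands]); '!' or a top-level line ends a block."""
    blocks, header, body = [], None, []
    for line in (l.rstrip() for l in text.splitlines()):
        if line == "!" or not line:
            continue
        if line.startswith(" "):          # indented => belongs to the current block
            body.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line, []
    if header is not None:
        blocks.append((header, body))
    return blocks

def audit(text):
    """Return findings: inside interface without policy, inbound NTP open to any source."""
    blocks = parse_blocks(text)
    ntp_servers = [h.split()[2] for h, _ in blocks if h.startswith("ntp server ")]
    acls = {h.split()[-1]: b for h, b in blocks if h.startswith("ip access-list ")}
    findings = []
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        name = header.split()[1]
        if "ip nat inside" in body and not any(l.startswith("ip access-group") for l in body):
            findings.append(f"{name}: inside interface has no access-group; LAN/wireless hosts reach the router unfiltered")
        for l in body:
            m = re.match(r"ip access-group (\S+) in$", l)
            for entry in acls.get(m.group(1), []) if m else []:
                if entry == "permit udp any any eq ntp":   # wide open; restrict to known servers
                    fix = " / ".join(f"permit udp host {s} eq ntp any" for s in ntp_servers)
                    findings.append(f"{name}: '{entry}' accepts NTP from any source; tighten to: {fix}")
    return findings
```

Running `audit(CONFIG)` on the excerpt returns two findings; applying the suggested lines (an access-group on Ethernet0 and per-server NTP permits) brings it to zero.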
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:20:03 EDT