
871W Config Problem

Discussion in 'Other Cisco Equipment' started by DocLarge, Mar 17, 2007.

Thread Status:
Not open for further replies.
  1. DocLarge

    DocLarge Super Moderator Staff Member Member

    Kspare and I actually had this working until I messed with it :) Hey, I wanted to put it together on my own for assurance, and now it's crapped its shorts.
    Can anyone spot the problem, because I can't? Wireless works, I'm getting IPs from the gateway, but I can't get on the internet:
    --------------------------------------------------------------------------
    Guardwire#sh run
    Building configuration...

    Current configuration : 3783 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Guardwire
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    !
    no aaa new-model
    !
    resource policy
    !
    ip subnet-zero
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.32.1 172.16.32.12
    ip dhcp excluded-address 172.16.32.101
    ip dhcp excluded-address 172.16.32.102 172.16.32.255
    !
    ip dhcp pool Guardtower
    import all
    network 172.16.32.0 255.255.255.0
    domain-name guardtower-solutions.biz
    dns-server 172.16.32.1
    default-router 172.16.32.1
    lease 7
    !
    !
    no ip domain lookup
    ip domain name guardtower-solutions.biz
    !
    !
    crypto pki trustpoint TP-self-signed-3833788792
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3833788792
    revocation-check none
    rsakeypair TP-self-signed-3833788792
    !
    !
    crypto pki certificate chain TP-self-signed-3833788792
    certificate self-signed 01
    quit
    username doclarge privilege 15 password 0 xxxxxxxxxxxx
    !
    !
    !
    bridge irb
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    ip address dhcp
    ip access-group 10 in
    ip access-group 10 out
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface Dot11Radio0
    no ip address
    !
    encryption mode ciphers tkip
    !
    ssid guardwire
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 guardwire
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
    54.0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Vlan1
    no ip address
    bridge-group 1
    !
    interface BVI1
    ip address 172.16.32.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source route-map nonat interface FastEthernet4 overload
    !
    access-list 10 permit any
    route-map nonat permit 10
    match ip address 110
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    password xxxxxxxxxxxxx
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    end
    --------------------------------------------------------------------------
    Oh where art thou issue?

    Jay
     
  2. ifican

    ifican Network Guru Member

    Several recommendations that we will get into later; nothing jumps right out at me, everything seems to be in order enough to make it work. I would do the following: 1) make sure your router is pulling an IP via FE4 (the command "show ip interface brief" will do that for you). If it's got an IP, see if you can ping past the router via IP; maybe it's a name resolution issue. Check if you can ping from the router out and then from a host out, and we can proceed from there.
     
  3. kspare

    kspare Computer Guy Staff Member Member

    match ip address 110 needs to be match ip address 10
     
  4. ifican

    ifican Network Guru Member

    That was one of the things I was going to suggest a cleanup on, because when I glanced over the config I didn't see a route-map implemented, but lo and behold, when I looked closely:

    ip nat inside source route-map nonat interface FastEthernet4 overload

    There it was, plain as day. Funny thing is, my horoscope said yesterday to pay close attention or you'll miss something; it was right for once :). Good catch, and I second the motion that that should fix yas right up.
     
  5. kspare

    kspare Computer Guy Staff Member Member

    Actually, we're both still wrong.

    It should be:

    access-list 110 permit ip 172.16.32.0 0.0.0.255 any
    route-map nonat permit 10
    match ip address 110

    You don't want to use the same list as 10; you should specify the literal subnets that can be NATted. The 110 access list will be used later on for VPNs.
     
  6. ifican

    ifican Network Guru Member

    Well, for confusion's sake that is correct, but it should have still worked that way. Also, while we are at it, there is no need for the ACL on FE4; that really isn't doing anything. And just curious, but if you want to run any ACL on FE4, why not use one based on and utilizing the firewall feature set the router comes with, i.e. ip inspect? That way you let CBAC decide what gets in and what doesn't.
     
  7. DocLarge

    DocLarge Super Moderator Staff Member Member

    Man,

    I'm still pretty much "in the dark" with this router. I'm slowly making my way through. I actually had it working Saturday morning, but when I got back Sunday evening, it had stopped working again. I did a "sh ip int brief" and saw that fa4 didn't have an IP assigned to it anymore. I stuck my WRVS4400N in place of the 871w and it pulled a WAN IP address.

    This is pissing me off...

    Jay
     
  8. Toxic

    Toxic Administrator Staff Member

    lol Jay.

    Linksys 1 - Cisco 0

    I'm sure you'll get there in the end. It just needs more refinement than the Linksys does :)
     
  9. DocLarge

    DocLarge Super Moderator Staff Member Member

    *heh*

    So true... Such is the price for moving to "the real thing." :)

    Jay
     
  10. kspare

    kspare Computer Guy Staff Member Member

    Have you got the latest IOS for the router?
     
  11. DocLarge

    DocLarge Super Moderator Staff Member Member

    Yep. And all is working. I deleted "everything" and just did a Frank Sinatra (My Way) and all is playing nice. I just need to figure out how to apply the firewall rules now. In the interim, I just threw firewall software on my two machines sitting behind my 871w till I figure that part out:
    --------------------------------------------------------------------------
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    !
    no aaa new-model
    !
    resource policy
    !
    ip subnet-zero
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.32.1 172.16.32.12
    ip dhcp excluded-address 172.16.32.15 172.16.32.101
    ip dhcp excluded-address 172.16.32.102 172.16.32.255
    !
    ip dhcp pool Guardtower
    network 172.16.32.0 255.255.255.0
    dns-server 172.16.32.12 194.xxx.xxx.100 194.xxx.xxx.100
    default-router 172.16.32.1
    domain-name guardtower.biz
    lease 7
    !
    !
    ip domain name guardtower.biz
    ip host guardnas 172.16.32.101
    ip host guard2 172.16.32.12
    ip host citadel13 172.16.32.13
    !
    !
    crypto pki trustpoint TP-self-signed-3833788792
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3833788792
    revocation-check none
    rsakeypair TP-self-signed-3833788792
    !
    !
    crypto pki certificate chain TP-self-signed-3833788792
    certificate self-signed 01
    quit
    username doclarge privilege 15 password 0 xxxxxxxx
    !
    !
    !
    bridge irb
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface Dot11Radio0
    no ip address
    !
    broadcast-key change 3600 membership-termination
    !
    !
    encryption mode ciphers tkip
    !
    ssid xxxxxxxxxxxxx
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 xxxxxxxxxxxxxxx
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
    54.0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Vlan1
    no ip address
    bridge-group 1
    !
    interface BVI1
    ip address 172.16.32.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    ip classless
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 10 interface FastEthernet4 overload
    !
    access-list 10 permit any
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    end
    --------------------------------------------------------------------------
    The signal strength is 100% considering I'm in the same room with it. I'll see if it stays up overnight...

    Jay
     
  12. Toxic

    Toxic Administrator Staff Member

    Come on, you've had this long enough to fix that VPN tunnel for me now, m8 :)
     
  13. DocLarge

    DocLarge Super Moderator Staff Member Member

    Get outta my azz, man! :) I just finally figured out how to get the friggin' thing to stay running longer than two minutes! *LOL*

    I can hide it no longer; it's "work" running IOS full time as opposed to the comfort of SOHO gear, but I recommend it to break from the norm :)

    Jay
     
  14. ifican

    ifican Network Guru Member

    It might be a little work to get it going, but in time it gets easier, just like everything else. However, once it is working you won't have to touch it unless something needs to be changed.
     
  15. DocLarge

    DocLarge Super Moderator Staff Member Member

    Truth be told, I'm loving it!! I was getting bored with SOHO stuff anyway (I needed the challenge).

    I'll probably stick with the "better and proven end" of Linksys gear (WRV54G, RV0xx series, and maybe WRVS4400N) for simple installs and look at CISCO for small business and medium business clients...

    Jay
     
  16. kspare

    kspare Computer Guy Staff Member Member

    IOS is easy to run. Once you get going you just build your own template and voilà, you are doing configs in 5 mins....

    It's building the config that is the hard part.
     
  17. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Agreed. Jay and I are configuring his 871W one step at a time. It's easier to digest that way so we've broken the work effort into different "lessons". Once Jay has completed each lesson, maybe we can convince him to compile the steps into a FAQ. I've put comments inline with all the configuration steps that I've sent him so it should be straightforward.

    So far:

    Lesson 1: We've got the SPI firewall and NAT config working.

    Lesson 2: We're currently working on site-to-site VPN.

    Lesson 3: Next step after that will be remote-access VPN.

    Lesson 4: Probably advanced protocol inspection rules

    Eric
     
  18. DocLarge

    DocLarge Super Moderator Staff Member Member

    I am "sooooo" kicking azz in this I may buy stock in cisco!! :) Barring my making "typos" that Eric strategically points out, I've got CISCO IOS flowing in my veins again!!!

    GO CISCO!!!

    Guys, I did a search on "router 101" and got a plethora of answers. If there are any questions you want to know about IOS, this link has captured mucho!! I'll post it in a separate thread and make it a sticky most likely...

    Jay
     
  19. kspare

    kspare Computer Guy Staff Member Member

    Atta boy!
     
  20. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Lesson 1 and 2 complete. Jay now has a site-to-site, h/w-accelerated 128-bit AES VPN between my ASA5505 and his 871W. Stateful packet inspection is turned on too. Maybe we should do Lesson 4 next so he can put his VoIP solution in behind his 871W. We aren't inspecting SIP now but should.....

    Fun and games!
     
  21. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Lesson 1 -- 871W Configured as SPI Firewall

    Note that this configuration will perform general inspection of TCP, UDP and ICMP traffic. It does NOT inspect FTP, SIP, IM, etc. That will be another "lesson", but suffice it to say this configuration will "break" these protocols from progressing properly across the firewall.
    ! ===================================================================================
    ! Lesson I -- How to turn your 871W into a Stateful Packet Inspection (SPI) Firewall!
    ! ===================================================================================
    !
    ! Step (1) configures CBAC to inspect TCP, UDP and ICMP traffic
    ip inspect name OUTBOUND tcp
    ip inspect name OUTBOUND udp
    ip inspect name OUTBOUND icmp
    !
    ! Step (2) permits inside-initiated traffic FROM the 172.16.32.0/24 network (ie: inside hosts)
    ! to any host on the outside
    ! Note: These are extended access lists, meaning that they are filtering on both source & destination
    ! addresses and (optionally) port numbers....
    access-list 101 permit ip 172.16.32.0 0.0.0.255 any
    access-list 101 deny ip any any
    !
    ! applies the ACL and inspection rule to the inside interface in an inward direction
    ! (remember "inward" direction is with respect to the interface). In effect, this
    ! will inspect all outbound traffic (from a security level perspective)
    ! Your (now) stateful packet inspection firewall will only allow packets in to your network
    ! that match up as "replies" to the traffic that was allowed out.
    !
    ! This is your Bridge Virtual Interface which comprises your WLAN and LAN interfaces:
    interface BVI1
    ip inspect OUTBOUND in
    ip access-group 101 in
    !
    !
    !
    !
    ! Now you have an SPI firewall. It will block all unsolicited inbound packets, while allowing
    ! you to browse the Internet from any inside host.
     
  22. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Lesson 2 -- 871W Site-to-Site VPN + Adjust NAT Config

    ! ===============================================================
    ! Lesson 2 -- Configuring a Site-to-Site VPN to a Remote Site
    ! ===============================================================
    ! (remember, The remote site will setup the same information, but in reverse,
    ! for this to work....
    ! Assume local network = 172.16.32.0/24, remote network = 192.168.0.0/24
    !----------------------------------
    ! Task 1: Configure Phase I Stuff
    !----------------------------------
    ! enable ISAKMP on your system
    crypto isakmp enable
    ! create an ISAKMP (Phase I) policy:
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    group 2
    hash sha
    lifetime 28800
    ! define how the VPN identifies itself (FQDN or IP address)
    crypto isakmp identity address
    ! define the preshared key back to the other VPN gateway (Breezy! in this case)
    crypto isakmp key <secretkey> address A.B.C.D
    !
    ! ----------------------------------
    ! Task 2: Configure Phase II Stuff
    ! ----------------------------------
    ! allow router to negotiate NAT-T
    crypto ipsec nat-transparency udp-encapsulation
    ! setup encryption cipher strength and hash
    crypto ipsec transform-set toBREEZY esp-aes esp-sha-hmac
    ! Configures global IPSec SA lifetime values used when negotiating IPSec security associations
    crypto ipsec security-association lifetime seconds 86400
    ! create an ACL which will define the traffic that will be protected by the VPN
    ! which in our case is source = 172.16.32.0/24 to destination = 192.168.0.0/24 (GuardTower to Breezy!)
    access-list 110 permit ip 172.16.32.0 0.0.0.255 192.168.0.0 0.0.0.255
    ! Define a crypto map which will define the security association to the other VPN gateway
    crypto map VPN-MAP 110 ipsec-isakmp
    match address 110
    set peer A.B.C.D
    set pfs group2
    set transform-set toBREEZY
    set security-association lifetime seconds 86400
    ! apply the crypto map to the outgoing interface
    ! and activate the IPSec policy...
    interface FastEthernet4
    crypto map VPN-MAP
    ! ==========================================
    ! Task 3: Adjust NAT Configuration (3 steps)
    ! ==========================================
    ! This configuration is for inside interface =BVI1, outside =FastEthernet4
    ! It assumes that there already is a basic PAT config on the router
    !
    ! Step 1
    ! ---------------------
    ! Now we'll change your NAT config to use a route-map to define which traffic will and will not
    ! be NAT'd. deny=don't NAT; permit=do NAT
    ! We'll create an access list that defines this rule:
    !
    access-list 199 deny ip 172.16.32.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 199 permit ip 172.16.32.0 0.0.0.255 any
    !
    ! Step 2
    ! ---------------------
    ! Create a route map which, when applied to the NAT config, will prevent the source=your net / dest'n=my net
    ! traffic from being NAT'd. The access-list 199 defines this pattern:
    !
    route-map nonat permit 10
    match ip address 199
    !
    ! Step 3
    ! -----------------------
    ! Finally, apply the route map "nonat" to the PAT config so the site-to-site traffic *will not* be NAT'd
    ! but all other traffic will
    ! 1st, get rid of the old ip nat overload command....
    no ip nat inside source list 10 interface FastEthernet4 overload
    ! now, in with the new.....
    ip nat inside source route-map nonat interface FastEthernet4 overload
     
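    An added example, not from the thread or from Eric's lessons: a small Python checker that parses the NAT, route-map and numbered access-list lines out of a running-config, flags the dangling reference that broke the first config in this thread (a route-map matching access-list 110 when only access-list 10 existed), and evaluates IOS inverse-mask ACLs to show which flows the Lesson 2 "nonat" route-map leaves untranslated. The two embedded configs are constructed from lines posted above; any other addresses used with it are made-up test values.

```python
import ipaddress

# Constructed sample 1: the Lesson 2 NAT section as it would sit in a running-config.
LESSON2_CONFIG = """\
access-list 10 permit any
access-list 199 deny ip 172.16.32.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 199 permit ip 172.16.32.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 199
ip nat inside source route-map nonat interface FastEthernet4 overload
"""

# Constructed sample 2: the NAT lines of the thread's first config (route-map -> undefined ACL 110).
BROKEN_CONFIG = """\
access-list 10 permit any
route-map nonat permit 10
 match ip address 110
ip nat inside source route-map nonat interface FastEthernet4 overload
"""

ANY = ("0.0.0.0", "255.255.255.255")   # how 'any' reads as base + inverse mask

def wildcard_match(addr, base, wildcard):
    """IOS inverse mask: a 1 bit in the wildcard means 'don't care' for that bit."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_addr(tokens):
    """Consume one address spec: 'any' or 'A.B.C.D WILDCARD' ('host X' is not handled here)."""
    first = tokens.pop(0)
    return ANY if first == "any" else (first, tokens.pop(0))

def parse_config(text):
    """Collect numbered ACLs, route-map ACL references and 'ip nat inside source' statements."""
    acls, route_maps, nat_refs, current_map = {}, {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] not in ("route-map", "match"):
            current_map = None                 # left route-map sub-mode
        if tok[0] == "access-list":
            number, action, rest = int(tok[1]), tok[2], tok[3:]
            if number < 100:                   # standard ACL: source only
                src, dst = parse_addr(rest), ANY
            else:                              # extended ACL: proto src dst (ports ignored)
                rest.pop(0)
                src, dst = parse_addr(rest), parse_addr(rest)
            acls.setdefault(number, []).append((action, src, dst))
        elif tok[0] == "route-map":
            current_map = tok[1]               # sequences of one map are pooled (enough here)
            route_maps.setdefault(current_map, [])
        elif tok[:3] == ["match", "ip", "address"] and current_map:
            route_maps[current_map].append(int(tok[3]))
        elif tok[:4] == ["ip", "nat", "inside", "source"]:
            nat_refs.append((tok[4], tok[5]))  # ("list", "10") or ("route-map", "nonat")
    return acls, route_maps, nat_refs

def dangling_references(acls, route_maps, nat_refs):
    """Findings for route-maps or ACLs that the NAT statement relies on but never get defined."""
    findings = []
    for kind, name in nat_refs:
        if kind == "route-map" and name not in route_maps:
            findings.append(f"ip nat references undefined route-map {name}")
        owner = "ip nat" if kind == "list" else f"route-map {name}"
        for number in ([int(name)] if kind == "list" else route_maps.get(name, [])):
            if number not in acls:
                findings.append(f"{owner} references undefined access-list {number}")
    return findings

def acl_action(entries, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def will_nat(acls, route_maps, nat_refs, src, dst):
    """True if the flow gets translated: the list, or an ACL behind the route-map, must permit it."""
    for kind, name in nat_refs:
        numbers = [int(name)] if kind == "list" else route_maps.get(name, [])
        return any(acl_action(acls.get(n, []), src, dst) == "permit" for n in numbers)
    return False
```

    Run it against a "show run" capture to confirm the site-to-site subnet is exempt from PAT before bringing the tunnel up; a dangling ACL number is reported rather than silently permitting or denying everything.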
  23. DocLarge

    DocLarge Super Moderator Staff Member Member

    Yay!! It works!! This will be in a sticky by this weekend!

    Jay
     
  24. arSouth

    arSouth LI Guru Member

    I just got my 871w last week, have been playing with it, and it's not letting me in from the outside with SSH or telnet.
    I set up an 877 at a company this week, and it's doing the same thing, not letting me in from the outside with SSH or telnet.

    Same DSL ISP. When I scan it with nmap, it says the ports are filtered.

    I have the firewall and IPS disabled.
    I can ping it, I can't get to it. Pissing me off.
    Set up for PPTP VPN, not working either.
    IPsec remote access with Cisco VPN client, still doesn't work.

    Do I have to create an access list to permit everything I want to come in?
    Running Advanced IP Services IOS.
     
  25. DocLarge

    DocLarge Super Moderator Staff Member Member

    ArSouth,

    I'm starting from scratch again because I've been away for two months in school and have forgotten my IOS commands again *sigh*

    How have you fared thus far with your 871w?

    Jay
     
  26. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Setting up SSH and Telnet Access to Cisco IOS Router

    Access lists will control traffic going *through* your 871W...not *to* it. That said, here's what you need:

    Step (1) Set up vty's for dialin telnet and ssh:
    --------------------------------------------
    Router(config)#line vty 0 4
    Router(config-line)#privilege level 15
    Router(config-line)#login local
    Router(config-line)#transport input telnet ssh

    Explanation: line interfaces vty 0 through 4 are the virtual terminal interfaces *to* your device. When you telnet to the 871W you are using these lines. The commands above will: 1) select the interfaces, then 2) allow users in a local database that you set up separately to SSH and telnet to your 871W.

    Step (2) Set up a user/password database:
    ------------------------------------------
    Router(config)#username testuser privilege 15 password W0n'tF0r5etTh15

    Step (3) Set an enable password
    ---------------------------------
    Finally, there's a security feature on all Cisco routers that requires that the enable password be set before you can telnet/ssh to the router....regardless of whether you've done all the above:

    Router(config)#enable secret 5up3r53cr3t

    Now you should be able to telnet to your router, but (and here's the kicker) *not* SSH to it. You now need to set up encryption keys.

    Step (4) Set up an RSA key pair:
    ---------------------------------
    [sidebar: 1st you have to setup a hostname and domain name since the keys are generated based on these values]

    Router(config)#hostname DoogiesRouter
    DoogiesRouter(config)#ip domain-name example.com

    ...then generate the keys:
    DoogiesRouter(config)#crypto key generate rsa

    ...the output will look something like this:
    <begin output>
    The name for the keys will be: DoogiesRouter.example.com
    Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
    How many bits in the modulus [512]: 768
    % Generating 768 bit RSA keys ...[OK]
    DoogiesRouter(config)#
    *Mar 1 00:17:13.337: %SSH-5-ENABLED: SSH 1.5 has been enabled
    DoogiesRouter(config)#
    <end output>

    Don't forget to save your configuration file.

    Additionally:
    ----------------
    This is the most rudimentary of configurations and doesn't create any policies as to who should be allowed to access your vty's. You might consider creating an access-list which restricts access to a specific range of *source* IP addresses, then apply it to the vty's (NOT the physical interfaces) to restrict access. The example below restricts access such that only the subnet 172.16.32.0/24 can access your vty's. (IOS routers use inverse masks).

    DoogiesRouter(config)#access-list 2 permit 172.16.32.0 0.0.0.255
    DoogiesRouter(config)#line vty 0 4
    DoogiesRouter(config-line)#access-class 2 in

    Hey Doc?! How about making this a sticky?

    /Eric
     
  27. DocLarge

    DocLarge Super Moderator Staff Member Member

    But of course, sir!

    jay
     
  28. DocLarge

    DocLarge Super Moderator Staff Member Member

    Lesson 1 - 871W Configured as an SPI Firewall

    Lesson 1 -- 871W Configured as SPI Firewall

    --------------------------------------------------------------------------------

    Note that this configuration will perform general inspection of TCP, UDP and ICMP traffic. It does NOT inspect FTP, SIP, IM, etc. That will be another "lesson", but suffice it to say this configuration will "break" these protocols from progressing properly across the firewall.
    ! ===================================================================================
    ! Lesson I -- How to turn your 871W into a Stateful Packet Inspection (SPI) Firewall!
    ! ===================================================================================
    !
    ! Step (1) configures CBAC to inspect TCP, UDP and ICMP traffic
    ip inspect name OUTBOUND tcp
    ip inspect name OUTBOUND udp
    ip inspect name OUTBOUND icmp
    !
    ! Step (2) permits inside-initiated traffic FROM the 172.16.32.0/24 network (ie: inside hosts)
    ! to any host on the outside
    ! Note: These are extended access lists, meaning that they are filtering on both source & destination
    ! addresses and (optionally) port numbers....
    access-list 101 permit ip 172.16.32.0 0.0.0.255 any
    access-list 101 deny ip any any
    !
    ! applies the ACL and inspection rule to the inside interface in an inward direction
    ! (remember "inward" direction is with respect to the interface). In effect, this
    ! will inspect all outbound traffic (from a security level perspective)
    ! Your (now) stateful packet inspection firewall will only allow packets in to your network
    ! that match up as "replies" to the traffic that was allowed out.
    !
    ! This is your Bridge Virtual Interface which comprises your WLAN and LAN interfaces:
    interface BVI1
    ip inspect OUTBOUND in
    ip access-group 101 in
    !
    !
    !
    !
    ! Now you have an SPI firewall. It will block all unsolicited inbound packets, while allowing
    ! you to browse the Internet from any inside host.
     