Cisco 801 simple questions on simple setup 1

DanielUK

IS-IT--Management
Jul 22, 2003
343
GB
Hi, wondering if anyone can give me a couple of pointers? I have complete brain fade today so apologise if these questions are blindingly obvious! [ponder]

I have installed a Cisco 801 ISDN router onto our Win2k server (Dell) which services a handful of win2k Professional clients. It's physically connected to the com port (using the blue cable) as for some reason it couldn't detect it just by plugging into the 3com OfficeConnect hub we have. Anyway....

I've used FastStep installed on the server to find the router and successfully dial up to our ISP, so far so good. It's the next bit that's confusing me.

Under "LAN Address and Mask" I'm ok with the subnet mask (255.255.255.0) and the fact I want to leave the server to take care of DHCP. But, I'm not sure of the "IP Address for your LAN connection". Is it the IP for the router, the server or LAN itself? Either option is confusing me as when I look at the scope properties in DHCP on the server, the IP range is 192.168.0.2 - 192.168.0.15, the server is fixed at 192.168.0.13 and the scope is down as 192.168.0.0. Which IP am I meant to stick in and where am I meant to find it?

Lastly, once I do get the addressing configured, what is the basic process to change the clients from dialling using their internal modem to using the router?

Thanks in advance for any pointers. As you can see I don't do an awful lot of network administration!!

Dan
 
Thanks Lui, I'll check that out later today. The more concerning thing is the open ports when using the router even though they are closed off according to my server (see my last two messages).

Thanks

Dan
 
OK, can anyone help me with this, I'm putting the "non-disconnecting" ISDN problem to the side until I get this firewall thing sorted first! I have managed to do some reading up on the IOS and I tried to stop outside access coming in to Port 23 following the examples in the documentation but Port 23 is still deemed open after a probe by GRC.com. Here's what I did.

1. Telnet to router
2. type enable to become privileged EXEC mode
3. type configure to go into Global configuration
4. using example in documentation, type:
access-list 100 deny tcp 192.168.0.1 0.0.0.0 eq 23
5. type interface BRI1 to enter interface config mode
6. type ip access-group 100 in to activate access list 100

Am I doing the right thing here? Ultimately I want to block off the open port 23 and port 80 so that they're closed.

On that note, I've been reading that I should be creating an access list that denies everything and permits only certain ports. Basically I want the clients to be able to browse the net and also receive their email into Outlook Express - anyone have such an access list they could show me?

Thanks once again, as you can see I'm having difficulty grasping this![dazed]

Dan
 
R1
hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 deny tcp any any eq 23
access-list 102 permit ip any any


Try This
 
Thanks Routerkid1, where does that actually go? Looking at my running config I've got this set of lines already:

!
map-class dialer DialClass
access-list 18 permit 192.168.0.0 0.0.0.255
access-list 121 deny udp any eq netbios-dgm any
access-list 121 deny udp any eq netbios-ns any
access-list 121 deny udp any eq netbios-ss any
access-list 121 deny tcp any eq 137 any
access-list 121 deny tcp any eq 138 any
access-list 121 deny tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
dialer-list 1 protocol ip permit
!


Can I plonk access-list 121 deny tcp any any eq 23 in there and restart the router?

Thanks again,

Dan
 
The router tests addresses against the conditions in the ACL one at a time. The first match determines whether the Cisco IOS software accepts or rejects the address. Because the Cisco IOS software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the address, due to an implicit deny all clause. That looks fine; you just want to add it as close as possible to the source.
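
An added example, not part of the original thread: a small Python model of the first-match rule described above, run over the access-list 121 lines from the posted running config. It shows that a `deny tcp any any eq 23` line added to the end of the list (where IOS puts a new line typed for an existing numbered list) is never reached, while the same line placed before `permit ip any any` is. Assumptions: the time range named TIME is active unless stated, the source port 40000 is constructed, and the parser covers only the syntax that appears in this list.

```python
# Added example: first-match evaluation of a numbered extended ACL.
# Handles only the syntax used by access-list 121 in this thread:
# "any" addresses, optional "eq <port>", optional "time-range <name>".
PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

ACL_121 = [  # copied from the running config posted in the thread
    "access-list 121 deny udp any eq netbios-dgm any",
    "access-list 121 deny udp any eq netbios-ns any",
    "access-list 121 deny udp any eq netbios-ss any",
    "access-list 121 deny tcp any eq 137 any",
    "access-list 121 deny tcp any eq 138 any",
    "access-list 121 deny tcp any eq 139 any",
    "access-list 121 permit ip any any time-range TIME",
]
DENY_TELNET = "access-list 121 deny tcp any any eq 23"
APPENDED = ACL_121 + [DENY_TELNET]                     # new line lands last
REORDERED = ACL_121[:-1] + [DENY_TELNET, ACL_121[-1]]  # deny before permit

def parse(line):
    t = line.split()[2:]                 # drop "access-list <number>"
    entry = {"action": t[0], "proto": t[1], "sport": None, "dport": None,
             "timed": "time-range" in t}
    i = 2
    for side in ("sport", "dport"):      # source spec, then destination spec
        if t[i] != "any":
            raise ValueError("only 'any' addresses are supported here")
        i += 1
        if i < len(t) and t[i] == "eq":
            entry[side] = PORTS.get(t[i + 1]) or int(t[i + 1])
            i += 2
    return entry

def evaluate(acl_lines, proto, sport, dport, time_range_active=True):
    """Return (action, matching line); the first matching entry wins."""
    for line in acl_lines:
        e = parse(line)
        if e["timed"] and not time_range_active:
            continue                     # entry is inactive outside its time range
        if e["proto"] not in ("ip", proto):
            continue
        if e["sport"] not in (None, sport) or e["dport"] not in (None, dport):
            continue
        return e["action"], line
    return "deny", "(implicit deny all)"

if __name__ == "__main__":
    for name, acl in (("appended", APPENDED), ("reordered", REORDERED)):
        print(name, evaluate(acl, "tcp", 40000, 23))  # 40000: constructed port
    print("time-range inactive", evaluate(ACL_121, "tcp", 40000, 23, False))
```

The third call shows the implicit deny: with the time range inactive, no entry in the original list matches the Telnet packet, so it is dropped.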
 