Hello Everyone,
I am brand new to Cisco routers. My experience has been with consumer, home-grade routers such as a Netgear RP614 that has been unreliable. The power constantly has to be reset to wake it up. We are replacing it with a Cisco 871.
We have a donated space and a donated ISP connection from a local church. On the Netgear, I simply specify the church's router as our internet gateway. They also allow us to use one of their external IPs. Below is our config. I've substituted a bogus IP for security. Please help. This is an ethernet-to-ethernet application.
----------------------
Building configuration...
Current configuration : 7760 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sh_router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
clock timezone EDT -4
ip subnet-zero
ip cef
!
!
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip domain name shepherdshope.local
ip name-server 192.168.1.110
ip name-server 66.255.85.9
ip name-server 199.72.1.1
ip name-server 207.59.1.1
ip name-server 66.255.85.88
!
appfw policy-name SDM_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail on
application http
strict-http action reset alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
!
crypto pki trustpoint TP-self-signed-2518869560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2518869560
revocation-check none
rsakeypair TP-self-signed-2518869560
!
!
crypto pki certificate chain TP-self-signed-2518869560
certificate self-signed 01
30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353138 38363935 3630301E 170D3036 30353131 31373532
31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35313838
36393536 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BB1E F86FFAD2 781C15AC BEF039E2 FAD84D12 92722411 F9C816C2 2350C54E
0A41B666 B4001C06 82F36055 2E9D5FC4 C9462AE6 2A777281 EF1B3133 6233544C
F5025FB3 F20901D9 1D0BD306 DD56CE51 9183D709 E7916A44 9E2F2653 093E17DD
D14209C1 A1A034DC 2987F14E EDB8AF2F 7996C794 81D638D2 2B1BB601 CF6F733A
73970203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
551D1104 1C301A82 1873685F 726F7574 65722E79 6F757264 6F6D6169 6E2E636F
6D301F06 03551D23 04183016 80142B21 A8D5C3D7 0AFD971B EED242CC 14CDF630
6E4D301D 0603551D 0E041604 142B21A8 D5C3D70A FD971BEE D242CC14 CDF6306E
4D300D06 092A8648 86F70D01 01040500 03818100 6975AAA6 065850BA D17F2309
9CDBC488 C2FFA0DB F3B55478 7F27E735 0582997E A0A5E49D C9A34619 4A7539AB
D02BD06B FB08F124 BD55F9C4 435A58B0 E74C9968 6DB4FF73 8EFDAB59 EC34799C
E9F55CA3 43FFA0EF 3F8896ED B5BC2742 4921079B 554759CE 5738C3F6 72C71DE8
F1A77F93 03995E30 B9A90316 F1A6C2F3 D9124AB5
quit
username shepherd privilege 15 secret 5 $1$Z5F5$ZwTI5QyHHy6w9cYVOWvuL0
username finance privilege 15 secret 5 $1$DoZ/$D6d6INGhnxnejeHod54yy0
!
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$
ip address 999.99.99.14 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
ip inspect SDM_HIGH out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.1.2 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip default-gateway 999.99.99.1
ip classless
ip route 0.0.0.0 0.0.0.0 999.99.99.1 permanent
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.110 21 999.99.99.14 21 extendable
ip nat inside source static tcp 192.168.1.110 25 999.99.99.14 25 extendable
ip nat inside source static tcp 192.168.1.110 80 999.99.99.14 80 extendable
ip nat inside source static tcp 192.168.1.110 443 999.99.99.14 443 extendable
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 216.48.57.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 999.99.99.14 eq 443
access-list 101 permit tcp any host 999.99.99.14 eq www
access-list 101 permit tcp any host 999.99.99.14 eq smtp
access-list 101 permit tcp any host 999.99.99.14 eq ftp
access-list 101 permit udp host 207.59.1.1 eq domain host 999.99.99.14
access-list 101 permit udp host 199.72.1.1 eq domain host 999.99.99.14
access-list 101 permit udp host 66.255.85.9 eq domain host 999.99.99.14
access-list 101 permit udp host 66.255.85.88 eq domain host 999.99.99.14
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 999.99.99.14 echo-reply
access-list 101 permit icmp any host 999.99.99.14 time-exceeded
access-list 101 permit icmp any host 999.99.99.14 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Shepherd's Hope, Inc
Authorized Persons Only
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
-------------------------
Bryan See
Shepherd's Hope, Inc.
finance@shepherdshope.org
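As an added example for this thread (not code from the original post and not a Cisco tool), here is a small Python script that reads a pasted IOS config like the one above and flags the settings a reviewer would raise first: telnet still allowed on the vty lines, cleartext HTTP enabled next to HTTPS, password-encryption switched off, FTP forwarded in from any source, and the "ip default-gateway" line that a router with IP routing on never consults. CONFIG_SAMPLE is a constructed excerpt mirroring the posted lines, bogus 999.99.99.x addresses included; the rule ids and the advice wording are this example's own.

```python
"""Audit an IOS running-config for weak management and edge settings.

Added example for this thread: not part of the original post and not a Cisco
tool. CONFIG_SAMPLE is a constructed excerpt mirroring the relevant lines of
the posted 871 config (bogus 999.99.99.x kept as posted); the rule ids and
advice strings are this example's own.
"""
import re
from collections import namedtuple

CONFIG_SAMPLE = """\
no service password-encryption
!
interface FastEthernet4
ip address 999.99.99.14 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
ip nat outside
!
ip default-gateway 999.99.99.1
ip route 0.0.0.0 0.0.0.0 999.99.99.1 permanent
ip http server
ip http secure-server
access-list 101 permit tcp any host 999.99.99.14 eq ftp
!
line vty 0 4
access-class 23 in
transport input telnet ssh
!
end
"""

# check: rule id; line_no: 1-based line in the config text; text: the command
Finding = namedtuple("Finding", "check line_no text advice")

# Commands that open a sub-mode block in 'show run' output.
BLOCK_START = re.compile(r"^(interface|line|router|control-plane)\b")

# (rule id, regex over one top-level command, advice)
TOP_RULES = [
    ("password-encryption-off", r"^no service password-encryption$",
     "enable 'service password-encryption'; a type-0 password added later would sit in the clear"),
    ("http-plain", r"^ip http server$",
     "cleartext HTTP management is on; 'no ip http server' and keep only 'ip http secure-server'"),
    ("ftp-exposed", r"^access-list \d+ permit tcp any host \S+ eq ftp$",
     "FTP (cleartext logins) is open to every Internet source; restrict the source or drop it"),
]

def parse(config):
    """Split into top-level commands and sub-mode blocks. Forum pastes lose the
    indentation 'show run' uses, so a block ends at '!', 'end' or the next header."""
    top, blocks, header, body = [], [], None, []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line in ("", "!", "end") or BLOCK_START.match(line):
            if header is not None:
                blocks.append((header, body))
            header, body = ((n, line) if BLOCK_START.match(line) else None), []
        elif header is not None:
            body.append((n, line))
        else:
            top.append((n, line))
    if header is not None:
        blocks.append((header, body))
    return top, blocks

def audit(config):
    top, blocks = parse(config)
    found = [Finding(check, n, line, advice) for n, line in top
             for check, pattern, advice in TOP_RULES if re.match(pattern, line)]

    # 'ip default-gateway' is only consulted when IP routing is disabled; with
    # routing on (the router default) the static default route does the work.
    top_cmds = [cmd for _, cmd in top]
    gw = [(n, cmd) for n, cmd in top if cmd.startswith("ip default-gateway")]
    if (gw and "no ip routing" not in top_cmds
            and any(cmd.startswith("ip route 0.0.0.0 0.0.0.0") for cmd in top_cmds)):
        found.append(Finding("default-gateway-ignored", *gw[0],
                             "ignored while IP routing is on; the static default route already covers this"))

    for (hn, header), body in blocks:
        cmds = [cmd for _, cmd in body]
        if header.startswith("line vty"):
            for n, line in body:
                if line.startswith("transport input") and "telnet" in line.split():
                    found.append(Finding("telnet-enabled", n, line,
                                         "telnet sends logins in the clear; use 'transport input ssh'"))
            if not any(c.startswith("access-class") for c in cmds):
                found.append(Finding("vty-unrestricted", hn, header,
                                     "no access-class; limit vty sources to the management subnet"))
        elif header.startswith("interface") and "ip nat outside" in cmds:
            # The Internet-facing interface should drop spoofed sources with uRPF.
            if "ip verify unicast reverse-path" not in cmds:
                found.append(Finding("outside-no-urpf", hn, header,
                                     "add 'ip verify unicast reverse-path' to drop spoofed sources"))
    return found

def checks_fired(config):
    """Sorted, de-duplicated rule ids for a config."""
    return sorted({f.check for f in audit(config)})

if __name__ == "__main__":
    for f in audit(CONFIG_SAMPLE):
        print(f"line {f.line_no:>3}  {f.check:<24} {f.text}\n      -> {f.advice}")
```

Run it as-is to see the findings for the sample, or paste your own "show run" output into CONFIG_SAMPLE; it only reads text and changes nothing on the router. Note that in the posted config both the vty lines and the HTTP server are already gated by access-list 23 (the 192.168.1.0/24 LAN), so the telnet and HTTP findings are about what is exposed inside the LAN, not from the Internet; the FTP forward to 192.168.1.110 is the one service this script flags that is reachable from any outside source.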