
Help on 1605R configure for cable 1


Hungster
For some reason, I can't get out to the Internet using the 1605R on IOS 122-12a.

Could anyone give me some hints please?
I managed to get an external IP using DHCP.

interface Ethernet0
description internet interface
ip address dhcp
ip access-group 101 in
ip nat outside

access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any eq telnet any

I can't ping out.
Thanks
 
Post the rest of your config and we can help a little more.
Also, tell us what you are connecting to on the WAN (Internet) side.
There's a little missing in the NAT config and I can't see
if you have any default routes to the Internet.

One thing about your access-list 101... there is a given blanket deny statement on the bottom of the list if you don't state otherwise.

That alone might help.
 
Sorry,

Here is my complete config:

!
version 12.2
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cr234567-a
!
logging buffered 4096 debugging
enable password 7 123421303E5359567A
!
ip subnet-zero
no ip domain-lookup
ip name-server 24.153.22.67
ip name-server 24.153.22.195
!
ip dhcp-client network-discovery informs 2 discovers 2 period 4
!
!
!
interface Ethernet0
description internet interface
ip address dhcp
ip access-group 101 in
ip nat outside
!
interface Ethernet1
description connected to EthernetLAN
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 24.43.98.1
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 98 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any eq telnet any
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
exec-timeout 0 0
password 7 153F2F2B28727E7678
logging synchronous
login
line vty 0 4
access-class 98 in
password 7 03297F2C2A57741E1E
logging synchronous
login
!
end

I did cycle the modem in order to get an external IP through DHCP. When I did a sh int e0, the IP shows up, but trying to ping an external IP just won't work.

Thanks for your help
 
If I have it right:

inbound IP traffic is filtered by ACL101:
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any eq telnet any

This blocks EVERYTHING except what you have listed, which is

bootp, bootps, and telnet... everything else is blocked by default, which includes HTTP, DNS and other useful traffic.

On the LAN side, you have as inbound IP any any which is fine to start.

To troubleshoot this, dump the ACL on the outside interface and I personally would dump the inside for now also.. just for troubleshooting. Once you get the connection working, you can start adding ACLs back into the mix. At least then you know where to troubleshoot any problem.

MikeS
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Oh ok MikeS,
I will try that first and update you when I have this going.

Thanks
 
Mike,

What should I deny or block as common hacking ports for cable? As you know, cable ISPs are the most hackable.
 
It's not really a question of denying with an ACL.. it's possible, but a better bet is to get the firewall IOS code. That way you can *inspect* traffic and deny things like SYN attacks and the like.

A basic list would look something like this..

Extended IP access list 107
deny ip 211.0.0.0 0.255.255.255 any log
deny ip 210.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 0.255.255.255 any log
deny ip 192.168.50.0 0.0.0.255 any log
deny icmp any any echo log
deny tcp any any eq finger
permit udp any any eq syslog
permit tcp host 192.168.1.10 any log
permit ip any any

It's a bit messy but let's walk through it.. the first several entries are denying WHOLE IP blocks from places like Korea since a lot of spam and hack attempts have been tracked from there. The deny icmp is a way to trash the ping but not send back a notice that you did trash it. Syslog is permitted, as is a specific host for tracking. The last line enables any IP protocol.

I also run a real firewall.. I don't use the router as the firewall except as a *last resort* type of firewall.

There is a lot more to it than just this.. I'm thinking maybe a new FAQ on access lists?

MikeS
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Yes Mike,

On my personal one, my 1605R has enough memory to load the firewall IOS on, but this router only has 4MB of memory, so I can't really load the firewall on it.

Thanks for all the info on those listed IPs.
 
I should add that the listings of 10.x.x.x and 172.16.x.x will block any packets that are set with a source of a *private IP*.. they should not be on the Internet anyway and I sure don't want them coming into my network. The 127 is the loopback IP; the 192.168.50.0 block is to prevent packets arriving TO the router's outside port looking like they were gen'ed by my LAN.

I really do need to put a FAQ up on this.. in my spare time ;)

MikeS
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
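To make the two ACL points in this thread concrete (the implicit deny at the end of ACL 101 that drops DNS and ping replies, and the anti-spoofing entries in MikeS's list 107), here is a small evaluator of Cisco-style extended ACEs. It is an added example, not code from the thread or from IOS; the packet dictionaries are constructed, and the 24.43.98.50 host address is a made-up address behind the gateway in the posted config.

```python
import ipaddress

PORTS = {"bootpc": 68, "bootps": 67, "telnet": 23, "finger": 79, "syslog": 514}
def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> (network, wildcard) ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    net = int(ipaddress.ip_address(tok.pop(0) if t == "host" else t))
    return net, 0 if t == "host" else int(ipaddress.ip_address(tok.pop(0)))

def _port(tok):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if not tok or tok[0] != "eq":
        return None
    p = tok.pop(1); tok.pop(0)  # drop the port word and the 'eq' keyword
    return PORTS.get(p) or int(p)

def parse_ace(line):
    """Parse one extended ACE, with or without the 'access-list N' prefix."""
    tok = line.split()
    tok = tok[2:] if tok[0] == "access-list" else tok
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, sport, dst, dport = _addr(tok), _port(tok), _addr(tok), _port(tok)
    itype = tok[0] if proto == "icmp" and tok and tok[0] != "log" else None  # e.g. 'echo'
    return action, proto, src, sport, dst, dport, itype

def _match(pkt, ace):
    _, proto, src, sport, dst, dport, itype = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    for (net, wc), key in ((src, "src"), (dst, "dst")):  # wildcard bits are don't-care
        if (int(ipaddress.ip_address(pkt[key])) | wc) != (net | wc):
            return False
    return all(want is None or pkt.get(key) == want
               for want, key in ((sport, "sport"), (dport, "dport"), (itype, "type")))

def evaluate(acl, pkt):
    """First matching ACE wins; anything unmatched hits the implicit 'deny ip any any'."""
    return next((ace[0] for ace in acl if _match(pkt, ace)), "deny")
# ACL 101 exactly as posted; ACL 107 is a subset of MikeS's anti-spoofing list
ACL_101 = [parse_ace(l) for l in (
    "permit udp any any eq bootpc", "permit udp any any eq bootps",
    "permit tcp any any eq telnet", "permit tcp any eq telnet any")]
ACL_107 = [parse_ace(l) for l in (
    "deny ip 10.0.0.0 0.255.255.255 any log", "deny ip 192.168.50.0 0.0.0.255 any log",
    "deny icmp any any echo log", "deny tcp any any eq finger",
    "permit udp any any eq syslog", "permit tcp host 192.168.1.10 any log", "permit ip any any")]

# Constructed packets as they would arrive inbound on Ethernet0 (addresses are made up)
DNS_REPLY = {"proto": "udp", "src": "24.153.22.67", "sport": 53, "dst": "24.43.98.50", "dport": 1025}
PING_REPLY = {"proto": "icmp", "src": "198.51.100.7", "dst": "24.43.98.50", "type": "echo-reply"}
SPOOFED_SYN = {"proto": "tcp", "src": "10.9.8.7", "sport": 40000, "dst": "24.43.98.50", "dport": 80}
```

Running evaluate(ACL_101, DNS_REPLY) and evaluate(ACL_101, PING_REPLY) both return "deny", which is exactly why the original poster could resolve nothing and could not ping out, while ACL 107 drops the spoofed 10.x source and inbound echo requests but lets the DNS and ping replies through.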
 
Hi Mike,

What is "permit tcp host 192.168.1.10 any log" for?

 
I have a public terminal server sitting there at dot 10 and I log all activity to and from it. The permit is not needed for the function, but with it and logging it gives me a cheap way to watch the traffic :)

MikeS
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 