
Help with Cisco ADSL 837


UKmedia

Programmer
Nov 2, 2002
Hey guys,

I have a quick question.

We have some retail stores that we connect to our network via a secure VPN link. We use a Cisco 837 on a 2 Mb ADSL line VPN'ed into our head office. We had a Cisco guy come in to hook up our very first store for us, as we are not Cisco people. I know enough now to get our company by, but I don't really understand this config file that we load onto the routers.

Here it is:

enable
conf terminal
!
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-0 secrets below are stored in clear text; "service password-encryption"
! would at least obscure them in "show run"
no service password-encryption
!
hostname testrouter
!
enable secret 5 $1$p680$gF.TgDy2mtMR39fU2I3ck0
!
! Both local accounts are privilege 15 and their password is literally "password";
! if that is not a placeholder it must be changed before the router faces the Internet
username administrator privilege 15 password 0 password
username euronet privilege 15 password 0 password
no aaa new-model
ip subnet-zero
ip domain name chocolate.co.uk
ip dhcp excluded-address 192.168.16.1 192.168.16.50
! the original read 192.168.6.200, a typo for the .16 subnet
ip dhcp excluded-address 192.168.16.200 192.168.16.254
!
ip dhcp pool Kensignton
 ! the pool network must be the Ethernet0 subnet; the original listed 192.168.17.0,
 ! which does not contain default-router 192.168.16.254, so no leases would be issued
 network 192.168.16.0 255.255.255.0
 netbios-name-server 192.9.200.8
 default-router 192.168.16.254
 domain-name testrouter.chocolate.co.uk
 dns-server 192.9.200.8
!
! CBAC: stateful inspection of sessions leaving the LAN, so that their return
! traffic is let back in through the "protect" ACL on Dialer1
ip inspect audit-trail
ip inspect name fire tcp
ip inspect name fire udp
ip inspect name fire http
ip inspect name fire h323
ip inspect name fire sip
ip inspect name fire vdolive
ip inspect name fire tftp
ip inspect name fire smtp
ip inspect name fire sqlnet
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
! IKE phase 1
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Wildcard pre-shared key: any peer that knows "chocolate" can complete phase 1
! (the original listed this line twice)
crypto isakmp key 0 chocolate address 0.0.0.0
!
crypto ipsec transform-set chocolate esp-3des esp-md5-hmac
!
crypto map chocvpn 10 ipsec-isakmp
 ! 0.0.0.0 is the template placeholder; the head-office VPN gateway address goes here
 set peer 0.0.0.0
 set transform-set chocolate
 match address 101
!
interface Ethernet0
 no shut
 ip address 192.168.16.254 255.255.255.0
 ip nat inside
 ip inspect fire in
 hold-queue 100 out
!
interface ATM0
 no shut
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 no shut
 ip address negotiated
 ip access-group protect in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname retail@yourdomain.co.uk
 ppp chap password 0 XXXXXXXX
 crypto map chocvpn
!
ip nat inside source route-map nat interface Dialer1 overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
! HTTP and HTTPS management are both enabled and reachable from the LAN
ip http server
ip http secure-server
!
! Traffic to the head-office ranges is exempted from NAT so that it still matches crypto ACL 101
ip access-list extended nonat
 deny ip 192.168.16.0 0.0.0.255 192.9.200.0 0.0.0.255
 deny ip 192.168.16.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.16.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny ip 192.168.16.0 0.0.0.255 192.168.250.0 0.0.0.255
 permit ip 192.168.16.0 0.0.0.255 any
!
! Applied inbound on Dialer1, the Internet side. The first five lines admit these TCP
! ports from any source, but there is no "ip nat inside source static" entry anywhere
! in this config, so the only thing that can receive them is the router's own public
! address; port 22 therefore exposes the router's SSH login (the local accounts above)
! to the whole Internet
ip access-list extended protect
 permit tcp any any eq 22
 permit tcp any any eq 25
 permit tcp any any eq 2525
 permit tcp any any eq 8443
 permit tcp any any eq 8080
 ! IKE and ESP, accepted from the two head-office gateways only
 permit esp host 62.49.215.19 any
 permit udp host 62.49.215.19 any eq isakmp
 permit udp host 62.49.215.19 any eq non500-isakmp
 permit esp host 194.159.181.66 any
 permit udp host 194.159.181.66 any eq isakmp
 permit udp host 194.159.181.66 any eq non500-isakmp
 ! traffic arriving through the tunnel is checked against this ACL after decryption,
 ! hence the private source ranges
 permit ip 192.9.200.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 ! redundant: every IOS ACL ends with an implicit deny
 deny ip any any
!
! Crypto ACL: what gets encrypted towards the head-office peer
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.9.200.0 0.0.0.255
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.10.0 0.0.0.255
! this line covers all of 192.168.0.0/16, but "nonat" only exempts .10, .200 and .250;
! other 192.168.x.0 destinations are NATed first and so never match it
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
route-map nat permit 10
 match ip address nonat
!
line con 0
 login local
 no modem enable
line aux 0
! telnet is still accepted on the VTYs, so the clear-text passwords above cross the wire
line vty 0 4
 login local
 transport input telnet ssh




Now we need to open ports 25, 2525, 8080 and 8443. I think from the above I have opened them, but how can I check this? Is there a Cisco tool that I can use to test open/closed ports?

Cheers for any help.

UKmedia productions
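As an added example (not code from the thread, from Cisco or from the poster), the following Python script reads a config in the format posted above and reports, for each port the inbound ACL on Dialer1 admits, which sources may send it and whether an `ip nat inside source static` line forwards it to a LAN host. The embedded SAMPLE_CONFIG is a constructed excerpt of the config above; the address 192.168.16.10 used in the closing demonstration is an assumed inside host, not one from the thread.

```python
"""Audit an IOS outside ACL against static NAT (added example, not from the thread).

For every TCP/UDP port the named ACL admits, report who may send it and whether an
"ip nat inside source static" line forwards it to a LAN host; without one the port
can only reach the router's own address."""

# Constructed excerpt of the posted config: the ACL applied "in" on Dialer1 plus the
# single (overload) NAT statement; there is no static port forward in the original.
SAMPLE_CONFIG = """\
ip nat inside source route-map nat interface Dialer1 overload
!
ip access-list extended protect
 permit tcp any any eq 22
 permit tcp any any eq 25
 permit tcp any any eq 2525
 permit tcp any any eq 8443
 permit tcp any any eq 8080
 permit esp host 62.49.215.19 any
 permit udp host 62.49.215.19 any eq isakmp
 permit udp host 62.49.215.19 any eq non500-isakmp
 permit ip 192.9.200.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 deny ip any any
!
"""


def _take_addr(tok):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return "host " + tok[1], tok[2:]
    return tok[0] + " " + tok[1], tok[2:]


def _take_port(tok):
    """Consume an optional 'eq PORT' qualifier."""
    return (tok[1], tok[2:]) if tok[:1] == ["eq"] else (None, tok)


def parse_acl(text, name):
    """Return the entries of a named extended ACL, in order, as dicts."""
    entries, inside = [], False
    for line in text.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
            continue
        if not (inside and line.startswith(" ")):
            inside = False            # any unindented line ends the ACL block
            continue
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                  # e.g. a "remark" line
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, tok = _take_addr(tok)
        sport, tok = _take_port(tok)
        dst, tok = _take_addr(tok)
        dport, _ = _take_port(tok)
        entries.append(dict(action=action, proto=proto, src=src, sport=sport,
                            dst=dst, dport=dport))
    return entries


def parse_static_nat(text):
    """Map (proto, outside_port) -> (inside_ip, inside_port) for static port forwards."""
    forwards = {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:5] != ["ip", "nat", "inside", "source", "static"] or len(tok) < 10:
            continue
        if tok[5] not in ("tcp", "udp"):
            continue                  # plain one-to-one static NAT carries no port
        forwards[(tok[5], tok[-1])] = (tok[6], tok[7])   # outside port is the last token
    return forwards


def audit_ports(text, acl_name="protect"):
    """For each port the ACL admits: permitted source, and the LAN host it lands on (or None)."""
    forwards = parse_static_nat(text)
    report = {}
    for e in parse_acl(text, acl_name):
        if e["action"] == "permit" and e["proto"] in ("tcp", "udp") and e["dport"]:
            key = (e["proto"], e["dport"])
            report[key] = {"src": e["src"], "world_open": e["src"] == "any",
                           "forward": forwards.get(key)}
    return report


def redundant_final_deny(text, acl_name="protect"):
    """True if the ACL ends in an explicit 'deny ip any any'; IOS already implies one."""
    entries = parse_acl(text, acl_name)
    e = entries[-1] if entries else None
    return bool(e and e["action"] == "deny" and e["proto"] == "ip"
                and e["src"] == "any" and e["dst"] == "any")


if __name__ == "__main__":
    for (proto, port), info in audit_ports(SAMPLE_CONFIG).items():
        lands = "%s:%s" % info["forward"] if info["forward"] else "router itself (no static NAT)"
        print("%s/%-13s from %-18s -> %s" % (proto, port, info["src"], lands))
    if redundant_final_deny(SAMPLE_CONFIG):
        print("trailing 'deny ip any any' is redundant: IOS ends every ACL with an implicit deny")
    # Assumed fix for one port; 192.168.16.10 is a hypothetical inside mail host, not from the thread.
    fixed = SAMPLE_CONFIG + "ip nat inside source static tcp 192.168.16.10 25 interface Dialer1 25\n"
    print("tcp/25 after adding a static NAT ->", audit_ports(fixed)[("tcp", "25")]["forward"])
```

Run against the excerpt, it reports every one of the five TCP ports as admitted from any source but forwarded nowhere, so an external connection to them reaches the router's own address rather than a store server; the IKE ports show up restricted to the one head-office gateway, which is the shape the mail and web ports would need as well.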
 
The best way of checking if a port is open is either to telnet to it (telnet a.b.c.d 25) or to download a port scanner (from Google) and run it against the router,

where a.b.c.d is one of your internal host IP addresses that is running port 25.
 
UKmedia...

If you have access to a server running NMAP that is located outside of your network, that is ideal.


A couple of suggestions on your access-list "protect":

- the "deny ip any any" statement at the end is redundant; with Cisco there is always an implicit deny any at the end of every ACL.

- you might want to tighten up your source/destination IP range(s). For example, do you have ports 25, 2525, 8080 and 8443 running on all hosts in your LAN? Do you want to allow any and all source hosts to be able to make connections on those ports?
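Both replies above come down to a TCP connect test run from outside the ADSL line. As an added example (not from the thread), here is that test in Python: it distinguishes a completed handshake from a refusal and from a timeout, which is the distinction needed to tell "the ACL admitted it but nothing listens" from "the ACL dropped it". The loopback listener in demo() is constructed so the script can show both outcomes offline; the real check is `python3 portcheck.py <router-public-address>` run from a host outside the network (the file name is an assumption).

```python
"""TCP connect check for the ports the post wants opened (added example, not from the thread).

A completed handshake, a refusal and a timeout are three different answers, and the
last two are what separate "the ACL let it through" from "the ACL dropped it".
"""
import socket
import sys
import threading

PORTS_TO_VERIFY = (22, 25, 2525, 8080, 8443)   # the ports named in the post


def probe(host, port, timeout=3.0):
    """Classify one TCP port on host.

    open        - handshake completed: the ACL admitted the SYN and a listener answered
    closed      - RST came back: the SYN reached a host (the router's own address, if no
                  static NAT forwards the port) and nothing listens; an ACL drop never
                  produces this
    filtered    - no answer within the timeout: the usual signature of an ACL/firewall drop
    unreachable - an ICMP unreachable or a local routing error; IOS answers denied packets
                  with ICMP "administratively prohibited" unless "no ip unreachables" is
                  set, so a denied port may land here instead of under filtered
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def scan(host, ports=PORTS_TO_VERIFY, timeout=3.0):
    """Probe each port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def _loopback_listener():
    """Start a throwaway listener on 127.0.0.1 (constructed, so the demo runs offline)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass                      # server socket closed: stop

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Show 'open' against a real listener and 'closed' against a port nobody holds."""
    srv, open_port = _loopback_listener()
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))       # let the kernel pick a free port ...
    closed_port = spare.getsockname()[1]
    spare.close()                      # ... then release it so nothing listens there
    result = {"listening": probe("127.0.0.1", open_port, 1.0),
              "nothing": probe("127.0.0.1", closed_port, 1.0)}
    srv.close()
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:             # e.g. the router's public address, from outside
        for port, state in scan(sys.argv[1]).items():
            print("%5d  %s" % (port, state))
    else:
        print(demo())
```

Read the result against the config: on the router in the post, a scan of its public address from outside should show 22 as open (the router's own SSH) and 25, 2525, 8080 and 8443 as closed, because the ACL admits them but nothing forwards them; once a static NAT sends a port to a LAN host that is actually listening, it flips to open, and a port the ACL does not list stays filtered or unreachable.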
 