
replacing home cable router with 2610


csross

I'm replacing my home cable router with a 3620. I have nat working but I am unable to get to the net. Here is the config, any suggestions? I did see some misses on the nat translations.

Thanks

-----------------------------------------------------

Building configuration...

Current configuration : 1081 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 10router
!
boot system flash slot0:c3620-io3-mz.122-15.T12.bin
logging queue-limit 100
!
ip subnet-zero
!
!
ip name-server 192.246.69.2
ip name-server 192.246.69.173
ip name-server 66.88.81.177
ip dhcp excluded-address 10.1.1.1 10.1.1.100
ip dhcp excluded-address 10.1.1.254

ip dhcp pool 10network
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
domain-name pulver.com
dns-server 192.246.69.2 192.246.69.173 66.88.81.177
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
interface Ethernet0/0
ip address dhcp
ip nat outside
no ip route-cache
no ip mroute-cache
half-duplex
!
interface Ethernet0/1
ip address 10.1.1.1 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache

ip nat inside source list 1 interface Ethernet0/0 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
!
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Can you ping anything from the router right now? Are you sure the Ethernet0/0 is getting an IP address via DHCP? Have you power-cycled the system to see if you can force a DHCP address?

You can check the IP addresses assigned to each interface by using "router> show ip int br". If there is no address assigned to the Ethernet0/0 then it may be a problem with getting it from the DHCP server. When I had that problem I would power-cycle the entire system (turn off everything including the modem, then boot up in this order: modem, router, other network stuff). Make sure you wait until the modem is totally synced up before turning on the router. Then once it is up and you have a prompt, check it again and see if the Ethernet0/0 address has been assigned.

Another suggestion that I've found helps performance is to find out what your gateway is for the Ethernet0/0 and then using that gateway IP in your default route instead of Ethernet0/0. Example:

ip route 0.0.0.0 0.0.0.0 Ethernet0/0
changes to
ip route 0.0.0.0 0.0.0.0 x.x.x.x
where x.x.x.x is the gateway IP provided by your ISP. The only problem is that if your ISP ever reorganizes their IP scheme then you would need to change that default route. You can find out the gateway IP after you have obtained a DHCP address from the ISP. It should be listed under "show ip dhcp lease" or "show dhcp lease"; I can't remember the exact command, but that should set you on the right track.

Let me know if there is anything I can help with.

Burke
 
When I started the router up the next day, it worked fine and I was ok.

The only problem I'm having now is that I need to put in an access-list because this is going to be my work route. I only want allow sessions established on the inside to come in. I put the following

access-list 101 permit tcp any any established

and applied it to my inbound e0/0 interface. I was not able to get out on most connections (i.e. bringing Yahoo up worked but I couldn't click on anything and it was extremely slow). Also, I tried adding the same for "udp" but there wasn't an established parameter for that. Any suggestions, because I am new to this.

Thanks

 
As in the other post that you have up about the ACL, if you are NAT'd behind your router then that should provide you with basic security. It would be difficult for an attacker to get through the NAT and directly to your PC since what you are looking for is basically performed by NAT. The reason UDP doesn't have an "established" is because it is a connectionless protocol: each packet is its own entity and it is sent with a "best effort" kind of mentality. One of the most important services that uses UDP is DNS. DNS translates your URL to an IP address. That is probably why your system was going so slow. It had Yahoo's IP in cache already, but when you tried to go somewhere it was waiting for the IP of the site that would be provided through DNS.

For a basic anti-spoofing ACL inbound on Ethernet0/0 try this:

access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
access-list 101 permit ip any any

Let me know if this helps.

Burke

 
Thanks for the explanation. That would be applied to the inbound interface I assume.

I do want to allow ssh in and port-forward that to a unix box, and possibly pc-anywhere type of application. They will ssh to the address of the router and forward over to whichever machine. Do you think these acls will allow that?

thanks very much
 
Those ACLs shouldn't block the remote access methods you described. The ACLs above are very basic and only protect you from a spoofing attack. When setting up your port forwarding you'll have to add additional NAT statements. Forwarding the Ethernet0/0 port to the internal IP port. It will look like this:

ip nat inside source static tcp <unix ip address> 22 interface Ethernet0/0 22

It will be similar for PCAnywhere, but it looks like the ports required to be open will depend on the version of PCAnywhere. Here is a link I found that tells what ports for each version:


Also, as a security precaution I would recommend adding to the access-list above "access-list 101 deny tcp any any eq 23 log". That will disable telnet directly to the router from the outside. Then if you ever wanted to directly access the router you would have to SSH into your Unix box and then telnet to the LAN gateway IP, not the WAN. Or you could always set up SSH on the router; the 3600's can handle it. Sorry if I got carried away with the recommendations.. just experience talking.

Let me know if there is anything I can help with.

Burke
 
you have been very helpful. I'll get back to you when I test this out.

Thanks.
 

On another note, if your ISP starts using "option 60"
on DHCP, and your IOS isn't 12.2(12)T or later, you'll
stop getting an address from your ISP. I'm not sure if
'ip address dhcp' is in normal builds these days or not,
so that is why I mentioned the "T" build above.

Hope this is not the case. Your config looks good.
 
Thanks. I believe the IOS is c3620-io3-mz.122-15.T12. It's at home (easier to test there).

 
I followed the suggestions for the access list on the inbound e 0/0 interface (the one connected to the internet) and the interface could not get an address. Once I removed it, I got an address. This is the access list. I only want to allow traffic that is established on the inside to come back in (with one exception of ssh traffic that I will port forward). I know I can say permit tcp established, but what about udp established? I do not think I can say that.

Should I be putting this on the inbound interface connected to the internet or the other interfaces?

Extended IP access list 101
10 deny tcp any any eq ftp-data log
20 deny tcp any any eq ftp log
30 deny tcp any any eq telnet log
40 deny ip 192.168.0.0 0.0.255.255 any log
50 deny ip 10.0.0.0 0.255.255.255 any log (103 matches)
60 deny ip 172.16.0.0 0.15.255.255 any log
70 deny ip 224.0.0.0 31.255.255.255 any log
80 permit ip any any (6 matches)

** these lines were added to try make it work, it did nothing

90 permit udp any any
100 permit tcp any any

Thanks
 
I tried to test which lines were causing the router not to get an address. So I deleted the access list and just added the deny ip 192.168, and I got an address. Then I added the deny ip 172 and 224 lines and still got an address. When I added the deny 10 line, I didn't get an address and got a log message that 10.22.64.1(67) was denied. This router is directly connected to the cable modem. I don't know what that address is.

Any suggestions?
 
I can't explain it totally, so this is more or less an educated guess. Maybe someone else can shed some light...

From my observations it appears that when a cable modem initially connects to the ISP network it is given a temporary private address like a 192.168/16, 172.16/12, or 10/8. Then, usually moments later an actual public DHCP address is assigned to the modem. So in your case if you could not get the temporary 10.x.x.x address then it was not possible to get a public address from the DHCP server.

In regards to "I know I can say permit tcp established but what about udp established, I do not think I can say that".

There is no such thing as UDP established; it's an oxymoron. UDP is by definition connectionless, meaning that no sequence information is stored in the header of the packet. All the connection/reliability/sequencing is performed at the application level instead of the transport level. So as far as the router is concerned every UDP packet is its own entity without affiliations to other packets that have gone through.

Burke
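Both problems in this thread (the "permit tcp any any established" list starving DNS replies, and the "deny ip 10.0.0.0 0.255.255.255" line swallowing the DHCP offer from 10.22.64.1 port 67) are consequences of first-match ACL evaluation plus the fact that "established" only exists for TCP. The following is an added example, not code from this thread or from Cisco: a small Python model of how an IOS extended ACL is evaluated, run over constructed packets. The router's WAN address 203.0.113.5, the web server 198.51.100.20 and the scanner 198.51.100.99 are made-up documentation-range addresses; the DNS server 192.246.69.2 and the DHCP server 10.22.64.1 come from the thread. The extra line "45 permit udp any eq bootps any eq bootpc" is my own assumption about one way to let the DHCP exchange through ahead of the 10/8 deny, not something proposed in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port keywords IOS prints in "show access-lists"; enough for this example.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23,
              "domain": 53, "bootps": 67, "bootpc": 68, "www": 80}


@dataclass
class Packet:
    proto: str            # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST bit set -> counts as "established"


@dataclass
class Ace:
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp"
    src: Tuple[int, int]              # (address, wildcard) as integers
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    established: bool
    log: bool
    matches: int = 0                  # the "(N matches)" counter IOS shows


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _wild_match(addr_wild: Tuple[int, int], ip: int) -> bool:
    # Wildcard bits set to 1 are "don't care"; compare only the zero bits.
    addr, wild = addr_wild
    return (ip ^ addr) & (~wild & 0xFFFFFFFF) == 0


def parse_ace(line: str) -> Ace:
    """Parse one line in the form IOS uses, e.g. '50 deny ip 10.0.0.0 0.255.255.255 any log'."""
    toks = line.split()
    seq = int(toks.pop(0)) if toks[0].isdigit() else 0
    action, proto = toks.pop(0), toks.pop(0)

    def take_addr() -> Tuple[int, int]:
        t = toks.pop(0)
        if t == "any":
            return (0, 0xFFFFFFFF)
        if t == "host":
            return (_addr(toks.pop(0)), 0)
        return (_addr(t), _addr(toks.pop(0)))

    def take_port() -> Optional[int]:
        if toks and toks[0] == "eq":
            toks.pop(0)
            p = toks.pop(0)
            return PORT_NAMES.get(p, int(p) if p.isdigit() else None)
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return Ace(seq, action, proto, src, sport, dst, dport,
               "established" in toks, "log" in toks)


class Acl:
    def __init__(self, lines):
        # Stable sort keeps unnumbered entries in the order given.
        self.aces = sorted((parse_ace(l) for l in lines), key=lambda a: a.seq)

    def evaluate(self, pkt: Packet):
        """Return (action, seq) of the first matching entry; implicit deny otherwise."""
        s, d = _addr(pkt.src), _addr(pkt.dst)
        for ace in self.aces:
            if ace.proto != "ip" and ace.proto != pkt.proto:
                continue
            if not _wild_match(ace.src, s) or not _wild_match(ace.dst, d):
                continue
            if ace.sport is not None and ace.sport != pkt.sport:
                continue
            if ace.dport is not None and ace.dport != pkt.dport:
                continue
            # "established" matches only TCP segments carrying ACK or RST.
            if ace.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
                continue
            ace.matches += 1
            return ace.action, ace.seq
        return "deny", None   # every IOS ACL ends with an implicit deny


# The poster's first attempt and the access list 101 from the thread.
ESTABLISHED_ONLY = ["permit tcp any any established"]
ACL_101 = ["10 deny tcp any any eq ftp-data log", "20 deny tcp any any eq ftp log",
           "30 deny tcp any any eq telnet log",
           "40 deny ip 192.168.0.0 0.0.255.255 any log",
           "50 deny ip 10.0.0.0 0.255.255.255 any log",
           "60 deny ip 172.16.0.0 0.15.255.255 any log",
           "70 deny ip 224.0.0.0 31.255.255.255 any log", "80 permit ip any any"]
# Assumption (not from the thread): permit the DHCP server->client exchange before the 10/8 deny.
ACL_101_WITH_DHCP = ACL_101 + ["45 permit udp any eq bootps any eq bootpc"]

# Constructed inbound packets on Ethernet0/0 (WAN 203.0.113.5 is made up).
PACKETS = {
    "dhcp_offer": Packet("udp", "10.22.64.1", "255.255.255.255", 67, 68),
    "dns_reply": Packet("udp", "192.246.69.2", "203.0.113.5", 53, 40123),
    "http_synack": Packet("tcp", "198.51.100.20", "203.0.113.5", 80, 51000, ack_or_rst=True),
    "telnet_syn": Packet("tcp", "198.51.100.99", "203.0.113.5", 40000, 23),
    "spoofed_rfc1918": Packet("tcp", "192.168.1.5", "203.0.113.5", 1234, 22),
}


def demo():
    """Evaluate every constructed packet against the three lists; keyed 'packet@acl'."""
    results = {}
    for acl_name, lines in (("established_only", ESTABLISHED_ONLY),
                            ("acl_101", ACL_101), ("acl_101_dhcp", ACL_101_WITH_DHCP)):
        acl = Acl(lines)
        for pkt_name, pkt in PACKETS.items():
            results[f"{pkt_name}@{acl_name}"] = acl.evaluate(pkt)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:40} -> {v}")
```

Under the established-only list the web server's SYN/ACK is permitted but the DNS reply falls through to the implicit deny, which is the slow-browsing symptom described above; under access list 101 the DHCP offer hits sequence 50 (the "10.22.64.1(67) was denied" log message), while the RFC 1918 source and the inbound telnet SYN are stopped by sequences 40 and 30. With the lower-numbered sequence 45 added, the offer matches it before ever reaching 50.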
 