
Sunday, February 9, 2014

How can we solve the issues with Config on 871?


Basically, we would like to use an 871 as a bandwidth limiter.

We use an ISP modem-router with a 192.168.2.0/24 network and would like to feed the 50 Mbps Internet bandwidth into one port of the 871 and give it out on one of the FE ports at speed 10 with a 192.168.0.0/24 network. Furthermore, we have installed an access point on that port and don't want those users to have access to the 192.168.2.0 network. Below is the current config:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool MyDhcp
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.168.2.1
!
!
!
!
!
!
interface FastEthernet0
switchport access vlan 10
ip dhcp client hostname MyDhcp
speed 10
no cdp enable
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.0.1 255.255.255.0
!
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end


Here's the sh ip route:
Gateway of last resort is 192.168.2.1 to network 0.0.0.0


C    192.168.0.0/24 is directly connected, Vlan10
C    192.168.2.0/24 is directly connected, FastEthernet4
S*   0.0.0.0/0 [1/0] via 192.168.2.1


We are able to ping both google.ca and the PC (192.168.0.2) from the router, but from the PC we can ping 192.168.0.1 but not 192.168.2.1.

Try it with NAT.

access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload

interface vlan10
ip nat inside

interface FastEthernet4
ip nat outside
no switchport

Since you have 2 different subnets and a router, the LAN side needs to be translated to the WAN side. You can make the network very secure by changing the access list to an extended list. 1-99 is for standard, 100 and over for extended access lists. Below is an example; you can control which ports are open or closed.


ip access-list extended INTERNET
remark block inbound VoIP/conferencing signalling (SIP, MGCP, H.323, NetMeeting, Skinny) and log hits
deny tcp any any eq 5060 log
deny udp any any eq 5060 log
deny udp any any eq 2427 log
deny tcp any any eq 2428 log
deny tcp any any range 1718 1720 log
deny tcp any any eq 1731 log
deny tcp any any eq 2000 log
remark block inbound remote administration and file transfer
deny tcp any any eq 3389
deny tcp any any eq 23
deny tcp any any eq ftp
deny tcp any any eq ftp-data
deny tcp any any eq 22
remark anything not matched here is dropped by the implicit deny at the end of the list
permit tcp any any eq www




ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL pptp
ip inspect name FIREWALL sip
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL netshow
ip inspect name FIREWALL sqlnet
ip inspect name FIREWALL tftp
ip inspect name FIREWALL skinny
ip inspect name FIREWALL ntp
ip inspect name FIREWALL dns


interface FastEthernet4
ip nat outside
no switchport
ip access-group INTERNET in
ip inspect FIREWALL out
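To check what that inbound ACL actually lets through before committing it to the router, here is a small evaluator for the IOS ACE syntax used above (an added example, not code from the original post or from Cisco). It assumes contiguous wildcard masks and only the port keywords seen in this ACL, and it makes one thing visible that the list alone does not: without `ip inspect` opening return holes, even a DNS reply to an inside client lands on the implicit deny.

```python
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "domain": 53}  # IOS keywords used here

def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care (contiguous masks assumed)
    mask = ~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF
    return ipaddress.ip_network((tok[0], str(ipaddress.ip_address(mask))), strict=False), tok[2:]

def _ports(tok):
    """Consume an optional 'eq P' or 'range LO HI' qualifier; default matches every port."""
    if tok and tok[0] == "eq":
        p = int(PORT_NAMES.get(tok[1], tok[1]))
        return (p, p), tok[2:]
    if tok and tok[0] == "range":
        return (int(PORT_NAMES.get(tok[1], tok[1])), int(PORT_NAMES.get(tok[2], tok[2]))), tok[3:]
    return (0, 65535), tok

def parse_ace(line):
    tok = line.split()                 # action proto src [ports] dst [ports] [log ...]
    src, rest = _addr(tok[2:])
    sp, rest = _ports(rest)
    dst, rest = _addr(rest)
    dp, _ = _ports(rest)               # trailing keywords such as 'log' are ignored
    return tok[0], tok[1], src, sp, dst, dp

def evaluate(acl, proto, src, sport, dst, dport):
    """First-match evaluation, ending in the implicit 'deny ip any any' every IOS ACL has."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("remark"):
            continue
        action, p, snet, sp, dnet, dp = parse_ace(line)
        if (p in (proto, "ip") and s in snet and d in dnet
                and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]):
            return action, line
    return "deny", "implicit deny ip any any"

INTERNET = """deny tcp any any eq 5060 log
deny udp any any eq 5060 log
deny tcp any any range 1718 1720 log
deny tcp any any eq 22
deny tcp any any eq ftp
permit tcp any any eq www"""  # abridged copy of the inbound ACL from the answer above
```

Run `evaluate(INTERNET, "udp", "192.168.2.1", 53, "192.168.2.50", 50000)` to see the DNS-reply case hit the implicit deny; that is the traffic the `ip inspect FIREWALL out` line exists to let back in.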


Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.
