Cisco 1921 router configuration

Thread starter: Kei
Having some fun setting up my new 1921 router. Currently, I've managed to get it up and running so that the DHCP server works and basic NAT for internet access works.

The configuration is as follows:

Code:
Cisco-1921#show startup-config
Using 3630 out of 262136 bytes
!
! Last configuration change at 22:41:23 UTC Sat Nov 8 2014
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco-1921
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
enable secret 5 .
enable password 7 
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.50 192.168.0.51
!
ip dhcp pool main_dhcp_pool
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1 
 dns-server 194.72.0.114 213.120.234.46 8.8.8.8 
!
ip dhcp pool Kei-PC
 host 192.168.0.2 255.255.255.0
 client-identifier 01bc.ee7b.98e8.1e
 client-name Kei-PC
!
ip dhcp pool Humax
 host 192.168.0.4 255.255.255.0
 client-identifier 01dc.d321.8169.a2
 client-name Humax
!
ip dhcp pool Kei-NAS
 host 192.168.0.3 255.255.255.0
 hardware-address 0024.1d7d.1ef9
 client-name Kei-NAS
!
!
!
ip domain name WesNet
ip name-server 8.8.8.8
ip name-server 194.72.0.114
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1810C0V2
!
!
!
!         
!         
!         
!         
!         
interface Embedded-Service-Engine0/0
 no ip address
 shutdown 
!         
interface GigabitEthernet0/0
 no ip address
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!         
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1350
 duplex auto
 speed auto
 no mop enabled
!         
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname [email protected]
 ppp chap password 7 1415060303092F23312A1337361115190205545856571A0D0C15
 ppp pap sent-username [email protected] password 7 0111120C54060307344E6E0B0D07051D0A08062B252066303A2F
!         
ip forward-protocol nd
!         
ip http server
no ip http secure-server
!         
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 GigabitEthernet0/1
!         
access-list 1 remark INTERNET-ACCESS
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 255.0.0.0 0.255.255.255 any
access-list 101 deny   ip 248.0.0.0 7.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   udp any any range 33400 34400
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any established
access-list 101 permit udp any any
!         
!         
snmp-server community WesNet RO
snmp-server enable traps entity-sensor threshold
!         
control-plane
!         
!         
!         
line con 0
line aux 0
line 2    
 no activation-character
 no exec  
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 
 login    
 transport input all
!         
scheduler allocate 20000 1000
!         
end

Access List is configured like so:
Code:
Standard IP access list 1
    10 permit 192.168.0.0, wildcard bits 0.0.0.255 (44947 matches)
Extended IP access list 101
    10 deny ip 192.168.0.0 0.0.255.255 any
    20 deny ip 172.16.0.0 0.15.255.255 any
    30 deny ip 10.0.0.0 0.255.255.255 any
    40 deny ip 127.0.0.0 0.255.255.255 any
    50 deny ip 255.0.0.0 0.255.255.255 any
    60 deny ip 248.0.0.0 7.255.255.255 any
    70 deny ip host 0.0.0.0 any (766 matches)
    80 deny ip host 255.255.255.255 any
    90 deny udp any any range 33400 34400 (581 matches)
    100 permit icmp any any net-unreachable
    110 permit icmp any any host-unreachable (1 match)
    120 permit icmp any any port-unreachable (40 matches)
    130 permit icmp any any packet-too-big
    140 permit icmp any any administratively-prohibited (1 match)
    150 permit icmp any any source-quench
    160 permit icmp any any ttl-exceeded (3 matches)
    170 permit icmp any any echo-reply
    180 permit tcp any any established (7603709 matches)
    190 permit udp any any (29002 matches)

I'm not really experienced in the art of configuring a Cisco IOS device, so forgive the slightly daft questions I may ask.

The problem I've run into regards static NAT/PAT. As it stands, I understand that since my public IP is dynamic I will need to specify the interface Dialer1 rather than the WAN IP as the external source. On the internal side I assume that for specific machines with fixed addresses I can simply list that IP address, i.e. if I want my server to have FTP and SSH access I'd put:
Code:
ip nat inside source static tcp 192.168.0.3 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.3 22 interface Dialer1 22

The same would apply for SSH using port 22 instead of 21 going to the same server address.

For Steam or similar software that any machine may need access to, I'm not sure if it is possible to do interface-to-interface NAT. I assume the only way to get it to allow the ports is to just open them in the ACL like so:
Code:
access-list 101 permit tcp any eq 21

or more specifically (not sure on the wildcard):
Code:
access-list 101 permit tcp any range 21 22 192.168.0.3
 
Thinking out loud:
Presumably if a connection to my public IP on a particular port is initiated from outside, a static NAT route to forward this on to an internal host is needed, else the router won't know where to route it. I'm assuming that in the case of games, the established outgoing connections will deal with the incoming, provided the ports are open in the ACL (although that would suggest that the established rule already in my ACL should work for games). I assume that I can also add specific denials in for known host IP addresses that I don't want these ports being open for.

I think I need to do some tests with games to see what does and doesn't work. I know that FTP, SSH and TeamSpeak inbound are not going to work until I create static NAT routes and permissions in the ACL. This isn't a problem as they are all going to point at the same machine with a static IP.

Sort of figured out the wildcard bit now. Not sure if I can denote a very specific IP range using just the wildcard due to the binary octet matching.
Code:
192.168.0.2	11000000.10101000.00000000.00000010
0.0.0.10	00000000.00000000.00000000.00001010

Also, I believe that the last entry in my ACL should be deny ip any any to catch anything that may have been missed further up.
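An added Python example (not from the thread) that works out what the 192.168.0.2 / 0.0.0.10 pair above actually matches under IOS wildcard semantics, and goes one step further than the post by computing the set of base/wildcard pairs that exactly covers any contiguous range (the same aligned power-of-two split used for route summarisation). The addresses are the ones from the thread.

```python
"""IOS wildcard masks: a 0 bit must equal the base address, a 1 bit is don't-care.

Added example, not from the thread. The pair 192.168.0.2 / 0.0.0.10 does not
mean ".2 to .12": it matches exactly the addresses whose bits 1 and 3 (the set
bits of 0x0a) take any value, i.e. .0, .2, .8 and .10. A contiguous range can
only be expressed as a list of aligned power-of-two blocks.
"""
import ipaddress


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def ip_str(n):
    return str(ipaddress.IPv4Address(n))


def wildcard_match(addr, base, wildcard):
    """True if addr matches base/wildcard the way an IOS ACL evaluates it."""
    w = ip_int(wildcard)
    return (ip_int(addr) | w) == (ip_int(base) | w)


def matching_addresses(base, wildcard):
    """Every address a base/wildcard pair matches (use only with small wildcards)."""
    b, w = ip_int(base), ip_int(wildcard)
    free_bits = [i for i in range(32) if w >> i & 1]  # the don't-care bit positions
    out = []
    for combo in range(1 << len(free_bits)):
        n = b & ~w  # fixed part of the address
        for k, bit in enumerate(free_bits):
            if combo >> k & 1:
                n |= 1 << bit
        out.append(ip_str(n))
    return sorted(out, key=ip_int)


def range_to_wildcards(first, last):
    """Minimal list of (base, wildcard) pairs that exactly covers first..last."""
    lo, hi = ip_int(first), ip_int(last)
    pairs = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned and does not overshoot the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((ip_str(lo), ip_str(size - 1)))
        lo += size
    return pairs
```

For the range .2 to .12 this yields four entries, so a single wildcard cannot express it; each entry becomes its own ACL line.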
 
I'm on my tablet but I'll try my best to help out a bit...

It is good practice to put a deny rule at the end of access lists, yes, although Cisco ACLs auto-deny at the end of an access list. If it's not on the list it will automatically be denied.

Typically on our Dialer1 interfaces we have a reflexive access list with a timeout period on the outbound access list.

With the NAT rules you are correct; you would only change this if you have more than one public IP address, really. As you do not have an access list applied to the inside network (VLAN 1/Gi0/1), like you have said you simply need to change the ACL to allow any traffic to whatever IP address.

Your first access list, access-list 101 permit tcp any eq 21, is correct as the NAT will route it to the IP in the NAT rule.

If you have specific devices on the LAN it is good practice to create object groups; this way you can create access lists with more friendly names, for instance:

object-group network Media-Server
 description Media-Server
 host 192.168.0.3

From the above you can also create object groups with ranges or addresses etc so if you only wanted x, y and z to access FTP and block everyone else you can do that.

You may want to start creating usernames and passwords to log in to the router.

username ciscouser privilege 15 secret thisismysecurepassword

Privilege 15 is the highest. Use the command below to encrypt passwords, as passwords with the 7 in front can easily be cracked, so use a higher number if possible.

service password-encryption

Connecting via telnet isn't great and SSH is best. You will need to configure:

ip domain name mydomain.com

crypto key generate rsa

Use whatever size key you like (I normally use 4096) and then remove the transport input type all. Change this to transport input type ssh version 2. Also add an output type for the same.

Also with the DHCP you can set the router to service DNS, as you already have ip name-server configured etc.; you can then update your DHCP pool: IP DNS SERVER

Hopefully this helps somewhat; any more questions, just ask :)
 
Only skimmed the thread, but SSH config is usually:


Domain

crypto key generate

ip ssh version 2

Create any local accounts you need specifying secret and priv

line vty 0 4

transport input ssh
login local (which lets you use a local account you created above)

Try and restrict this being accessible from the outside, unless you need it.

You're going to be NAT overloading (PATing) your traffic out using an access list containing your local subnet, and then the NAT statement with the ACL, and overload it through your outbound interface.
 
Cheers both, very helpful info. I'm assuming that as I don't have an overload statement on the NAT config for the outbound interface it's not being performed. How does this affect the network access to the internet?

Setting up users and object groups sounds like a very good idea as it'll simplify understanding the configuration. Can I export my current config as a txt file, edit it from there and upload it back via a USB pen? (I'm sure I read that this was possible to allow for the same config to be quickly replicated between routers, though that may have been via FTP.)

As to SSH, it's not access to the router via SSH that I'm after, but access to a Linux server on the inside (via the outside interface). I either use the console cable or telnet from an internal machine to configure the router. I don't see a need to configure it from outside. FTP access from the outside is to the same server.
 
The overload statement is on the outside interface (Dialer1) by this statement: ip nat inside source list 1 interface Dialer1 overload

If you remove the above line then internal users will not be able to access the outside world. The same would apply if you were to put a deny rule or have the wrong subnet in the access list 1.

You can export your configuration via some methods. We have an automated backup policy on our routers via the archive command. This saves the configuration to an FTP server. You can also use TFTP to copy files to and from the device.

For inbound routing we normally use random port numbers to help with security; for instance, if we wanted to allow SSH for a Linux device then we would simply have a random port, say 8122, that routes to the internal port 22 that the device is listening on.
 
I made some changes based on the above (although done before you mentioned random ports on the outside being routed to 22 on the inside). If I try to connect via SSH, I get connection refused (which suggests that the access-list order is wrong). I've added the archiving bit, which seems to work correctly.
Code:
Cisco-1921#show running-config
Building configuration...

Current configuration : 3993 bytes
!
! Last configuration change at 12:44:44 UTC Tue Nov 11 2014
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco-1921
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
enable secret 5.
enable password 7 
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.50 192.168.0.51
!
ip dhcp pool main_dhcp_pool
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 194.72.0.114 213.120.234.46 8.8.8.8
!
ip dhcp pool Kei-PC
 host 192.168.0.2 255.255.255.0
 client-identifier 01bc.ee7b.98e8.1e
 client-name Kei-PC
!
ip dhcp pool Humax
 host 192.168.0.4 255.255.255.0
 client-identifier 01dc.d321.8169.a2
 client-name Humax
!
ip dhcp pool Kei-NAS
 host 192.168.0.3 255.255.255.0
 hardware-address 0024.1d7d.1ef9
 client-name Kei-NAS
!
ip dhcp pool Server
 host 192.168.0.100 255.255.255.0
 hardware-address 0024.1d7d.1f09
!
!
!
ip domain name WesNet
ip name-server 8.8.8.8
ip name-server 194.72.0.114
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1810C0V2
!
!
archive
 path ftp:/X:[email protected]
 write-memory
 time-period 10080
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1350
 duplex auto
 speed auto
 no mop enabled
!
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname [email protected]
 ppp chap password 7 1415060303092F23312A1337361115190205545856571A0D0C15
 ppp pap sent-username [email protected] password 7 0111120C54060307344E6E0B0D07051D0A08062B252066303A2F
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.3 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.3 22 interface Dialer1 22
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 GigabitEthernet0/1
!
access-list 1 remark INTERNET-ACCESS
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 255.0.0.0 0.255.255.255 any
access-list 101 deny   ip 248.0.0.0 7.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   udp any any range 33400 34400
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any established
access-list 101 permit udp any any
access-list 101 permit tcp any range ftp 22 host 192.168.0.3
!
!
snmp-server community WesNet RO
snmp-server enable traps entity-sensor threshold
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 
 login
 transport input all
!
scheduler allocate 20000 1000
!
end
 
Try this:

Code:
ip nat inside source static tcp 192.168.0.3 22 interface Dialer1 54022
access-list 101 permit tcp any any eq 54022

I've changed the outside-facing port as it may be getting confused, although it shouldn't as SSH isn't enabled on your router. Just to be sure, you are accessing this remotely from a different public IP address?

Instead of connecting on port 22, just use 54022 once you have entered the above.

If you want to secure it more it may be wise to create an access list for the internal network on Gi0/1. That way you can restrict outbound traffic as well as inbound.
 
Connection times out using either of the port methods. This is connecting via a different public IP from the outside (via remote control).
 
I do my access lists slightly differently; your NAT doesn't look fully correct and I would say you need a reflexive ACL for the Dialer1 interface.
 
Don't think I'm experienced enough to spot where my NAT settings are amiss. Also not really sure how I'd even go about setting up a reflexive ACL. Is that part of the base licence pack or part of the security licence, like the stateful firewall?
 
This is the kind of configuration that I use. I know they say/recommend using access list numbers, but I prefer to call them something more meaningful; it doesn't make any difference.

Code:
ip access-list extended D1-IN
 permit esp any any
 permit gre any any
 permit tcp any any eq www
 permit tcp any any eq smtp log
 permit tcp any any eq 443 log
 permit tcp any range ftp-data ftp any
 permit tcp any any range ftp-data ftp
 permit udp any eq domain any gt 1023
 permit udp any eq ntp any eq ntp
 permit tcp any any eq 1723
 evaluate D1-REFLEX
ip access-list extended D1-OUT
 permit gre any any
 permit esp any any
 permit ip any any reflect D1-REFLEX timeout 300
 deny   ip any any log

Int Dialer1
ip access-group D1-IN in
ip access-group D1-OUT out

ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any

ip nat inside source list NAT interface Dialer1 overload
ip nat inside source static tcp 192.168.0.3 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.3 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.0.3 443 interface Dialer1 443

You can see that I have inbound rules in place for port 80, 443 and some more. I have changed/missed bits of configuration out so some bits may look a little odd but you get the general view of how I port forward successfully. The access list is purely just an example and may not be secure in the example above.
 
Gave the reflexive access list a go with some adjustments. Got connection refused rather than a timeout this time.
Code:
!
! Last configuration change at 12:44:44 UTC Tue Nov 11 2014
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco-1921
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
enable secret 5.
enable password 7 
!
no aaa new-model
!
ip cef
!
!
!!!!!! Configuring the router as DHCP server
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.50 192.168.0.51
!
ip dhcp pool main_dhcp_pool
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 194.72.0.114 213.120.234.46 8.8.8.8
!
ip dhcp pool Kei-PC
 host 192.168.0.2 255.255.255.0
 client-identifier 01bc.ee7b.98e8.1e
 client-name Kei-PC
!
ip dhcp pool Humax
 host 192.168.0.4 255.255.255.0
 client-identifier 01dc.d321.8169.a2
 client-name Humax
!
ip dhcp pool Kei-NAS
 host 192.168.0.3 255.255.255.0
 hardware-address 0024.1d7d.1ef9
 client-name Kei-NAS
!
ip dhcp pool Server
 host 192.168.0.100 255.255.255.0
 hardware-address 0024.1d7d.1f09
!
!
!
ip domain name WesNet
ip name-server 8.8.8.8
ip name-server 194.72.0.114
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1810C0V2
!
!
archive
 path ftp:/xxx/Cisco-1921
 write-memory
 time-period 10080
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
!
!!!!!! Note that Ge0/0 has no IP address
interface GigabitEthernet0/0
 no ip address
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
!
!!!!!! This is the LAN side
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
!!!!!! The ISP's given IP address will be configured via d1
interface Dialer1
 ip address negotiated
 ip access-group D1-inbound in
 ip access-group D1-outbound out
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname [email protected]
 ppp chap password 7 1415060303092F23312A1337361115190205545856571A0D0C15
 ppp pap sent-username [email protected] password 7 0111120C54060307344E6E0B0D07051D0A08062B252066303A2F
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!!!!!! This is the dynamic PAT between Dialer1 (WAN) interface IP address 
!!!!!! and local IP addresses within ACL 1
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.3 21 interface Dialer1 20 extendable
ip nat inside source static tcp 192.168.0.3 21 interface Dialer1 21 extendable
ip nat inside source static tcp 192.168.0.3 22 interface Dialer1 22 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 GigabitEthernet0/1
!
ip access-list extended D1-inbound
 permit esp any any
 permit gre any any
 permit tcp any any eq www
 permit tcp any any eq smtp log
 permit tcp any any eq 443 log
 permit tcp any range ftp-data ftp any
 permit tcp any any range ftp-data ftp
 permit udp any eq domain any gt 1023
 permit udp any eq ntp any eq ntp
 permit tcp any any eq 1723
 evaluate D1-REFLEX
!
!
ip access-list extended D1-outbound
 permit gre any any
 permit esp any any
 permit ip any any reflect D1-REFLEX timeout 300
 deny   ip any any log
access-list 1 remark INTERNET-ACCESS
access-list 1 permit 192.168.0.0 0.0.0.255
!
!
snmp-server community WesNet RO
snmp-server enable traps entity-sensor threshold
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 
 login
 transport input all
!
scheduler allocate 20000 1000
!
end


With an updated version of my original setup I can get an FTP connection established along with the welcome message, then an error "could not connect to server" after the USER message. SSH is odd as the PuTTY window just sits there doing nowt. No error messages or anything other than a static cursor.

Code:
!
! Last configuration change at 12:44:44 UTC Tue Nov 11 2014
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco-1921
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
enable secret 5.
enable password 7
!
no aaa new-model
!
ip cef
!
!
!!!!!!DHCP server config
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.50 192.168.0.51
!
ip dhcp pool main_dhcp_pool
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 194.72.0.114 213.120.234.46 8.8.8.8
!
ip dhcp pool Kei-PC
 host 192.168.0.2 255.255.255.0
 client-identifier 01bc.ee7b.98e8.1e
 client-name Kei-PC
!
ip dhcp pool Humax
 host 192.168.0.4 255.255.255.0
 client-identifier 01dc.d321.8169.a2
 client-name Humax
!
ip dhcp pool Kei-NAS
 host 192.168.0.3 255.255.255.0
 hardware-address 0024.1d7d.1ef9
 client-name Kei-NAS
!
ip dhcp pool Server
 host 192.168.0.100 255.255.255.0
 hardware-address 0024.1d7d.1f09
!
!
!
ip domain name WesNet
ip name-server 8.8.8.8
ip name-server 194.72.0.114
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1810C0V2
!
!!!!!Archive every 7 days or on writing config
archive
 path ftp:/xxx/Cisco-1921
 write-memory
 time-period 10080
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
!
!!!!!! Note that Ge0/0 has no IP address
interface GigabitEthernet0/0
 no ip address
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
!
!!!!!! This is the LAN side
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
!!!!!! The ISP's given IP address will be configured via d1
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname [email protected]
 ppp chap password 7 1415060303092F23312A1337361115190205545856571A0D0C15
 ppp pap sent-username [email protected] password 7 0111120C54060307344E6E0B0D07051D0A08062B252066303A2F
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!!!!!! This is the dynamic PAT between Dialer1 (WAN) interface IP address 
!!!!!! and local IP addresses within ACL 1
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.3 20 interface Dialer1 20
ip nat inside source static tcp 192.168.0.3 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.3 22 interface Dialer1 22
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 GigabitEthernet0/1
!
access-list 1 remark INTERNET-ACCESS
access-list 1 permit 192.168.0.0 0.0.0.255
!
access-list 101 remark DENY FAKE IPs
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 255.0.0.0 0.255.255.255 any
access-list 101 deny   ip 248.0.0.0 7.255.255.255 any
access-list 101 deny   ip 224.0.0.0 7.255.255.255 any
!
access-list 101 remark DENY SPOOFING IPs
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip host 255.255.255.255 any
!
access-list 101 remark DENY VULNERABLE PORTS
access-list 101 deny tcp any any range 135 139 log-input
access-list 101 deny udp any any range 135 139 log-input
access-list 101 deny tcp any any eq 2000 log-input
access-list 101 deny tcp any any eq 2001 log-input
access-list 101 deny tcp any any eq 6000 log-input
access-list 101 deny tcp any any eq 6001 log-input
access-list 101 deny tcp any any range 5900 5910 log-input
access-list 101 deny tcp any any range 5800 5810 log-input
access-list 101 deny tcp any any eq finger log-input
!
access-list 101 remark DENY TRACEROUTE OUTSIDE
access-list 101 deny udp any any range 33400 34400 log-input
!
access-list 101 remark ALLOW ACCESS FOR SERVER FTP & SSH
access-list 101 permit tcp any any eq 20
access-list 101 permit tcp any any eq 21
access-list 101 permit tcp any any eq 22
!
access-list 101 permit udp any any eq ntp
!
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any
access-list 101 permit tcp any any established
access-list 101 permit udp any any
!
!
!
!
snmp-server community WesNet RO
snmp-server enable traps entity-sensor threshold
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 
 login
 transport input all
!
scheduler allocate 20000 1000
!
end

This is the output from show ip nat translation (the public IP has been changed from the actual one).
Code:
Cisco-1921>show ip nat translation
Pro Inside global         Inside local          Outside local         Outside global
tcp 78.53.134.234:49996  192.168.0.2:49996     173.194.78.189:443    173.194.78.189:443
tcp 78.53.134.234:50079  192.168.0.2:50079     64.233.167.188:443    64.233.167.188:443
tcp 78.53.134.234:50254  192.168.0.2:50254     74.125.230.229:443    74.125.230.229:443
tcp 78.53.134.234:50283  192.168.0.2:50283     173.194.78.101:443    173.194.78.101:443
tcp 78.53.134.234:50284  192.168.0.2:50284     74.125.230.149:443    74.125.230.149:443
tcp 78.53.134.234:50285  192.168.0.2:50285     74.125.230.143:443    74.125.230.143:443
tcp 78.53.134.234:50385  192.168.0.2:50385     74.125.230.154:443    74.125.230.154:443
tcp 78.53.134.234:20     192.168.0.3:20        ---                   ---
tcp 78.53.134.234:21     192.168.0.3:21        ---                   ---
tcp 78.53.134.234:22     192.168.0.3:22        ---                   ---
tcp 78.53.134.234:42240  192.168.0.3:42240     173.194.78.138:443    173.194.78.138:443
tcp 78.53.134.234:42241  192.168.0.3:42241     173.194.78.138:443    173.194.78.138:443
tcp 78.53.134.234:42910  192.168.0.3:42910     74.125.206.188:5228   74.125.206.188:5228
tcp 78.53.134.234:47758  192.168.0.3:47758     173.194.78.84:443     173.194.78.84:443
tcp 78.53.134.234:54760  192.168.0.15:54760    157.56.124.47:443     157.56.124.47:443
tcp 78.53.134.234:54770  192.168.0.15:54770    157.55.236.49:443     157.55.236.49:443
tcp 78.53.134.234:54772  192.168.0.15:54772    157.56.124.130:443    157.56.124.130:443
tcp 78.53.134.234:54822  192.168.0.15:54822    74.125.230.246:443    74.125.230.246:443
tcp 78.53.134.234:54823  192.168.0.15:54823    74.125.230.247:443    74.125.230.247:443
tcp 78.53.134.234:54825  192.168.0.15:54825    74.125.230.228:443    74.125.230.228:443
tcp 78.53.134.234:54835  192.168.0.15:54835    64.233.166.188:5228   64.233.166.188:5228
tcp 78.53.134.234:54995  192.168.0.15:54995    173.194.78.189:443    173.194.78.189:443
tcp 78.53.134.234:55004  192.168.0.15:55004    173.194.78.102:443    173.194.78.102:443
tcp 78.53.134.234:55039  192.168.0.15:55039    173.194.35.23:443     173.194.35.23:443
tcp 78.53.134.234:55040  192.168.0.15:55040    173.194.78.136:443    173.194.78.136:443
tcp 78.53.134.234:55041  192.168.0.15:55041    74.125.230.134:443    74.125.230.134:443

The access list suggests there have been matches for all permitted ports.
Code:
Standard IP access list 1
    10 permit 192.168.0.0, wildcard bits 0.0.0.255 (82809 matches)
Extended IP access list 101
    10 deny ip 192.168.0.0 0.0.255.255 any
    20 deny ip 172.16.0.0 0.15.255.255 any
    30 deny ip 10.0.0.0 0.255.255.255 any
    40 deny ip 127.0.0.0 0.255.255.255 any
    50 deny ip 255.0.0.0 0.255.255.255 any
    60 deny ip 248.0.0.0 7.255.255.255 any
    70 deny ip 224.0.0.0 7.255.255.255 any
    80 deny ip host 0.0.0.0 any (39 matches)
    90 deny ip host 255.255.255.255 any
    100 deny tcp any any range 135 139 log-input
    110 deny udp any any range 135 netbios-ss log-input
    120 deny tcp any any eq 2000 log-input
    130 deny tcp any any eq 2001 log-input
    140 deny tcp any any eq 6000 log-input
    150 deny tcp any any eq 6001 log-input
    160 deny tcp any any range 5900 5910 log-input
    170 deny tcp any any range 5800 5810 log-input
    180 deny tcp any any eq finger log-input
    190 deny udp any any range 33400 34400 log-input (1 match)
    200 permit tcp any any eq ftp-data
    210 permit tcp any any eq ftp (32 matches)
    220 permit tcp any any eq 22 (6 matches)
    230 permit udp any any eq ntp (7 matches)
    240 permit icmp any any net-unreachable
    250 permit icmp any any host-unreachable
    260 permit icmp any any port-unreachable
    270 permit icmp any any packet-too-big
    280 permit icmp any any administratively-prohibited
    290 permit icmp any any source-quench
    300 permit icmp any any ttl-exceeded
    310 permit icmp any any echo-reply
    320 deny icmp any any (1 match)
    330 permit tcp any any established (58305 matches)
    340 permit udp any any (900 matches)
 
Make sure you have logging on and use the command term mon in non-configuration mode, or logging monitor if you are connected via console cable.

If you put a deny ip any any log at the end of your access list, this may help you if it's an ACL issue.

Try to connect again and it should log where it's being blocked, etc.
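To show how the first-match lookup, the wildcard bits and the implicit deny behave for the list quoted above, here is an added Python model that is not code from the thread or from IOS. It loads a constructed subset of access list 101 plus the explicit final deny ip any any log the reply suggests, evaluates constructed packets against it, and returns the sequence number that matched, i.e. the line whose counter would increment in show access-lists.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard bits: a 1 bit means 'do not care'; 'any' is 0.0.0.0 255.255.255.255."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: tuple                   # (base, wildcard)
    dst: tuple
    dport: tuple = (0, 65535)    # inclusive destination port range; default is any port
    established: bool = False    # match only TCP segments carrying ACK or RST
    matches: int = 0             # the per-line counter 'show access-lists' prints


ANY = ("0.0.0.0", "255.255.255.255")

# Added example, not from the thread or IOS: a constructed subset of the thread's ACL 101.
# Seq 350 is the explicit 'deny ip any any log' the reply recommends, so a blocked
# connection shows up in this line's counter and in the log instead of vanishing silently.
ACL_101 = [
    Ace(10, "deny", "ip", ("192.168.0.0", "0.0.255.255"), ANY),   # spoofed inside addresses
    Ace(30, "deny", "ip", ("10.0.0.0", "0.255.255.255"), ANY),
    Ace(100, "deny", "tcp", ANY, ANY, (135, 139)),
    Ace(220, "permit", "tcp", ANY, ANY, (22, 22)),                  # inbound SSH to the NAS
    Ace(330, "permit", "tcp", ANY, ANY, established=True),          # replies to outbound TCP
    Ace(340, "permit", "udp", ANY, ANY),
    Ace(350, "deny", "ip", ANY, ANY),
]


def evaluate(acl, proto, src, dst, dport=0, ack=False):
    """First-match lookup: return (action, seq); seq None is the implicit deny at the end."""
    for ace in acl:
        if (ace.proto in ("ip", proto)
                and wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)
                and ace.dport[0] <= dport <= ace.dport[1]
                and (ack or not ace.established)):
            ace.matches += 1
            return ace.action, ace.seq
    return "deny", None
```

Evaluating the same unsolicited port 25 SYN against the list with and without seq 350 shows the difference: with it the packet is attributed to line 350 and counted, without it the packet dies on the implicit deny and no counter moves.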
 
Seems that the issue was the firewall on the Linux machine. Even though I had exceptions set for both SSH and FTP it wasn't allowing connections through. I shut it off this morning and just tried to connect from work and it connected OK, but it requires setting to active mode as it seems to default to passive (which worked previously). SSH works properly too.

Presumably it may be wise to switch away from the actual common ports 20-22 to the random alternatives like you suggested earlier and let NAT make the translation. I assume that the less well-known ports for Steam and TeamSpeak are less of an issue. Should I have bothered adding the NTP port access?
 
That's good to know it's finally resolved! I don't normally have NTP allowed inbound, and as you have no internal outbound ACL it can communicate with an NTP server externally, unless you have any other specific requirements?
 
I've removed the NTP port rule as I don't need any inbound traffic, since I don't host an NTP server. I'll increase the password encryption level like you originally suggested. I need to get a friend to help test the inbound rules for TeamSpeak and see if multiplayer works on Steam.

Anything obvious missing in my current ACL that should be permitted/denied? I may try to restore list 102 for outgoing rules if it's worthwhile.
 
Personally I have access lists for the Dialer interface and then another for internal traffic, mainly to restrict outbound access so that only certain devices, servers for instance, can send anything out on port 25.
 
Presumably outgoing via port 25 would only be expected if you hosted email on a server (which I do not). Ports below 1024 are the most likely to be used maliciously, so securing them outbound too would make a lot of sense. This would be an access list placed on interface Ge0/1 as ip access-group 102 out?

Also, if I use SFTP instead of plain old FTP I assume I can remove the forwarding and access list parts for plain FTP? I tested it out the other day and found that the performance was on par with plain FTP, and it's obviously more secure as the password and data are encrypted.
 
Thoroughly tested this now and can say that it is good for online games via Steam. Internet connection and network have both been perfect since, without a single hiccup. Just over 3 weeks' uptime now. I'd be lucky to manage a week with the old TP-Link.
 