Cisco 2621XM config check please

ajf (Soldato, joined 30 Oct 2006, 3,053 posts, Worcestershire, UK)
Hi.
You might have seen my post regarding this router and a few issues.
Anyway, all seems to be OK. I have now configured the security options and added some voice config. Just three internal phones so far!

I would just like someone with a better knowledge to check over for any potential issues, either security wise or other problems.
I know that remote access to the console can be an issue but I think the firewall defaults resolve this?

http://www.ajf1976.pwp.blueyonder.co.uk/hh/full3.txt

Only potential issue I have found is internet access seems slow?

Next try and work out how to configure it to work with an external pstn line!

Thank you
Andrew
 
What spec is your router? Internet access may well be slow due to the huge amount of inspect entries in your config. Cisco kit does dramatically lose throughput once you start piling on ACLs etc. Every packet that hits the router has those rules applied, which puts load on the CPU and memory. Sometimes, where one interface is sitting on a LAN, it's better to apply the security to the outbound interface, so that general broadcast crap floating about the LAN and traffic not destined for the untrusted zone isn't subjected to processing.
Not an expert on the Voice side of things with Cisco kit but that to me looks to be ok.
 
Thank you.
It's an older 2621XM but it does have the max 256 MB RAM and 48 MB flash.
I might look at the rules. They were all added when I chose the default firewall and lockdown options, so possibly some can be removed for home use.
I thought better safe than sorry until I got used to how and what it does!

Andrew
 
Hi ajf,

That config looks ok to me - the only thing I would suggest is that you decrease the number of ephones and DNs from 48. Having that many 'available' consumes resource on the router, as it sets it aside for potential use.

If you've only got a handful of phones use something like:
telephony-service
max-ephones 5
max-dn 5
exit

I'm not 100% sure if you've got DSPs that will allow you to do the external line - doing a 'show invent' will tell you for sure.

If you're only connecting to a bog-standard PSTN line, there are a couple of options for you. You can either get the router to answer the call and give secondary dial-tone, where you can then dial an extension number, or get it to run a TCL script and play an auto message like 'dial 1001 for xxx'.
Failing that, you could use PLAR, which will automatically push the call to an extension number of your choice (it's tied to one ext though).

Then you need to look at a dial plan for external calls to push a call out of a voice-port. It's been a while since I did CME, but I can always break the one out of storage on my shelf if you need any help.
 

Ahh I see. Did you use SDM? If so then you probably have lots of crap on there that isn't necessary.
 
Yes, I did use SDM for the security purely as it was not an area I knew enough to be sure it was secure.
It does look over the top but not sure what to remove at the moment.

Voice was the main priority for me as I have no VoIP experience and it seems a skill more companies are after.
It's not in a 'live' environment currently so performance isn't a major issue, but I would like to look at it at some point, as once I get the CME configured I might use it in the house, so I could just replace my existing router with the Cisco too.

One thing for sure, Cisco VoIP is certainly a challenge compared to some Windows-based systems - I had a look at 3CX too.

Andrew
 
I'm assuming you've done the obvious, like disabling telnet in favour of SSH and disabling HTTP and SNMP v1/2.
Just block everything except what you know you'll be using in an ACL. In essence, make use of the implicit deny and just add statements for the traffic you wish to permit. This way, if you aren't aware of it, it's not getting through.
Apply it to the LAN-side interface; that way you can always create a debug ACL to apply to the WAN-side interface to troubleshoot any blocked services later on.

On that router platform you can only ever really hope to achieve access control (because it's a router after all not a security appliance). Intrusion prevention and "proper" security should always be handled by a purpose built firewall.

There are plenty of online how to guides to achieve a widely accepted baseline for security.
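Pulling together the two bits of advice above (size max-ephones/max-dn to the phones you actually have, and the telnet/HTTP/SNMP/implicit-deny points), here is an added example that is not code from this thread or from ajf's config: a Python script that parses a constructed IOS config and reports each of those points. The sample config, the HEADROOM value and the exact check logic are my assumptions for illustration, not anything taken from full3.txt.

```python
"""Audit a Cisco IOS config for the points raised in this thread.

Added example, not code from the thread or ajf's actual config. The checks
assume "the obvious" means: SSH-only vty lines, no HTTP server, no SNMP
v1/v2c community, ACLs that rely on the implicit deny, and max-ephones /
max-dn sized to the phones actually defined.
"""
import re

# Constructed sample, not the poster's full3.txt: it deliberately contains
# every problem the replies tell ajf to fix.
SAMPLE_CONFIG = """\
ip http server
snmp-server community public RO
!
ip access-list extended LAN_IN
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit udp 192.168.1.0 0.0.0.255 any eq 53
 permit ip any any
!
telephony-service
 max-ephones 48
 max-dn 48
!
ephone-dn 1
 number 1001
ephone-dn 2
 number 1002
ephone-dn 3
 number 1003
ephone 1
 button 1:1
ephone 2
 button 1:2
ephone 3
 button 1:3
!
line vty 0 4
 transport input telnet ssh
"""

HEADROOM = 2  # assumed: spare ephone/DN slots beyond what is defined


def parse_sections(config):
    """Split an IOS config into (header, [sub-mode commands]) pairs using IOS's one-space indent."""
    sections, header, children = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
            continue
        if header is not None:
            sections.append((header, children))
        header, children = raw.strip(), []
    if header is not None:
        sections.append((header, children))
    return sections


def audit(config):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    sections = parse_sections(config)
    headers = [h for h, _ in sections]

    # Management plane: vty lines must be SSH-only, no HTTP, no SNMP v1/v2c.
    for header, children in sections:
        if header.startswith("line vty"):
            for cmd in children:
                words = cmd.split()
                if words[:2] == ["transport", "input"] and (
                        "telnet" in words or "all" in words):
                    findings.append(f"{header}: '{cmd}'; use 'transport input ssh'")
    if "ip http server" in headers:
        findings.append("ip http server enabled; use 'no ip http server'")
    findings += [f"SNMP v1/v2c community present: '{h}'"
                 for h in headers if h.startswith("snmp-server community")]

    # Data plane: a trailing 'permit ip any any' throws away the implicit deny.
    for header, children in sections:
        if (header.startswith("ip access-list") and children
                and children[-1].split() == ["permit", "ip", "any", "any"]):
            findings.append(f"{header}: trailing 'permit ip any any' defeats the implicit deny")

    # Voice: reserve only what the configured phones need.
    ephones = sum(1 for h in headers if re.fullmatch(r"ephone \d+", h))
    dns = sum(1 for h in headers if re.fullmatch(r"ephone-dn \d+", h))
    for header, children in sections:
        if header == "telephony-service":
            for cmd in children:
                key, _, val = cmd.partition(" ")
                if key == "max-ephones" and int(val) > ephones + HEADROOM:
                    findings.append(f"max-ephones {val} but only {ephones} ephones defined")
                elif key == "max-dn" and int(val) > dns + HEADROOM:
                    findings.append(f"max-dn {val} but only {dns} ephone-dns defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against your own `show running-config` output (minus the ACL you really want to keep) and fix things until it prints "no findings"; the parser only relies on IOS's one-space indentation, so it copes with the rest of the SDM-generated config even though it doesn't check it.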
 