Question: Problem: Can the script for Cisco 827-4V router be changed to allow all traffic through
I wish to reconfigure my Cisco 827-4V router so as to allow all traffic through to my computer that is running Microsoft Small Business Server 2000 and then let ISA do all the security.
The current configuration was used when the router was connected directly to the switch on the internal LAN. The router is now connected to the (new) second NIC of the SBS server for external traffic. The other NIC handles the internal LAN.
Unsolicited inbound traffic will consist of mail, FTP, and VPN type.
Following is my current router script. Could this be rewritten to allow all traffic through to the following addresses:
Router External ip address = 215.215.215.215 (say)
Router Internal ip address = 192.168.0.1
ISA ip address = 192.168.0.2
Also could you please confirm the procedure to erase the current configuration and install and save the new configuration.
Thanks
Current configuration:
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname
!
enable secret 5 123456789012345678901234567890
!
!
!
!
!
clock timezone NZST 12
clock summer-time NZST recurring 1 Sun Oct 2:00 3 Sun Mar 2:00
ip subnet-zero
!
!
!
!
interface Ethernet0
ip address 255.255.255.0
ip access-group 150 in
no ip directed-broadcast
no ip proxy-arp
ip nat inside
no cdp enable
!
interface ATM0
no ip address
no ip directed-broadcast
no atm ilmi-keepalive
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
hold-queue 224 in
!
interface Dialer0
ip address negotiated
ip access-group 100 in
no ip directed-broadcast
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username password 7 12345678901234567890123477
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 110 110 extendable
ip nat inside source static tcp 25 25 extendable
ip nat inside source static tcp 20 20 extendable
ip nat inside source static tcp 21 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
access-list 1 permit 192.168.???.0 0.0.0.255
access-list 100 permit tcp any host eq pop3
access-list 100 permit tcp any host eq smtp
access-list 100 permit tcp host host eq ftp
access-list 100 permit tcp host host eq ftp-data
access-list 100 permit tcp host host eq ftp
access-list 100 permit tcp host host eq ftp-data
access-list 100 permit udp any gt 1023 any eq domain
access-list 100 permit udp any eq domain any gt 1023
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any any established
access-list 100 deny ip 192.168.???.0 0.0.0.255 any
access-list 100 permit tcp any host eq ftp
access-list 100 permit tcp any host eq ftp-data
access-list 150 permit ip host any
access-list 150 permit tcp any any eq smtp
access-list 150 permit ip host any
dialer-list 1 protocol ip permit
no cdp run
banner motd ^C
**********************************************************
**** Unauthorized Access To This System Is Prohibited ****
**********************************************************^C
!
line con 0
transport input none
stopbits 1
line vty 0 4
access-class 1 in
password 7 12345678901234567890123456
login
!
scheduler max-task-time 5000
end
Answer: Problem: Can the script for Cisco 827-4V router be changed to allow all traffic through
>It seems to require me to register
Yes, CCO requires you to have a valid maint contract (SmartNet) and a CCO login to download the software.
However, If you are passing the PPTP connection to an internal host (ISA server), then you do not need the upgrade.
Make it simple and setup a single static NAT over to the ISA and let it be your firewall and proxy:
Erase the current config:
Router# write erase
(confirm)
Router# reload
(If prompted to save, say No)
When the router reboots, you will have an opportunity to run an initial setup dialog. I would say No at the prompt.
Then you will have a brand-new blank config to start from scratch.
Objectives will be to keep it simple and make it work.
> and then let ISA do all the security
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname
!
enable
!
!
!
!
!
clock timezone NZST 12
clock summer-time NZST recurring 1 Sun Oct 2:00 3 Sun Mar 2:00
ip subnet-zero
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
no ip proxy-arp
ip nat inside
no cdp enable
!
interface ATM0
no ip address
no ip directed-broadcast
no atm ilmi-keepalive
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
hold-queue 224 in
!
interface Dialer0
ip address 215.215.215.215 255.255.255.248 <--whatever is appropriate (or 'negotiated')
no ip directed-broadcast
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username password
!
! # make a single static NAT map to the ISA server
ip nat inside source static 192.168.0.2 215.215.215.215
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
! # The only access-list is to trigger the dialer
access-list 1 permit 192.168.0.2
banner motd ^C
**********************************************************
**** Unauthorized Access To This System Is Prohibited ****
**********************************************************
^C
!
line vty 0 4
password
!
end
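The two configs in this thread make different trade-offs about what the router itself still filters: the original forwards individual TCP ports and screens them with access-list 100, while the answer's config forwards every port of the outside address to the ISA server, drops the inbound access-group, and also drops the "access-class 1 in" that used to restrict the vty lines. As an added example (not code from the original thread or from either poster), here is a small Python audit that parses IOS-style config text into its indented blocks and reports (a) whether a static NAT forwards single ports or the whole host, (b) outside interfaces with no inbound access-group, (c) vty lines with no access-class, and (d) whether the HTTP server is still disabled. The two sample configs are constructed, using only the placeholder addresses from the question; the finding names and the regex are my own.

```python
"""Audit an IOS config for what the router itself still filters.

Added example, not from the original thread. Sample configs are constructed.
"""
import re

# Constructed sample shaped like the answer's single-static-NAT config.
SIMPLE_CONFIG = """\
interface Dialer0
 ip address negotiated
 ip nat outside
!
ip nat inside source static 192.168.0.2 215.215.215.215
no ip http server
!
line vty 0 4
 password 7 0123456789
 login
!
end
"""

# Constructed sample shaped like the original port-by-port config.
FILTERED_CONFIG = """\
interface Dialer0
 ip address negotiated
 ip access-group 100 in
 ip nat outside
!
ip nat inside source static tcp 192.168.0.2 25 215.215.215.215 25 extendable
ip nat inside source static tcp 192.168.0.2 110 215.215.215.215 110 extendable
access-list 100 permit tcp any host 215.215.215.215 eq smtp
no ip http server
!
line vty 0 4
 access-class 1 in
 password 7 0123456789
 login
!
end
"""

# Matches both "static <inside> <outside>" and "static tcp <inside> <port> <outside> <port>".
STATIC_NAT = re.compile(
    r"^ip nat inside source static (?:(?P<proto>tcp|udp) )?"
    r"(?P<inside>\d+\.\d+\.\d+\.\d+)(?: (?P<iport>\d+))? "
    r"(?P<outside>\S+)(?: (?P<oport>\d+))?"
)


def parse_blocks(text):
    """Split an IOS config into (global_lines, blocks).

    blocks maps a header such as 'interface Dialer0' or 'line vty 0 4'
    to the list of indented lines beneath it; '!' ends a block.
    """
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw[0] == " ":            # indented: belongs to the open block
            if current is not None:
                blocks[current].append(stripped)
            continue
        if re.match(r"^(interface|line) ", stripped):
            current = stripped
            blocks[current] = []
        else:
            current = None
            global_lines.append(stripped)
    return global_lines, blocks


def audit(text):
    """Return a list of (finding, detail) tuples for the given config."""
    global_lines, blocks = parse_blocks(text)
    findings = []
    # (a) A static NAT with no protocol/port forwards every port of the
    #     outside address, so the inside host's firewall is the only screen.
    for line in global_lines:
        m = STATIC_NAT.match(line)
        if m is None:
            continue
        if m.group("proto") is None:
            findings.append(("ALL_PORTS_FORWARDED", m.group("inside")))
        else:
            findings.append(("PORT_FORWARDED",
                             f"{m.group('proto')}/{m.group('iport')}->{m.group('inside')}"))
    # (b) Outside interface with no inbound access-group: the router filters
    #     nothing before the packet hits the NAT translation.
    for header, body in blocks.items():
        if header.startswith("interface ") and "ip nat outside" in body:
            if not any(l.startswith("ip access-group ") and l.endswith(" in")
                       for l in body):
                findings.append(("NO_INBOUND_ACL", header))
    # (c) vty lines without an access-class are reachable from any source,
    #     including the outside address, not just the LAN.
    for header, body in blocks.items():
        if header.startswith("line vty") and not any(
                l.startswith("access-class ") for l in body):
            findings.append(("VTY_UNRESTRICTED", header))
    # (d) The HTTP server is an extra management service; keep it off.
    if "no ip http server" not in global_lines:
        findings.append(("HTTP_SERVER_ENABLED", "global"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("simple", SIMPLE_CONFIG), ("filtered", FILTERED_CONFIG)):
        print(name, audit(cfg))
```

Run against the simplified config it reports the whole host forwarded, no inbound ACL on Dialer0, and an unrestricted vty; against the port-by-port config it reports only the two forwarded ports. The vty finding is the one worth acting on whichever design is chosen: forwarding everything to ISA does not change the fact that the router's own management lines accept connections from wherever the dialer interface is reachable.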