bare basic setup of 1700

If all I need is a bare basic setup on a 1700 that will have another VPN firewall behind it on 1.2.3.5, will the following setup work? Should I add any ACLs to this at all?

Thanks... Brian

version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname router
!
boot-start-marker
boot-end-marker
!
no logging console
enable password 7 XXXXXXXXXXXXXXXXXXXXXXX
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 ip address 1.2.3.4 255.255.255.248
 speed 100
 full-duplex
!
interface Serial0/0
 ip address 5.6.7.8 255.255.255.252
 encapsulation frame-relay IETF
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
!
interface Serial1/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
!
line con 0
 exec-timeout 0 0
 password 7 XXXXXXXXXXXXXXXXXXXXXXX
line aux 0
 login
 transport input all
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXXXXXXX
 login
line vty 5 15
 password 7 XXXXXXXXXXXXXXXXXXXXXXX
 login
!
!
end


Only thing to watch is whether or not you need NAT. If your 1.2.3.4 subnet is public, this should work fine, and I don't see any reason for ACLs unless the firewall device has a mgmt port that you want to disable from the outside world. Base ACLs are also a good idea to block the private IP address ranges from the internet to hedge spoofing attacks (192.168.x, 10.x, 172.16.x, etc.).

If 1.2.3.4 is not public, then you'll have to NAT it if you have any desire for the internet to reach the vpn/firewall and whatever is sitting behind it (definitely NAT behind that I would guess).

Trendkill
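The "base ACLs" Trendkill suggests, written out as an added example for Brian's 1700 (this is not Trendkill's or Brian's config). It assumes Serial0/0 is the Internet-facing link and that the public /29 on FastEthernet0/0 is 1.2.3.0/29, as in the posted config; the ACL names OUTSIDE-IN and MGMT-HOSTS are arbitrary choices. The ingress ACL drops packets arriving from the outside with a source address that can never legitimately come from that direction (the RFC1918 ranges Trendkill names, loopback, and the router's own public block), then passes everything else on to the VPN firewall at 1.2.3.5. The second ACL limits who may open a vty session on the router itself.

```cisco
! Added example, not part of the original thread.
! Assumes: Serial0/0 = outside link, 1.2.3.0/29 = the public LAN on Fa0/0.
!
! Ingress anti-spoofing filter for the Internet-facing serial interface.
ip access-list extended OUTSIDE-IN
 remark --- sources that must never arrive from the Internet ---
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark --- our own public /29 cannot be a valid source from outside ---
 deny   ip 1.2.3.0 0.0.0.7 any log
 remark --- everything else goes to the VPN firewall at 1.2.3.5 ---
 permit ip any any
!
interface Serial0/0
 ip access-group OUTSIDE-IN in
!
! Only hosts on the inside /29 may reach the router's vty lines.
ip access-list standard MGMT-HOSTS
 permit 1.2.3.0 0.0.0.7
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
```

The `log` keyword on the deny entries is what makes the filter useful for detection as well as blocking: each hit shows up in the syslog and the match counters of `show ip access-lists OUTSIDE-IN` tell you whether spoofed traffic is actually arriving on the link. Denying the router's own 1.2.3.0/29 as a source on the outside interface is the usual companion to the RFC1918 entries, since a packet claiming to come from inside the LAN has no business entering on the WAN side.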

Trendkill wrote:

|On Mar 21, 4:34 pm, Brian wrote:
|> If all I need is a bare basic setup on a 1700 that will have another VPN
|> firewall behind it on 1.2.3.5, will the following setup work?  Should I add any
|> ACLs to this at all?
|>
|> Thanks...
|> Brian
|>
|> version 12.3
|> service timestamps debug uptime
|> service timestamps log uptime
|> service password-encryption
|> service udp-small-servers
|> service tcp-small-servers
|> !
|> hostname router
|> !
|> boot-start-marker
|> boot-end-marker
|> !
|> no logging console
|> enable password 7 XXXXXXXXXXXXXXXXXXXXXXX
|> !
|> mmi polling-interval 60
|> no mmi auto-configure
|> no mmi pvc
|> mmi snmp-timeout 180
|> no aaa new-model
|> ip subnet-zero
|> ip cef
|> !
|> !
|> !
|> no ftp-server write-enable
|> !
|> !
|> !
|> !
|> interface FastEthernet0/0
|>  ip address 1.2.3.4 255.255.255.248
|>  speed 100
|>  full-duplex
|> !
|> interface Serial0/0
|>  ip address 5.6.7.8 255.255.255.252
|>  encapsulation frame-relay IETF
|>  no ip mroute-cache
|>  no fair-queue
|>  service-module t1 timeslots 1-24
|> !
|> interface Serial1/0
|>  no ip address
|>  shutdown
|> !
|> ip classless
|> ip route 0.0.0.0 0.0.0.0 Serial0/0
|> no ip http server
|> !
|> !
|> line con 0
|>  exec-timeout 0 0
|>  password 7 XXXXXXXXXXXXXXXXXXXXXXX
|> line aux 0
|>  login
|>  transport input all
|> line vty 0 4
|>  password 7 XXXXXXXXXXXXXXXXXXXXXXX
|>  login
|> line vty 5 15
|>  password 7 XXXXXXXXXXXXXXXXXXXXXXX
|>  login
|> !
|> !
|> end
|
|Only thing to watch is whether or not you need NAT. If your 1.2.3.4
|subnet is public, this should work fine, and I don't see any reason
|for ACLs unless the firewall device has a mgmt port that you want to
|disable from the outside world. Base ACLs are also a good idea to
|block the private IP address ranges from the internet to hedge
|spoofing attacks (192.168.x, 10.x, 172.16.x, etc.).
|
|If 1.2.3.4 is not public, then you'll have to NAT it if you have any
|desire for the internet to reach the vpn/firewall and whatever is
|sitting behind it (definitely NAT behind that I would guess).

Yes, 1.2.3.4 is a public IP.

Thanks...

Brian

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.