Review my first Cisco 892 router config

triden55

Junior Member
Dec 24, 2014
This is the first router config that I have done, and I used the CLI to program a Cisco model 892. There are about 10 users behind this router, connected to a Cisco SG300 series switch. This router will provide DHCP, VLANs, and NAT access to the internet (via cable modem). The LAN port is FE0 and the WAN port is FE8 to the internet. There are 4 Cisco WAP321s connected with two SSIDs. The guest SSID (internet access only) uses VLAN2 and the normal SSID uses VLAN1. I figured there were some Cisco gurus lurking around here, so I thought I would give it a shot. Please let me know if there are security or efficiency improvements that I can add to this. Thanks!


Code:
!
! Last configuration change at 20:04:03 PST Mon Dec 22 2014
! NVRAM config last updated at 15:10:16 PST Mon Dec 22 2014
! NVRAM config last updated at 15:10:16 PST Mon Dec 22 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gateway
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
!
no aaa new-model
clock timezone PST -8 0
!
!
ip cef
!
!
!
!


!
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.8.1 192.168.8.99
!
ip dhcp pool data
 import all
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.1 
 dns-server 192.168.8.60 
 domain-name summitdrive.local
!
ip dhcp pool guest_wifi
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1 
 dns-server 64.59.168.13 64.59.168.15 
!
!
!
no ip domain lookup
ip domain name summitdrive.local
ip host gateway 192.168.0.1
ip host fs1 192.168.8.60
ip name-server 64.59.168.13
ip name-server 64.59.168.15
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO892-K9 sn FCZ1714C2ZD
!
!
username sdcadmin privilege 15 secret 4 zsc1w55wVxL1behpFMAW8XrxKcVujVnNHLpMKP.ZgXk
!
redundancy
!
!
!
!
!
ip ssh version 2
! 
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 ip address 184.71.128.156 255.255.255.252
 ip access-group INBOUND_INTERNET in
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 description data_vlan
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 description guest_vlan
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 184.71.128.154
!
ip access-list extended INBOUND_INTERNET
 permit icmp any host 184.71.125.118 echo-reply
 permit icmp any host 184.71.125.118 time-exceeded
 permit icmp any host 184.71.125.118 unreachable
 deny   ip any any log
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended SSH
 permit ip 192.168.8.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 access-class SSH in
 exec-timeout 5 0
 login local
 transport input ssh
!
ntp server 1.ca.pool.ntp.org
ntp server 0.ca.pool.ntp.org
!
end

drebo

Diamond Member
Feb 24, 2006
You need "login local" under "line con 0".

Also, even though you don't have more than one IP available (as a business, this is something I'd recommend changing even if you don't need it now), I'd recommend setting the dynamic NAT up with a route-map from the get-go. It's much more flexible, particularly if you add things like IPSec tunnels and additional static NATs. It makes it much simpler to exclude things from that NAT.

Additionally, you need to enable stateful packet inspection. Right now, you're not using any. There are two methods you can use: ZBF and ip inspect.

ZBF is newer, but it's a huge pain in the ass to configure because Cisco's config syntax isn't conducive to context-based configuration, which is what they tried to emulate with ZBF. You can read about it here: http://packetlife.net/blog/2012/jan/30/ios-zone-based-firewall/

The other, older, option is ip inspect...otherwise known as CBAC. This is simpler to configure. Look at a sample config here: http://www.dslreports.com/faq/13435. The important bits are the "ip inspect" commands and the "ip inspect OUTBOUND out" under the outside interface configuration.

Basically, SPI allows you to make sure that the traffic going in and out is the right kind of traffic for the flow that was initially created. You want this.
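The three changes drebo recommends, written out as an IOS 15.x config fragment for the 892 above. This is an added example, not config from the thread; the _EX names, the 10.0.0.0/8 "future VPN" subnet and the list of inspected protocols are assumptions chosen here.

```cisco
! Added example (not from the thread): drebo's three suggestions as an
! IOS 15.x fragment for the 892 above. The _EX names and the 10.0.0.0/8
! "future VPN" subnet are placeholders chosen here, not values from the post.
!
! 1. Require a login on the console, matching what the VTY lines already do
line con 0
 login local
 logging synchronous
 exec-timeout 5 0
!
! 2. Dynamic NAT driven by a route-map. The deny entry is the exclusion
!    hook: traffic bound for a future IPsec peer's LAN stays un-NATed, and
!    later static NATs or tunnels just get further deny entries.
ip access-list extended NAT_EX
 deny   ip 192.168.8.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.8.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
!
route-map NAT_RM_EX permit 10
 match ip address NAT_EX
 match interface FastEthernet8
!
! Replace the list-based rule with the route-map one; run
! "clear ip nat translation *" from exec mode before removing the old rule.
no ip nat inside source list NAT interface FastEthernet8 overload
ip nat inside source route-map NAT_RM_EX interface FastEthernet8 overload
!
! 3. CBAC stateful inspection on the WAN interface: sessions started from
!    inside open temporary entries for their return traffic, so the
!    inbound ACL can stay deny-by-default for anything unsolicited.
ip inspect name OUTBOUND_EX tcp
ip inspect name OUTBOUND_EX udp
ip inspect name OUTBOUND_EX icmp
ip inspect name OUTBOUND_EX dns
ip inspect name OUTBOUND_EX ftp
!
interface FastEthernet8
 ip inspect OUTBOUND_EX out
!
! Check with: show ip nat translations / show ip inspect sessions
```

Because inspect entries are consulted before the interface ACL, the echo-reply, time-exceeded and unreachable lines in INBOUND_INTERNET become redundant once icmp is inspected, but leaving them does no harm.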

triden55

Junior Member
Dec 24, 2014
Those are great suggestions.

I want to qualify your comment about dynamic NAT with a route-map. I'm pretty new at this, so you have lost me. Currently, yes, there is only one available static WAN IP. Can you send me a link to get me going with this dynamic NAT setup? If it'll make life easier in the future, I am all for it. I also plan to have an IPsec VPN tunnel configured soon.

I'm looking into CBAC as we speak!

Thanks.

louisjamesreeve

Junior Member
Apr 19, 2015
I wanted to say thank you for posting this up. I would never have gotten my 892 working with the Internet without seeing your post. One million thank-yous!!!