Cisco 2600 Router setup


Master468 (Commendable, Feb 25, 2016)
I need a setup that will connect 2 subnets together but only have one port open (i.e. only talk on one port). All traffic on all other ports must be blocked. My running config keeps changing as I try new things, so I didn't post it here, but I can make it available if need be.



 
Solution
Assuming you have no other interfaces and you do not want to block traffic to the router itself, you can use a single access list applied to a single interface to accomplish what you want. It depends what port the devices actually use: you are applying the port only to the destination address, but you can apply it to both destination and source in a single statement if the port is the same on both.

I would do an erase nvram and reboot and put your config back in clean. There will be a little junk the router puts in and you can ignore that, but I have no idea where you got the dialer list and forward protocol stuff.
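As an added illustration of the matching rules the solution describes (this is not code from the thread), here is a small Python evaluator for the extended ACL statements posted in it: it applies IOS wildcard masks, first-match-wins order and the implicit deny, and shows that an entry with "eq 47808" only on the destination permits requests to that port but drops replies sent back to an ephemeral source port, while putting the port on both sides requires both to match. The Packet tuple and the sample addresses are constructed for the example; only the "eq" port operator used in the thread is supported.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport")  # constructed sample packets

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):
    # Parse 'any', 'host A' or 'A WILDCARD' -> ((address, wildcard), next index).
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _port(tok, i):
    # Only the 'eq N' operator used in the thread is handled; no operator means any port.
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_rule(line):
    tok = line.split()
    if tok[0] == "access-list":      # numbered form: drop 'access-list 101'
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    return action, proto, src, sport, dst, dport

def _addr_match(addr_wild, ip):
    # IOS wildcard masks: a 1 bit means "don't care", so compare the 0 bits only.
    addr, wild = addr_wild
    return (_ip(ip) & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF)

def evaluate(acl_lines, pkt):
    # First matching entry wins; falling off the end hits the implicit 'deny ip any any'.
    for action, proto, src, sport, dst, dport in map(parse_rule, acl_lines):
        if proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"
```

Feed it the lines of the posted ACL and a request/reply pair to see which direction the "eq 47808" entry actually covers.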

Master468 (Commendable, Feb 25, 2016)


Not an IOS user by any means, but I have been able to do simple setups routing 2 subnets. This I seem to have working. I have bridged the 2 networks, but this is the config I am looking for. Currently looking at access-list. This is why the config is changing; I'm trying different things. Of course this also creates entries that may not be needed or desired :)

Here is my current running config:

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Tech_Lab_SW
!
enable secret 5 $1$rKmL$j68lYLedzJlK4DuDwnpQT/
enable password ############
!
!
!
!
!
ip subnet-zero
ip domain-name software
!
ip cef
ip audit notify log
ip audit po max-events 100
cns event-service server
!
!
!
!
!
process-max-time 200
!
interface FastEthernet0/0
ip address 10.222.51.235 255.255.252.0
no ip directed-broadcast
no ip mroute-cache
speed 100
full-duplex
no mop enabled
!
interface Serial0/0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no fair-queue
!
interface FastEthernet0/1
ip address 10.222.52.254 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
speed 100
no mop enabled
!
router igrp 1
redistribute connected
network 10.0.0.0
!
ip classless
ip default-network 255.255.255.255
ip forward-protocol spanning-tree any-local-broadcast
ip forward-protocol turbo-flood
ip forward-protocol udp 47808
ip http server
!
access-list 101 permit udp 10.222.48.0 0.0.3.255 any eq 47808
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
bridge 1 protocol dec
bridge 1 address 0010.0222.0051 forward FastEthernet0/1
bridge 1 address 0010.0222.0053 forward FastEthernet0/1
!
line con 0
transport input none
line aux 0
line vty 0 4
password ############
login
!
!
end
 

Ralston18 (Titan, Moderator)
Thank you.

Unfortunately going out of my realm but the detail you provided may draw the attention of someone who can help directly.

However, since I am curious about things in general, especially new things, I googled a bit about access lists and C2600's.

Found this link:

https://learningnetwork.cisco.com/thread/40165

No intention to insult your intelligence or skills. Hopefully just passing on some information that may be directly helpful, or maybe lead to another train of thought.
 

Master468 (Commendable, Feb 25, 2016)


Like I said, there are lines that are not needed. I initially set up the bridge to verify the subnets could talk. I've removed the bridge group from each interface but not the group itself. I just came across the access list a few days ago, but as I only have a few moments a week to work on this I've decided to reach out to those more knowledgeable.

Does the access list look correct?
 

Master468 (Commendable, Feb 25, 2016)


Like I said, I am not an IOS person at all, so any help is appreciated. Will take a look at the link. Thanks.

 

warlord1312 (Distinguished, Jan 25, 2009)
Is this a production network? If it is maybe you want to try it in GNS first (https://www.gns3.com/)? You can simulate it there instead of playing with a live network that may cause downtime.

I have used GNS myself when doing more complicated network designs and it has been very useful.

 

Master468 (Commendable, Feb 25, 2016)


This is in a test environment, so I can configure at will without having to worry about downtime. I will still check out GNS. Thanks.
 

Master468 (Commendable, Feb 25, 2016)


Here is my current config. It should just allow UDP traffic on 47808. Investigating now as to whether the return packets will be on the same port or not. I might need to open the responses to any port, but one step at a time. I didn't state it earlier, but broadcasts must not be passed. Please let me know which "junk" lines can be removed.

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Tech_Lab_SW
!
enable secret 5 $1$rKmL$j68lYLedzJlK4DuDwnpQT/
enable password ######
!
ip subnet-zero
ip domain-name software
!
ip cef
ip audit notify log
ip audit po max-events 100
cns event-service server
!
process-max-time 200
!
interface FastEthernet0/0
ip address 10.222.51.235 255.255.252.0
ip access-group allow47808 in
ip access-group allow47808 out
no ip directed-broadcast
no ip mroute-cache
speed 100
full-duplex
no mop enabled
!
interface Serial0/0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no fair-queue
!
interface FastEthernet0/1
ip address 10.222.52.254 255.255.255.0
ip access-group allow47808 in
ip access-group allow47808 out
no ip directed-broadcast
no ip mroute-cache
speed 100
no mop enabled
!
router igrp 1
redistribute connected
network 10.0.0.0
!
ip classless
ip default-network 255.255.255.255
ip forward-protocol spanning-tree any-local-broadcast
ip forward-protocol turbo-flood
ip forward-protocol udp 47808
ip http server
!
!
ip access-list extended allow47808
permit udp any any eq 47808
deny ip any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password ######
login
!
!
end


 
Assuming you have no other interfaces and you do not want to block traffic to the router itself you can use a single access list applied to a single interface to accomplish what you want. It depends what port the devices actually use you are apply the port only to the destination address but you can apply it to both destination and source in a single statement if the port is the same on both.

I would do a erase nvram and reboot and put your config back in clean. There will be a little junk the router puts in and you can ignore that but I have no idea where you got the dialer list and forward protocol stuff.
 
Solution
Status
Not open for further replies.