Cisco Routers for the Small Business


A Practical Guide for IT Professionals.

Cisco Routers for the Small Business provides in plain English a no-nonsense approach to setting up all the features of the Cisco IOS for a small business using broadband technologies. This book explains how to use a Cisco router to setup cable modems, DSL and PPPoE, and explains how to configure NAT, Access Control Lists, Firewalls, DMZs and an IPSec VPN between two sites using advanced encryption. The chapters are tutorial based and provide easy to follow, step-by-step instructions for all tasks that small businesses need to perform using a router. Easy-to-implement example configurations are included in the appendices.

Here are some additional tips and tricks:


After setting the clock on your router, use the following commands to ensure it records accurate date and time information about the events in its log.

Router> enable
Router# config t
Router(config)# service timestamps debug datetime msec
Router(config)# service timestamps log datetime localtime

Execute privileged EXEC commands from any router configuration mode by preceding the command with a "do" modifier. Here's an example:

Router> enable
Router# config t
Router(config)# do show run

If you want your router to maintain accurate time, even after a reset, all you have to do is synchronize it with an Internet time server.

Start by setting your local timezone information. Here's an example for Alaska which has a -9 hour offset from GMT.

Router> enable
Router# config t
Router(config)# clock timezone AKST -9
Router(config)# clock summer-time AKDT recurring


Next, modify your firewall ACL to allow the Network Time Protocol (NTP). You will want to add the following rule to the ACL that you have applied to your router's WAN interface. In Cisco Routers for the Small Business, this ACL is named IPFW-ACL.

permit udp any any eq ntp

Finally, configure either the Simple Network Time Protocol (SNTP) or the Network Time Protocol (NTP) to use an Internet time server (low-end routers support only SNTP). You may also want to use more than one time server for redundancy. Here's how to set your time server to "time.nist.gov."

Router(config)# sntp server time.nist.gov
Translating "time.nist.gov"...domain server (4.2.2.2) [OK]

Router(config)# do show run
!
sntp server 67.222.36.113

Router(config)# do show clock

11:34:09.096 AKST Sun Dec 14 2008


The Cisco IOS provides a UNIX grep-like command. The command is "include" and it looks like this: show {command} | include {regular-expression}. Note: you must provide a space before and after the pipe (|) symbol.

Router# show run | include clock

clock timezone AKST -9
clock summer-time AKDT recurring

Check this out! Similar to the include command, you can also use a section command to see the entire section of code from your IOS configuration.

Router# show run | section include FastEthernet4

interface FastEthernet4
 description WAN Interface to ISPI network
 ip address 66.238.5.254 255.255.255.0
 ip access-group IPFW-ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect IPFW out
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map CORP-VPN

If you have ever wondered what the escape sequence is to abort a ping or traceroute command on a router, then you're not alone.

Here's the scenario: Let's say you're performing some tests on your network and you use an advanced ping, selecting one thousand packets instead of the default value of five, and you accidentally ping the wrong IP address. You will now have to wait thirty minutes for the command to finish due to 1000 timeouts that take 2 seconds each! Fortunately for us, Cisco provides an escape sequence to abort the command, and it's CTRL+SHIFT+6 (twice). You have to issue the sequence two times in a row on the router. Here's an example:

Router# ping
Protocol [ip]:
Target IP address: 192.168.1.56
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.1.56, timeout is 2 seconds:
....... {CTRL-SHIFT+6 CTRL+SHIFT+6}
Success rate is 0 percent (0/7)

Keeping your Access Control Lists small is one of the many goals you should have as a router administrator. This allows the necessary ACL rules to be processed as fast as possible, making your router run more efficiently.

Here's a tip for a more efficient way to allow outbound ping and traceroute from your router. First REMOVE this bit of code from your WAN port's inbound Access Control List (e.g. the ACL named IPFW-ACL used throughout the book):

ip access-list extended IPFW-ACL
   permit icmp any any administratively-prohibited
   permit icmp any any echo-reply
   permit icmp any any packet-too-big
   permit icmp any any time-exceeded
   permit icmp any any traceroute


And ADD this CBAC firewall code to your WAN interface's existing firewall (e.g. the CBAC firewall named IPFW used throughout the book):


ip inspect name IPFW tcp router-traffic
ip inspect name IPFW udp router-traffic
ip inspect name IPFW icmp router-traffic


This code allows your CBAC firewall to track router-sourced ICMP packets to the Internet and back in through the firewall on your WAN interface. The net effect of these commands is that the router will now inspect its own traffic.

Note: The firewall code should be placed outbound on your router's WAN interface, as in the following example for a Cisco 851 router:

Router> enable
Router# config t
Router(config)# interface fa4
Router(config-if)# ip inspect IPFW out
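The two tips above go together nicely when you work from a saved copy of the running configuration: the first shows how the "include" and "section" filters pick lines out of the config, and the second describes a change (ICMP permits removed from IPFW-ACL, router-traffic inspection added to IPFW, IPFW applied outbound on the WAN port) that you will want to verify after the fact. The Python script below is an added example, not code from the book or from Cisco. It reimplements the two filters over a config file saved with "show run" and then uses them to check that the ACL/CBAC change was applied. The sample config is constructed for this example (the 192.0.2.x addresses are documentation addresses); only the names IPFW-ACL, IPFW and FastEthernet4 come from the text. The "section" filter here approximates IOS behaviour by treating an unindented line plus the indented lines under it as one section.

```python
"""Offline equivalents of `show run | include` and `show run | section`,
plus a check that the ACL/CBAC router-traffic change has been applied.
Added example; assumes a running config saved as plain text."""
import re

# Constructed sample config (not a real device's output). Names follow the
# book: ACL IPFW-ACL, CBAC firewall IPFW, WAN port FastEthernet4.
SAMPLE_CONFIG = """\
!
clock timezone AKST -9
clock summer-time AKDT recurring
!
ip inspect name IPFW tcp router-traffic
ip inspect name IPFW udp router-traffic
ip inspect name IPFW icmp router-traffic
!
interface FastEthernet4
 description WAN Interface
 ip address 192.0.2.2 255.255.255.0
 ip access-group IPFW-ACL in
 ip inspect IPFW out
 ip nat outside
!
ip access-list extended IPFW-ACL
 permit udp any any eq ntp
 permit icmp any any echo-reply
 deny ip any any log
!
sntp server 192.0.2.10
"""

# The per-ICMP-type permits the tip says to remove once CBAC inspects
# router-sourced traffic.
STALE_ICMP_TYPES = {"administratively-prohibited", "echo-reply",
                    "packet-too-big", "time-exceeded", "traceroute"}


def include(config, pattern):
    """Like `show run | include <regex>`: every line matching the regex."""
    rx = re.compile(pattern)
    return [line for line in config.splitlines() if rx.search(line)]


def sections(config):
    """Split the config into blocks: an unindented line followed by the
    lines IOS indents beneath it (one leading space)."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1].append(line)
        else:
            blocks.append([line])
    return blocks


def section(config, pattern):
    """Like `show run | section <regex>`: every block in which any line
    matches, returned whole (header line included)."""
    rx = re.compile(pattern)
    out = []
    for block in sections(config):
        if any(rx.search(line) for line in block):
            out.extend(block)
    return out


def audit_router_traffic(config, acl="IPFW-ACL", fw="IPFW", wan="FastEthernet4"):
    """Return a list of findings; empty means the change is fully applied:
    no stale ICMP permits in the ACL, all three router-traffic inspect
    lines present, and the firewall applied outbound on the WAN port."""
    findings = []
    for line in section(config, rf"^ip access-list extended {re.escape(acl)}$"):
        m = re.match(r"\s*permit icmp any any (\S+)$", line)
        if m and m.group(1) in STALE_ICMP_TYPES:
            findings.append(f"{acl}: stale rule '{line.strip()}' can be removed")
    for proto in ("tcp", "udp", "icmp"):
        if not include(config, rf"^ip inspect name {re.escape(fw)} {proto} router-traffic$"):
            findings.append(f"{fw}: missing 'ip inspect name {fw} {proto} router-traffic'")
    if f" ip inspect {fw} out" not in section(config, rf"^interface {re.escape(wan)}$"):
        findings.append(f"{wan}: 'ip inspect {fw} out' is not applied outbound")
    return findings


if __name__ == "__main__":
    print("\n".join(include(SAMPLE_CONFIG, "clock")))
    print("\n".join(section(SAMPLE_CONFIG, "FastEthernet4")))
    for finding in audit_router_traffic(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the sample config the audit reports one finding, the leftover "permit icmp any any echo-reply" in IPFW-ACL; once that line is removed the audit comes back clean. To run it against your own router, save the output of "show run" to a file and pass its contents to the same functions.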