Access-lists are not just used on interfaces for filtering traffic. They are used to define traffic that will be processed in a certain way. In this configuration is is used to define the IP addresses that we will NAT when sending traffic out to the Internet.

It is used in the line

ip nat inside source list 100 interface FastEthernet0/1 overload

This allows all your LAN traffic to use the Internet, and the source address is translated to the IP address of the FastEthernet0/1 interface, which is the IP address you get from the Internet Service Provider.

I have a question about the router command you helped me with

!
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
!

Why do i need to have this access list if it there is no interface attach to it … can you help me with this.

thanks

To harden the router you can try the following. I presume that the other site uses 192.168.14.0 so I added this to access list 1 to allow you to manage this router from there. If it is not right, or there are other subnets, add them to access list 1 in the same way as these others.

To harden the router you can try the following.

!
service tcp-keepalive-in
service tcp-keepalive-out
no ip source-route
no http server
!
access-list 1 permit 192.168.14.0 0.0.0.255
access-list 1 permit 192.168.15.0 0.0.0.255
access-list 1 permit 192.168.16.0 0.0.0.255
!
line vty 0 15
access-class 1 in
!
ip access-list extended Internet-In
deny ip any 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 any
permit icmp any any echo-reply
deny icmp any any
permit ip any any
!
interface FastEthernet0/1
ip access-group Internet-In in
!

Now the above are no substitute for a firewall, but may help to mitigate some types of attack. They are probably good practice, and should not stop any legitimate traffic, but may prevent some unwanted stuff from the Internet. Of course, if you suddenly find things don’t work, undo the commands, by either adding ‘no’ or removing the ‘no’ if it has one already !

I hope this helps.

Here is what i have on the Cisco1841 Router
sh conf
Using 1440 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxx1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret
!
no aaa new-model
!
resource policy
!
clock timezone
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
no ip domain lookup
ip domain name xxxx
!
interface FastEthernet0/0
description xxxx Ave LAN
ip address 192.168.16.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description ** Link to Cable Modem **
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface Serial0/0/0
description T1 to xxxx_host
ip address 192.168.15.2 255.255.255.0
!
router eigrp 10
network 192.168.15.0
network 192.168.16.0
no auto-summary
!
ip classless
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet0/1 overload
!
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
!
control-plane
!
line con 0
exec-timeout 5 0
password
login
line aux 0
line vty 0 4
password
login
transport input telnet
line vty 5 15
password
login
transport input telnet
!
end

Do the command

no ip http server

Don’t for get to save the config with a ‘wr’ command. You can also remove the config you posted so we could work on this issue !

You may want to change the IOS for the firewall version, although I think for about the same cost you can buy a ASA5505 which is a ‘real’ firewall ! Probably worth checking the prices local to you. There are other firewalls, and some do say that they do virus checks on the data passing through, how true that is I am not sure. Most will do a reasonable job, but one of the advantages of using NAT is that it hides your network from the Internet, as the router cannot allow connections to initiate from the Internet in, only from your network out.

You must make sure that all of the PCs have up to date virus checking software on them, and are running a personal firewall.

One thing you must also do is protect the router from login attempts from the Internet. You didn’t copy that part of the config, so I am not sure if this is in place already. You need to create an access list to only allow your local networks, and apply it as an access-class to the virtual terminal lines that are used for telnet.

access-list 1 permit 192.168.15.0 0.0.0.255
access-list 1 permit 192.168.16.0 0.0.0.255

line vty 0 4
access-class 1 in

That should give some food for thought. The main vulnerability are the PCs, if those have virus check, and the usual firewall, you are fairly well protected already. More layers of protection are good, as any attack has to overcome each one, and thereby lessens the possibility.

If you have any more questions on this, please again feel free to ask, either here or in a new question.

Best Regards,

Reg

You are a life savr. I did add the command you gave me and i didn’t have to add an ip route. It works great. The only concern i have is that internet is not firewalled. Do you recommend anything on that i can use to make sure that group don’t bring down anything unusual from the web.

Thanks a million, you are a GENIUS.

The commands above are in addition to those already there. Just add these and the nat will work. You still need the IP address command and the descripton, speed and duplex for the interface to work correctly, but you don’t need to do anything to keep these.

I hope that is clearer ?

description abc
ip address 192.168.16.x 255.255.255.0
duplex auto
speed auto

you mention to add this
interface FastEsthernet 0/0
ip nat inside

so i don’t need the ip address 192.168.16.x 255.255.255.0 anymore. please confirm

thanks