Posts Tagged Cisco

Cisco IOS Port forward Range

Port forwarding on Cisco IOS devices can be a bit tricky, but here is an easy way to do it.

192.168.59.10 is the server you want to port forward to. (It appears twice in the NAT pool, as both the start and end address, so the pool contains only that one host.)

ip nat pool POOL1 192.168.59.10 192.168.59.10 netmask 255.255.255.0 type rotary
ip nat inside destination list VOIP pool POOL1
!
ip access-list extended VOIP
permit tcp any any eq 5060
permit udp any any eq 5060
permit tcp any any range 10000 15000
permit udp any any range 10000 15000

Posted in: Blog


Cisco Router Security

Cisco routers are cool, but I have been finding a few issues with DDoS attacks of late, mainly DNS and NTP.

DNS DDoS

access-list 153 remark Block DOS DNS
access-list 153 permit ip host 202.62.147.50 any
access-list 153 deny tcp any any eq domain
access-list 153 deny udp any any eq domain
access-list 153 permit ip any any

Replace 202.62.147.50 with the DNS server you are using.

Then apply it inbound on your dialer interface (Dialer0 here):

!
interface Dialer0
ip access-group 153 in


NTP DDoS


! Core NTP configuration
ntp update-calendar             ! update hardware clock (certain hardware only, i.e. 6509s)
ntp server 192.0.2.1            ! a time server you sync with
ntp peer   192.0.2.2            ! a time server you sync with and allow to sync to you
ntp source Loopback0            ! we recommend using a loopback interface for sending NTP messages if possible
!
! NTP access control
ntp access-group query-only 1   ! deny all NTP control queries
ntp access-group serve 1        ! deny all NTP time and control queries by default
ntp access-group peer 10        ! permit time sync to configured peer(s)/server(s) only
ntp access-group serve-only 20  ! permit NTP time sync requests from a select set of clients
!
! access control lists (ACLs)
access-list 1 remark utility ACL to block everything
access-list 1 deny any
!
access-list 10 remark NTP peers/servers we sync to/with
access-list 10 permit 192.0.2.1
access-list 10 permit 192.0.2.2
access-list 10 deny any
!
access-list 20 remark Hosts/Networks we allow to get time from us
access-list 20 permit 192.0.2.0 0.0.0.255
access-list 20 deny any

Taken from http://www.team-cymru.org/secure-ntp-template.html
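The two filters in this post (ACL 153 applied inbound on the dialer, and the ntp access-group lines of the Team Cymru template) are easy to misread, so here is a small evaluator for them. It is an added example, not code from the original post or from Team Cymru: it interprets only the subset of IOS ACL syntax the two snippets use and reports what each ACL does with a given packet. The 203.0.113.x and 198.51.100.x addresses are constructed test values; everything else comes from the config above.

```python
"""Offline evaluator for the IOS numbered ACLs on this page (added example,
not code from the original posts). Covers the subset of ACL syntax used by
the DNS filter (extended ACL 153) and the NTP template (standard ACLs 1, 10,
20). Addresses not taken from the page are constructed test values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACL lines from the two posts, as pasted into the configuration.
ACL_CONFIG = """
access-list 153 remark Block DOS DNS
access-list 153 permit ip host 202.62.147.50 any
access-list 153 deny tcp any any eq domain
access-list 153 deny udp any any eq domain
access-list 153 permit ip any any
access-list 1 deny any
access-list 10 permit 192.0.2.1
access-list 10 permit 192.0.2.2
access-list 10 deny any
access-list 20 permit 192.0.2.0 0.0.0.255
access-list 20 deny any
"""

PORT_NAMES = {"domain": 53, "ntp": 123}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with an all-ones wildcard mask matches every address

@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp" ("ip" for standard ACLs)
    src: tuple            # (address as int, wildcard mask as int)
    dst: tuple
    dport: Optional[int]  # destination port from "eq", None = any port

def parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' | 'A' (standard-ACL host shorthand)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return (addr, int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2
    return (addr, 0), i + 1

def parse_acls(text):
    """Group entries by ACL number in configuration order (first match wins)."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "access-list" or t[2] == "remark":
            continue
        num, action = int(t[1]), t[2]
        if num <= 99:                    # standard ACL: source address only
            src, _ = parse_addr(t, 3)
            entry = Entry(action, "ip", src, ANY, None)
        else:                            # extended ACL: proto src dst [eq port]
            src, i = parse_addr(t, 4)
            dst, i = parse_addr(t, i)
            dport = None
            if i + 1 < len(t) and t[i] == "eq":
                p = t[i + 1]
                dport = int(p) if p.isdigit() else PORT_NAMES[p]
            entry = Entry(action, t[3], src, dst, dport)
        acls.setdefault(num, []).append(entry)
    return acls

def addr_match(rule, ip):
    """Wildcard-mask match: bits set in the mask are 'don't care' bits."""
    net, wild = rule
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the ACL top-down; IOS ends every ACL with an implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if addr_match(e.src, src) and addr_match(e.dst, dst):
            return e.action
    return "deny"

# The ntp access-group lines of the template, in the order IOS evaluates them.
NTP_ACCESS_GROUPS = [("peer", 10), ("serve", 1), ("serve-only", 20), ("query-only", 1)]

def ntp_access(acls, src):
    """Access class IOS grants an NTP packet from src: the first group whose
    ACL permits the source wins; if none does, the packet is dropped."""
    for group, num in NTP_ACCESS_GROUPS:
        if evaluate(acls[num], "udp", src, "0.0.0.0") == "permit":
            return group
    return "none"

if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    # Inbound on Dialer0: an Internet host querying port 53 is dropped (deny),
    # a reply from the configured resolver and web traffic pass (permit).
    print(evaluate(acls[153], "udp", "203.0.113.9", "198.51.100.1", 53))
    print(evaluate(acls[153], "udp", "202.62.147.50", "198.51.100.1", 53))
    print(evaluate(acls[153], "tcp", "203.0.113.9", "198.51.100.1", 443))
    print(ntp_access(acls, "192.0.2.1"), ntp_access(acls, "192.0.2.50"), ntp_access(acls, "203.0.113.7"))
```

Two points the evaluator makes visible. The `eq domain` in ACL 153 is a destination-port match, so it drops queries arriving from the Internet (which is what stops the router or a NATed host being used as an open resolver) while replies to the router's own lookups, which arrive with an ephemeral destination port, still pass. For NTP, IOS walks the access groups in the order peer, serve, serve-only, query-only and stops at the first ACL that permits the source: 192.0.2.1 gets full peer access, a host in 192.0.2.0/24 can only fetch time (serve-only), and any other address is dropped because ACL 1 denies everything.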

Posted in: Blog, Technical


Linksys / Cisco Dial Plans

Just a quick post. I put in an SRP527W for a customer that is using the AT for cordless phones.

To make the phone dial quicker, I changed the dial plan to

(*xxS0|000S0|<:03>[4689]xxxxxxxS0|13[1-9]xxxS0|1300xxxxxxS0|1800xxxxxxS0|0[2478]xxxxxxxxS0|0011xxxxxx.|09xxxxxxS0)

It also adds a 03 prefix to local numbers (for the SIP providers that need it).

Posted in: Blog
