
SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.1 - 2013.04.13 1200

a guest
Apr 13th, 2013
!
! SOHO ROUTER CONFIG TEMPLATE v0.1.1 - 2013.04.13 12:30 CET
!
!   Change the default username mgmt; password mgmt; enable mgmt
!
! Features:
!
! +ZBFW - quite default
! +LAN DHCP (DNS=Google) + ARP hardening
! +ControlPlane policing
! +Only incoming SSHv2 allowed
! +IP SLA + tracker + Event Manager Applets monitor Internet connection (generate SYSLOG message if fail)
! +NTP sync for proper SYSLOG message timestamps
! +To check the traffic flow on the router:
!  -Netflow configured with top talkers
!  -IP accounting configured
!  -IP MAC accounting configured
!  -IP NBAR protocol discovery configured
!
! Network:
! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254]
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname SOHOROUTER
boot-start-marker
boot-end-marker
logging buffered 512000
enable secret 5 $1$vOvr$/GFbYa081OyyeaSFP0v/C0
aaa new-model
aaa authentication login default local-case enable
aaa authentication login console line enable none
aaa authentication enable default enable
aaa authorization exec default local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp pool LAN
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8
   lease 0 1
   update arp
ip name-server 8.8.8.8
login block-for 300 attempts 3 within 60
multilink bundle-name authenticated
!
parameter-map type inspect AGAINST_DOS
 max-incomplete low  2500
 max-incomplete high 3000
 one-minute low 5000
 one-minute high 5000
 tcp max-incomplete host 300 block-time 0
 sessions maximum 20000
username mgmt privilege 15 secret 5 $1$KWL7$PcIDMRcRXAemWgJZ/HTvS1
archive
 log config
  hidekeys
ip tcp synwait-time 5
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
track 1 rtr 1
track 2 rtr 2
class-map type inspect match-any inspect-LAN-to-PUBLIC
 match protocol cuseeme
 match protocol ftp
 match protocol h323
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol tcp
 match protocol udp
 match protocol vdolive
 match protocol icmp
 match protocol dns
 match protocol imap
 match protocol imap3
 match protocol isakmp
 match protocol pop3
 match protocol sip
 match protocol ssh
 match protocol telnet
 match protocol pptp
 match protocol smtp
 match access-group name LAN
class-map match-all CoPP_traffic
 match access-group name CoPP_traffic
class-map type inspect match-any PUBLIC-to-LAN
 match access-group name WAN_hardening
class-map type inspect match-any LAN-to-PUBLIC
 match access-group name LAN
policy-map type inspect LAN-to-PUBLIC
 class type inspect inspect-LAN-to-PUBLIC
  inspect AGAINST_DOS
 class class-default
  drop
policy-map type inspect PUBLIC-to-LAN
 class type inspect PUBLIC-to-LAN
  pass
 class class-default
  drop
policy-map CoPP_policy
 class CoPP_traffic
   police cir 32000
     conform-action transmit
     exceed-action drop
zone security LAN
 description LAN
zone security PUBLIC
 description PUBLIC
zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
 description source LAN destination PUBLIC
 service-policy type inspect LAN-to-PUBLIC
zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN
 description source PUBLIC destination LAN
 service-policy type inspect PUBLIC-to-LAN
interface FastEthernet0/0
 description WAN
 ip address 172.16.0.100 255.255.255.0
 ip access-group no_LAN_IP_from_WAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 zone-member security PUBLIC
 ip route-cache flow
 duplex auto
 speed auto
interface FastEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group LAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip route-cache flow
 duplex auto
 speed auto
 arp probe interval 10 count 3
 arp authorized
 arp timeout 3600
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3600000
no ip http server
no ip http secure-server
ip nat inside source list LAN interface FastEthernet0/0 overload
ip access-list extended CoPP_traffic
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit icmp any any
ip access-list extended LAN
 remark LAN addresses allowed
 permit ip 10.10.10.0 0.0.0.255 any
 remark DHCP requests allowed
 permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc
! Traffic matching WAN_hardening is handled with "pass" in PUBLIC-to-LAN, i.e. it is
! not inspected; note that "permit udp any eq domain any" admits any UDP packet whose
! source port is 53, not only replies to queries the LAN sent.
ip access-list extended WAN_hardening
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 permit udp any any eq bootpc
 permit udp any eq domain any
 deny   ip any any
ip access-list extended no_LAN_IP_from_WAN
 remark No LAN IPs from the WAN allowed
 deny   ip 10.10.10.0 0.0.0.255 any
 remark No private IPs from the WAN allowed
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Link-local is 169.254.0.0/16 only; the rest of 169/8 is public address space
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip host 255.255.255.255 any
 remark The rest will be checked by Zone Based Firewall
 permit ip any any
ip sla 1
 icmp-echo 8.8.8.8
 frequency 30
ip sla 2
 dns ntp.ubuntu.com name-server 8.8.8.8
 frequency 30
! Without a schedule the probes never run, so track 1/2 never change state and the
! EEM applets below never fire
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
no cdp run
control-plane
 service-policy input CoPP_policy
! The "console" method list defined above is not applied here, so line con 0
! authenticates with the default list (local-case, then enable); the line
! password below is therefore unused
line con 0
 exec-timeout 0 0
 privilege level 15
 password 7 15050A1F007B797768
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 exec-timeout 5 0
 password 7 15050A1F007B797768
 transport input ssh
 transport output all
ntp clock-period 17179978
ntp server 91.189.94.4
event manager applet Internet_access_tracker_1_down
 event track 1 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_2_down
 event track 2 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_1_up
 event track 1 state up
 action 1.0 syslog msg "Internet access came back or utilisation fell back"
event manager applet Internet_access_tracker_2_up
 event track 2 state up
 action 1.0 syslog msg "Internet access came back or utilisation fell back"
end
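As an added example (not part of the original paste), a small Python audit that parses an IOS configuration in this template's syntax and checks the hardening items the header claims: SSHv2-only vty access, HTTP servers off, CoPP applied to the control plane, every zone-pair carrying an inspect policy, and every "ip sla" entry actually scheduled. The sample configuration is a constructed excerpt of the template, and the check names are my own.

```python
import re

# Constructed sample in the template's syntax; "ip sla schedule 2" is deliberately omitted so that check fails.
SAMPLE_CONFIG = """\
ip ssh version 2
no ip http server
no ip http secure-server
zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
 service-policy type inspect LAN-to-PUBLIC
zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN
 service-policy type inspect PUBLIC-to-LAN
ip sla 1
 icmp-echo 8.8.8.8
ip sla schedule 1 life forever start-time now
ip sla 2
 dns ntp.ubuntu.com name-server 8.8.8.8
control-plane
 service-policy input CoPP_policy
line vty 0 4
 transport input ssh
"""

def parse_blocks(config):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and "!" comments carry no configuration
        if not line.startswith(" "):
            current = line.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit(config):
    """Return {check: passed} for the hardening items the template header claims."""
    b = parse_blocks(config)
    top = set(b)
    vtys = [k for k in top if k.startswith("line vty")]
    pairs = [k for k in top if k.startswith("zone-pair security")]
    slas = {k.split()[2] for k in top if re.fullmatch(r"ip sla \d+", k)}
    scheduled = {k.split()[3] for k in top if k.startswith("ip sla schedule ")}
    return {
        "ssh_v2": "ip ssh version 2" in top,
        "no_http": {"no ip http server", "no ip http secure-server"} <= top,
        "copp_applied": any(l.startswith("service-policy input") for l in b.get("control-plane", [])),
        "vty_ssh_only": bool(vtys) and all("transport input ssh" in b[k] for k in vtys),
        # a zone-pair with no inspect policy is not filtering anything
        "zone_pairs_policed": bool(pairs) and all(any(l.startswith("service-policy type inspect") for l in b[k]) for k in pairs),
        # an IP SLA that is never scheduled never probes, so its tracker and EEM applets stay silent
        "sla_scheduled": bool(slas) and slas <= scheduled,
    }
```

Feed it the text of "show running-config" from a deployed router to see which template guarantees the live box has drifted away from.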