View difference between Paste ID: mpf8wL72 and rdCcqgFy
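--- a/mpf8wL72
+++ b/rdCcqgFy
@@ -1,315 +1,315 @@
 !
-!   SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1330 CET
+!   SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1400 CET
 !
 !   by Crok
 !
 !   Change the default username mgmt; password mgmt; enable mgmt
 !
-    username mgmt privilege 15 secret 5 $1$KWL7$PcIDMRcRXAemWgJZ/HTvS1
+    username mgmt privilege 15 secret mgmt
-    enable secret 5 $1$vOvr$/GFbYa081OyyeaSFP0v/C0
+    enable secret mgmt
 !
 !
-! Features:
+!   Features:
 !
 ! +ZBFW - quite default
 ! +LAN DHCP (DNS=Google) + ARP hardening (after router restart clients must renegotiate IP address via DHCP!)
 ! +ControlPlane policing
 ! +Only incoming SSHv2 allowed
 ! +IP SLA + tracker + Event Manager Applets monitor Internet connection (generate SYSLOG message if fail)
 ! +NTP sync for proper SYSLOG message timestamps
 ! +To check the traffic flow on the router:
 !  -Netflow configured with top talkers
 !  -IP accounting configured
 !  -IP MAC accounting configured
 !  -IP NBAR protocol discovery configured
 !
 ! Network:
 ! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254]
 !
 ! Copy from the top, including the username and enable config
 crypto key generate rsa label SSH modulus 2048
 service timestamps debug datetime msec
 service timestamps log datetime msec
 service password-encryption
 hostname SOHOROUTER
 boot-start-marker
 boot-end-marker
 logging buffered 512000
 aaa new-model
 aaa authentication login default local-case enable
 aaa authentication login console line enable none
 aaa authentication enable default enable
 aaa authorization exec default local
 aaa session-id common
 memory-size iomem 5
 no ip icmp rate-limit unreachable
 ip cef
 no ip dhcp use vrf connected
 ip dhcp excluded-address 10.10.10.1 10.10.10.99
 ip dhcp pool LAN
    network 10.10.10.0 255.255.255.0
    default-router 10.10.10.1
    dns-server 8.8.8.8
    lease 0 1
    update arp
 ip name-server 8.8.8.8
 login block-for 300 attempts 3 within 60
 multilink bundle-name authenticated
 parameter-map type inspect AGAINST_DOS
  max-incomplete low  2500
  max-incomplete high 3000
  one-minute low 5000
  one-minute high 5000
  tcp max-incomplete host 300 block-time 0
  sessions maximum 20000
-archive
+
- log config
+
-  hidekeys
+
 ip ssh version 2
 !
 ! and stop here - then paste to the router
 ! ----------------------------------------
 ! Copy from here
 track 1 rtr 1
 track 2 rtr 2
 class-map type inspect match-any inspect-LAN-to-PUBLIC
  match protocol http
  match protocol bittorrent
  match protocol ddns-v3
  match protocol directconnect
  match protocol edonkey
  match protocol ftps
  match protocol ftp
  match protocol gnutella
  match protocol https
  match protocol ica
  match protocol icabrowser
  match protocol icmp
  match protocol ipsec-msft
  match protocol irc
  match protocol ircs
  match protocol isakmp
  match protocol kazaa2
  match protocol kerberos
  match protocol l2tp
  match protocol login
  match protocol mgcp
  match protocol ms-sql
  match protocol ms-sna
  match protocol ms-sql-m
  match protocol mysql
  match protocol netshow
  match protocol netstat
  match protocol nfs
  match protocol ntp
  match protocol oracle
  match protocol oracle-em-vp
  match protocol oraclenames
  match protocol rtsp
  match protocol shell
  match protocol cuseeme
  match protocol h323
  match protocol shell
  match protocol realmedia
  match protocol rtsp
  match protocol sql-net
  match protocol streamworks
  match protocol tftp
  match protocol tcp
  match protocol udp
  match protocol vdolive
  match protocol icmp
  match protocol dns
  match protocol imap
  match protocol imap3
  match protocol isakmp
  match protocol pop3
  match protocol sip
  match protocol sip-tls
  match protocol skinny
  match protocol ssh
  match protocol telnet
  match protocol pptp
  match protocol smtp
  match protocol snmp
  match protocol snmptrap
  match protocol sql-net
  match protocol sqlserv
  match protocol sqlsrv 
  match protocol sshell
  match protocol socks
  match protocol stun
  match protocol uucp
  match protocol syslog
  match protocol syslog-conn
  match protocol telnets
  match protocol telnet
  match protocol x11
  match protocol ymsgr
  match access-group name LAN
 class-map match-all CoPP_traffic
  match access-group name CoPP_traffic
 class-map type inspect match-any PUBLIC-to-LAN
  match access-group name WAN_hardening
 class-map type inspect match-any LAN-to-PUBLIC
  match access-group name LAN
 policy-map type inspect LAN-to-PUBLIC
  class type inspect inspect-LAN-to-PUBLIC
   inspect AGAINST_DOS
  class class-default
   drop
 policy-map type inspect PUBLIC-to-LAN
  class type inspect PUBLIC-to-LAN
   pass
  class class-default
   drop
 !
 ! and stop here - then paste to the router
 ! ----------------------------------------
 ! Copy from here
 policy-map CoPP_policy
  class CoPP_traffic
    police cir 32000
      conform-action transmit
      exceed-action drop
 zone security LAN
  description LAN
 zone security PUBLIC
  description PUBLIC
 zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
  description source LAN destination PUBLIC
  service-policy type inspect LAN-to-PUBLIC
 zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN
  description source PUBLIC destination LAN
  service-policy type inspect PUBLIC-to-LAN
 interface FastEthernet0/0
  description WAN
  ip address 172.16.0.100 255.255.255.0
  ip access-group no_LAN_IP_from_WAN in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip accounting output-packets
  ip accounting mac-address input
  ip accounting mac-address output
  ip nbar protocol-discovery
  ip nat outside
  ip virtual-reassembly
  zone-member security PUBLIC
  ip route-cache flow
  duplex auto
  speed auto
  no shut
 interface FastEthernet0/1
  description LAN
  ip address 10.10.10.1 255.255.255.0
  ip access-group LAN in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip accounting output-packets
  ip accounting mac-address input
  ip accounting mac-address output
  ip nbar protocol-discovery
  ip nat inside
  ip virtual-reassembly
  zone-member security LAN
  ip route-cache flow
  duplex auto
  speed auto
  arp probe interval 10 count 3
  arp authorized
  arp timeout 3600
  no shut
 ip forward-protocol nd
 ip route 0.0.0.0 0.0.0.0 172.16.0.1
 ip flow-top-talkers
  top 20
  sort-by bytes
  cache-timeout 3600000
 no ip http server
 no ip http secure-server
 ip nat inside source list LAN interface FastEthernet0/0 overload
 ip access-list extended CoPP_traffic
  permit tcp any any eq telnet
  permit tcp any any eq 22
  permit icmp any any
 ip access-list extended LAN
  remark LAN addresses allowed
  permit ip 10.10.10.0 0.0.0.255 any
  remark DHCP requests allowed
  permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc
 !
 ! and stop here - then paste to the router
 ! ----------------------------------------
 ! Copy from here
 ip access-list extended WAN_hardening
  permit gre any any
  permit esp any any
  permit udp any any eq isakmp
  permit udp any any eq non500-isakmp
  permit icmp any any unreachable
  permit icmp any any echo-reply
-end
+
  permit icmp any any time-exceeded
  permit icmp any any traceroute
  permit icmp any any administratively-prohibited
  permit udp any any eq bootpc
  permit udp any eq domain any
  deny   ip any any
 ip access-list extended no_LAN_IP_from_WAN
  remark No LAN IPs from the WAN allowed
  deny   ip 10.10.10.0 0.0.0.255 any
  remark No private IPs from the WAN allowed
  deny   ip 0.0.0.0 0.255.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 169.0.0.0 0.255.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 224.0.0.0 15.255.255.255 any
  deny   ip host 255.255.255.255 any
  remark The rest will be checked by Zone Based Firewall
  permit ip any any
 ip sla 1
  icmp-echo 8.8.8.8
  frequency 30
 ip sla schedule 1 start-time now life forever
 ip sla 2
  dns ntp.ubuntu.com name-server 8.8.8.8
  frequency 30
 ip sla schedule 2 start-time now life forever
 no cdp run
 control-plane
  service-policy input CoPP_policy
 line con 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
 line aux 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
 line vty 0 4
  exec-timeout 5 0
  transport input ssh
  transport output all
 ntp clock-period 17179978
 ntp server 91.189.94.4
 event manager applet Internet_access_tracker_1_down
  event track 1 state down
  action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
 event manager applet Internet_access_tracker_2_down
  event track 2 state down
  action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
 event manager applet Internet_access_tracker_1_up
  event track 1 state up
  action 1.0 syslog msg "Internet access came back or utilisation fell back"
 event manager applet Internet_access_tracker_2_up
  event track 2 state up
  action 1.0 syslog msg "Internet access came back or utilisation fell back"
 end
 ! Save the configuration
 wr
 !
 ! and stop here - then paste to the router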
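Review bot: New-side lines 8 and 9 replace the two hashed credentials with the literal default `secret mgmt` for both the privilege-15 local user and the enable secret; IOS will hash a `secret` on entry, but a template pasted without the edit the header asks for leaves a privilege-15 login with a guessable password, and nothing visible here limits SSH to the router's WAN address (the CoPP ACL permits tcp/22 from any and no self-zone policy is defined), so the placeholder should be hard to miss rather than a one-line header note. A remark directly above the two lines, e.g. `! CHANGE-ME: the two secrets below are placeholders - set unique values before pasting`, would make the intent explicit where the value is typed. Separately, the `archive` / `log config` / `hidekeys` stanza at lines 65-67 is replaced by three blank lines rather than deleted; since `logging enable` was never present the old stanza did not actually record config changes, so the drop is functionally harmless, but blank-line residue reads like an accident and the template would be cleaner with the lines removed or the stanza completed with `logging enable` so later changes are logged with secrets suppressed. The removal of the stray `end` at old line 253 is a correct fix, as it would have exited configuration mode in the middle of the WAN_hardening ACL.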