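--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -1,315 +1,315 @@
 !
-! SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1330 CET
+! SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1400 CET
 !
 ! by Crok
 !
 ! Change the default username mgmt; password mgmt; enable mgmt
 !
-username mgmt privilege 15 secret 5 $1$KWL7$PcIDMRcRXAemWgJZ/HTvS1
+username mgmt privilege 15 secret mgmt
-enable secret 5 $1$vOvr$/GFbYa081OyyeaSFP0v/C0
+enable secret mgmt
 !
 !
-! Features:
+! Features:
 !
 ! +ZBFW - quite default
 ! +LAN DHCP (DNS=Google) + ARP hardening (after router restart clients must renegotiate IP address via DHCP!)
 ! +ControlPlane policing
 ! +Only incoming SSHv2 allowed
 ! +IP SLA + tracker + Event Manager Applets monitor Internet connection (generate SYSLOG message if fail)
 ! +NTP sync for proper SYSLOG message timestamps
 ! +To check the traffic flow on the router:
 ! -Netflow configured with top talkers
 ! -IP accounting configured
 ! -IP MAC accounting configured
 ! -IP NBAR protocol discovery configured
 !
 ! Network:
 ! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254]
 !
 ! Copy from the top, including the username and enable config
 crypto key generate rsa label SSH modulus 2048
 service timestamps debug datetime msec
 service timestamps log datetime msec
 service password-encryption
 hostname SOHOROUTER
 boot-start-marker
 boot-end-marker
 logging buffered 512000
 aaa new-model
 aaa authentication login default local-case enable
 aaa authentication login console line enable none
 aaa authentication enable default enable
 aaa authorization exec default local
 aaa session-id common
 memory-size iomem 5
 no ip icmp rate-limit unreachable
 ip cef
 no ip dhcp use vrf connected
 ip dhcp excluded-address 10.10.10.1 10.10.10.99
 ip dhcp pool LAN
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8
 lease 0 1
 update arp
 ip name-server 8.8.8.8
 login block-for 300 attempts 3 within 60
 multilink bundle-name authenticated
 parameter-map type inspect AGAINST_DOS
 max-incomplete low 2500
 max-incomplete high 3000
 one-minute low 5000
 one-minute high 5000
 tcp max-incomplete host 300 block-time 0
 sessions maximum 20000
-archive
+
-log config
+
-hidekeys
+
 ip ssh version 2
 !
 ! and stop here - then paste to the router
 ! ----------------------------------------
 ! Copy from here
 track 1 rtr 1
 track 2 rtr 2
 class-map type inspect match-any inspect-LAN-to-PUBLIC
 match protocol http
 match protocol bittorrent
 match protocol ddns-v3
 match protocol directconnect
 match protocol edonkey
 match protocol ftps
 match protocol ftp
 match protocol gnutella
 match protocol https
 match protocol ica
 match protocol icabrowser
 match protocol icmp
 match protocol ipsec-msft
 match protocol irc
 match protocol ircs
 match protocol isakmp
 match protocol kazaa2
 match protocol kerberos
 match protocol l2tp
 match protocol login
 match protocol mgcp
 match protocol ms-sql
 match protocol ms-sna
 match protocol ms-sql-m
 match protocol mysql
 match protocol netshow
 match protocol netstat
 match protocol nfs
 match protocol ntp
 match protocol oracle
 match protocol oracle-em-vp
 match protocol oraclenames
 match protocol rtsp
 match protocol shell
 match protocol cuseeme
 match protocol h323
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol tcp
 match protocol udp
 match protocol vdolive
 match protocol icmp
 match protocol dns
 match protocol imap
 match protocol imap3
 match protocol isakmp
 match protocol pop3
 match protocol sip
 match protocol sip-tls
 match protocol skinny
 match protocol ssh
 match protocol telnet
 match protocol pptp
 match protocol smtp
 match protocol snmp
 match protocol snmptrap
 match protocol sql-net
 match protocol sqlserv
 match protocol sqlsrv
 match protocol sshell
 match protocol socks
 match protocol stun
 match protocol uucp
 match protocol syslog
 match protocol syslog-conn
 match protocol telnets
 match protocol telnet
 match protocol x11
 match protocol ymsgr
 match access-group name LAN
 class-map match-all CoPP_traffic
 match access-group name CoPP_traffic
 class-map type inspect match-any PUBLIC-to-LAN
 match access-group name WAN_hardening
 class-map type inspect match-any LAN-to-PUBLIC
 match access-group name LAN
 policy-map type inspect LAN-to-PUBLIC
 class type inspect inspect-LAN-to-PUBLIC
 inspect AGAINST_DOS
 class class-default
 drop
 policy-map type inspect PUBLIC-to-LAN
 class type inspect PUBLIC-to-LAN
 pass
 class class-default
 drop
 !
 ! and stop here - then paste to the router
 ! ----------------------------------------
 ! Copy from here
 policy-map CoPP_policy
 class CoPP_traffic
 police cir 32000
 conform-action transmit
 exceed-action drop
 zone security LAN
 description LAN
 zone security PUBLIC
 description PUBLIC
 zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
 description source LAN destination PUBLIC
 service-policy type inspect LAN-to-PUBLIC
 zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN
 description source PUBLIC destination LAN
 service-policy type inspect PUBLIC-to-LAN
 interface FastEthernet0/0
 description WAN
 ip address 172.16.0.100 255.255.255.0
 ip access-group no_LAN_IP_from_WAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 zone-member security PUBLIC
 ip route-cache flow
 duplex auto
 speed auto
 no shut
 interface FastEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group LAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip route-cache flow
 duplex auto
 speed auto
 arp probe interval 10 count 3
 arp authorized
 arp timeout 3600
 no shut
 ip forward-protocol nd
 ip route 0.0.0.0 0.0.0.0 172.16.0.1
 ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3600000
 no ip http server
 no ip http secure-server
 ip nat inside source list LAN interface FastEthernet0/0 overload
 ip access-list extended CoPP_traffic
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit icmp any any
 ip access-list extended LAN
 remark LAN addresses allowed
 permit ip 10.10.10.0 0.0.0.255 any
 remark DHCP requests allowed
 permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc
 !
 ! and stop here - then paste to the router
 ! ----------------------------------------
 ! Copy from here
 ip access-list extended WAN_hardening
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any unreachable
 permit icmp any any echo-reply
-end
+
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 permit udp any any eq bootpc
 permit udp any eq domain any
 deny ip any any
 ip access-list extended no_LAN_IP_from_WAN
 remark No LAN IPs from the WAN allowed
 deny ip 10.10.10.0 0.0.0.255 any
 remark No private IPs from the WAN allowed
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip host 255.255.255.255 any
 remark The rest will be checked by Zone Based Firewall
 permit ip any any
 ip sla 1
 icmp-echo 8.8.8.8
 frequency 30
 ip sla schedule 1 start-time now life forever
 ip sla 2
 dns ntp.ubuntu.com name-server 8.8.8.8
 frequency 30
 ip sla schedule 2 start-time now life forever
 no cdp run
 control-plane
 service-policy input CoPP_policy
 line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 line vty 0 4
 exec-timeout 5 0
 transport input ssh
 transport output all
 ntp clock-period 17179978
 ntp server 91.189.94.4
 event manager applet Internet_access_tracker_1_down
 event track 1 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
 event manager applet Internet_access_tracker_2_down
 event track 2 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
 event manager applet Internet_access_tracker_1_up
 event track 1 state up
 action 1.0 syslog msg "Internet access came back or utilisation fell back"
 event manager applet Internet_access_tracker_2_up
 event track 2 state up
 action 1.0 syslog msg "Internet access came back or utilisation fell back"
 end
 ! Save the configuration
 wr
 !
 ! and stop here - then paste to the router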
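Review bot: The new `username mgmt privilege 15 secret mgmt` and `enable secret mgmt` (old lines 8-9) leave the template's only account with the same short word as username, password and enable secret; the comment on line 6 asks the reader to change them, but nothing prevents an unedited paste, and `line vty 0 4` carries no `access-class`, so an unchanged default would be accepted on any interface the router answers SSH on (`login block-for` only slows guessing). A clearly non-functional placeholder such as `secret CHANGE_ME` on both lines, together with an `access-class` on the vty lines restricting sources to the LAN, would make the template safe to paste as-is. Dropping `archive` / `log config` / `hidekeys` (old lines 65-67) also removes the configuration-change logging block; if that logging was the intent, it appears to have needed `logging enable` under `archive` / `log config` to take effect, so reinstating the block with `logging enable` and `hidekeys` would keep a change audit trail without recording secrets.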