SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1400
Posted by a guest, Apr 13th, 2013

!
!   SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1400 CET
!
!   by Crok
!
!   Change the default username (mgmt), its secret (mgmt) and the enable secret (mgmt) before pasting
!
username mgmt privilege 15 secret mgmt
enable secret mgmt
!
!
!   Features:
!
! +ZBFW - close to the default setup
! +LAN DHCP (DNS=Google) + ARP hardening (after a router restart, clients must renegotiate their IP address via DHCP!)
! +Control-plane policing
! +Only incoming SSHv2 is allowed for management
! +IP SLA + tracker + Event Manager applets monitor the Internet connection (generate a SYSLOG message on failure)
! +NTP sync for correct SYSLOG message timestamps
! +To check the traffic flow on the router:
!  -Netflow configured with top talkers
!  -IP accounting configured
!  -IP MAC accounting configured
!  -IP NBAR protocol discovery configured
!
! Network:
! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254]
!
! Copy from the top, including the username and enable config
crypto key generate rsa label SSH modulus 2048
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname SOHOROUTER
boot-start-marker
boot-end-marker
logging buffered 512000
aaa new-model
aaa authentication login default local-case enable
aaa authentication login console line enable none
aaa authentication enable default enable
aaa authorization exec default local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp pool LAN
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8
   lease 0 1
   update arp
ip name-server 8.8.8.8
login block-for 300 attempts 3 within 60
multilink bundle-name authenticated
parameter-map type inspect AGAINST_DOS
 max-incomplete low  2500
 max-incomplete high 3000
 one-minute low 5000
 one-minute high 5000
 tcp max-incomplete host 300 block-time 0
 sessions maximum 20000
ip tcp synwait-time 5
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
track 1 rtr 1
track 2 rtr 2
class-map type inspect match-any inspect-LAN-to-PUBLIC
 match protocol http
 match protocol bittorrent
 match protocol ddns-v3
 match protocol directconnect
 match protocol edonkey
 match protocol ftps
 match protocol ftp
 match protocol gnutella
 match protocol https
 match protocol ica
 match protocol icabrowser
 match protocol icmp
 match protocol ipsec-msft
 match protocol irc
 match protocol ircs
 match protocol isakmp
 match protocol kazaa2
 match protocol kerberos
 match protocol l2tp
 match protocol login
 match protocol mgcp
 match protocol ms-sql
 match protocol ms-sna
 match protocol ms-sql-m
 match protocol mysql
 match protocol netshow
 match protocol netstat
 match protocol nfs
 match protocol ntp
 match protocol oracle
 match protocol oracle-em-vp
 match protocol oraclenames
 match protocol rtsp
 match protocol shell
 match protocol cuseeme
 match protocol h323
 match protocol realmedia
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol tcp
 match protocol udp
 match protocol vdolive
 match protocol dns
 match protocol imap
 match protocol imap3
 match protocol pop3
 match protocol sip
 match protocol sip-tls
 match protocol skinny
 match protocol ssh
 match protocol telnet
 match protocol pptp
 match protocol smtp
 match protocol snmp
 match protocol snmptrap
 match protocol sqlserv
 match protocol sqlsrv
 match protocol sshell
 match protocol socks
 match protocol stun
 match protocol uucp
 match protocol syslog
 match protocol syslog-conn
 match protocol telnets
 match protocol x11
 match protocol ymsgr
 match access-group name LAN
class-map match-all CoPP_traffic
 match access-group name CoPP_traffic
class-map type inspect match-any PUBLIC-to-LAN
 match access-group name WAN_hardening
class-map type inspect match-any LAN-to-PUBLIC
 match access-group name LAN
policy-map type inspect LAN-to-PUBLIC
 class type inspect inspect-LAN-to-PUBLIC
  inspect AGAINST_DOS
 class class-default
  drop
policy-map type inspect PUBLIC-to-LAN
 class type inspect PUBLIC-to-LAN
  pass
 class class-default
  drop
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
policy-map CoPP_policy
 class CoPP_traffic
   police cir 32000
     conform-action transmit
     exceed-action drop
zone security LAN
 description LAN
zone security PUBLIC
 description PUBLIC
zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
 description source LAN destination PUBLIC
 service-policy type inspect LAN-to-PUBLIC
zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN
 description source PUBLIC destination LAN
 service-policy type inspect PUBLIC-to-LAN
interface FastEthernet0/0
 description WAN
 ip address 172.16.0.100 255.255.255.0
 ip access-group no_LAN_IP_from_WAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 zone-member security PUBLIC
 ip route-cache flow
 duplex auto
 speed auto
 no shut
interface FastEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group LAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip route-cache flow
 duplex auto
 speed auto
 arp probe interval 10 count 3
 arp authorized
 arp timeout 3600
 no shut
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3600000
no ip http server
no ip http secure-server
ip nat inside source list LAN interface FastEthernet0/0 overload
ip access-list extended CoPP_traffic
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit icmp any any
ip access-list extended LAN
 remark LAN addresses allowed
 permit ip 10.10.10.0 0.0.0.255 any
 remark DHCP requests allowed
 permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
ip access-list extended WAN_hardening
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 permit udp any any eq bootpc
 permit udp any eq domain any
 deny   ip any any
ip access-list extended no_LAN_IP_from_WAN
 remark No LAN IPs from the WAN allowed
 deny   ip 10.10.10.0 0.0.0.255 any
 remark No private IPs from the WAN allowed
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Link-local is 169.254.0.0/16; denying 169.0.0.0/8 would also drop public address space
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip host 255.255.255.255 any
 remark The rest will be checked by the Zone Based Firewall
 permit ip any any
ip sla 1
 icmp-echo 8.8.8.8
 frequency 30
ip sla schedule 1 start-time now life forever
ip sla 2
 dns ntp.ubuntu.com name-server 8.8.8.8
 frequency 30
ip sla schedule 2 start-time now life forever
no cdp run
control-plane
 service-policy input CoPP_policy
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 exec-timeout 5 0
 transport input ssh
 transport output all
! ntp clock-period is normally written by the router itself and can be left out when pasting
ntp clock-period 17179978
ntp server 91.189.94.4
event manager applet Internet_access_tracker_1_down
 event track 1 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_2_down
 event track 2 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_1_up
 event track 1 state up
 action 1.0 syslog msg "Internet access came back or utilisation fell back"
event manager applet Internet_access_tracker_2_up
 event track 2 state up
 action 1.0 syslog msg "Internet access came back or utilisation fell back"
end
! Save the configuration
wr
!
! and stop here - then paste to the router
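Added example, not part of the template or its author's work: a small Python pre-deployment lint that parses an IOS-style config into command blocks and checks the points the template header calls out, namely that the placeholder mgmt credentials have been replaced, that the VTY lines accept only SSH with ip ssh version 2 set, that the management-plane hardening lines (no ip http server, no ip http secure-server, no cdp run, service password-encryption) are present, and that a class-map carries no repeated match lines. The check names, the REQUIRED_GLOBALS set and the sample configuration are constructed for this illustration; the sample is a short excerpt in which the default credentials have deliberately not been changed yet.

```python
"""Pre-deployment lint for a Cisco IOS-style config template (hypothetical checker).

parse_blocks() splits the config into (command, children) pairs using IOS's
own layout: top-level commands start in column 0, sub-mode commands are
indented, and '!' lines are comments. Each check_* function returns a list
of human-readable findings; audit() runs them all.
"""
import re
import sys

# Constructed sample: an excerpt of an un-customised template in which the
# placeholder 'mgmt' credentials are still present and one match line repeats.
SAMPLE_CONFIG = """\
username mgmt privilege 15 secret mgmt
enable secret mgmt
ip ssh version 2
no ip http server
no ip http secure-server
class-map type inspect match-any inspect-LAN-to-PUBLIC
 match protocol http
 match protocol rtsp
 match protocol rtsp
 match access-group name LAN
line vty 0 4
 exec-timeout 5 0
 transport input ssh
 transport output all
"""

PLACEHOLDER = "mgmt"  # the username/secret the template tells you to replace

# Global lines the template relies on for management-plane hardening (assumed set).
REQUIRED_GLOBALS = {
    "no ip http server",
    "no ip http secure-server",
    "no cdp run",
    "service password-encryption",
}


def parse_blocks(text):
    """Return [(command, [child commands]), ...] for the top-level commands."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())  # sub-mode line of the last block
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_default_credentials(blocks):
    """Flag the placeholder username/secret and the placeholder enable secret."""
    findings = []
    for cmd, _ in blocks:
        m = re.match(r"username (\S+) .*\bsecret (\S+)$", cmd)
        if m and PLACEHOLDER in m.groups():
            findings.append(f"placeholder credential still present: {cmd}")
        if cmd == f"enable secret {PLACEHOLDER}":
            findings.append(f"placeholder enable secret still present: {cmd}")
    return findings


def check_vty_ssh_only(blocks):
    """Every VTY line must accept SSH only, and SSHv2 must be forced globally."""
    findings = []
    for cmd, children in blocks:
        if cmd.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(f"{cmd}: expected 'transport input ssh', got {transports}")
    if "ip ssh version 2" not in {cmd for cmd, _ in blocks}:
        findings.append("'ip ssh version 2' is missing")
    return findings


def check_required_globals(blocks):
    """Report any hardening line from REQUIRED_GLOBALS that is absent."""
    present = {cmd for cmd, _ in blocks}
    return [f"missing hardening line: {line}" for line in sorted(REQUIRED_GLOBALS - present)]


def check_duplicate_matches(blocks):
    """Repeated lines inside a class-map are harmless on the box but usually
    mean the list was edited by hand; report them so the template stays clean."""
    findings = []
    for cmd, children in blocks:
        if cmd.startswith("class-map"):
            seen = set()
            for child in children:
                if child in seen:
                    findings.append(f"{cmd}: duplicate '{child}'")
                seen.add(child)
    return findings


CHECKS = (check_default_credentials, check_vty_ssh_only,
          check_required_globals, check_duplicate_matches)


def audit(text):
    """Run every check and return the combined list of findings."""
    blocks = parse_blocks(text)
    return [finding for check in CHECKS for finding in check(blocks)]


if __name__ == "__main__":
    # Lint a file named on the command line, or the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    problems = audit(source)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

Run it against the edited template before pasting; a non-zero exit means at least one check failed. Against the constructed sample it reports the two placeholder credentials, the two missing global lines and the repeated match protocol rtsp entry.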