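!
! SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1400 CET
!
! by Crok
!
! Change the default username mgmt; password mgmt; enable mgmt
! (all three values below are the same placeholder string "mgmt" -
! replace every one of them before pasting; "secret" stores them hashed,
! "service password-encryption" further down only covers type-7 passwords)
!
username mgmt privilege 15 secret mgmt
enable secret mgmt
!
!
! Features:
!
! +ZBFW - quite default
! +LAN DHCP (DNS=Google) + ARP hardening (after router restart clients must renegotiate IP address via DHCP!)
! +ControlPlane policing
! +Only incoming SSHv2 allowed
! +IP SLA + tracker + Event Manager Applets monitor Internet connection (generate SYSLOG message if fail)
! +NTP sync for proper SYSLOG message timestamps
! +To check the traffic flow on the router:
! -Netflow configured with top talkers
! -IP accounting configured
! -IP MAC accounting configured
! -IP NBAR protocol discovery configured
!
! Network:
! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254]
!
! Copy from the top, including the username and enable config
!
! RSA key pair for SSH. The explicit label makes the key name independent of
! the hostname, which is only set a few lines further down. IOS normally
! refuses to generate a key pair until "ip domain-name" is configured -
! confirm on the target release and set one first if the command is rejected.
crypto key generate rsa label SSH modulus 2048
! Bind the SSH server to the labelled key pair. Without this line the server
! looks for the default key pair (hostname.domain-name), which this template
! never generates.
ip ssh rsa keypair-name SSH
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname SOHOROUTER
boot-start-marker
boot-end-marker
logging buffered 512000
aaa new-model
! Default login: local user database first, enable secret only if the local
! method is unavailable.
aaa authentication login default local-case enable
! NOTE(review): this named list ends in "none" (no authentication at all if
! the earlier methods are unavailable) and is not applied to any line in this
! template - "line con 0" in the last section uses the default list.
aaa authentication login console line enable none
aaa authentication enable default enable
aaa authorization exec default local
aaa session-id common
memory-size iomem 5
! Disables rate limiting of ICMP unreachables; largely moot here because both
! interfaces are configured with "no ip unreachables".
no ip icmp rate-limit unreachable
ip cef
! Source-routed packets are never needed on a SOHO edge and would let an
! outside host steer packets around the routing table.
no ip source-route
no ip dhcp use vrf connected
! .1-.99 reserved for static hosts; the pool hands out .100-.254 (see header).
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp pool LAN
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8
! lease <days> <hours>: one-hour leases
lease 0 1
! Populate the ARP table from DHCP bindings; pairs with "arp authorized" on
! Fa0/1, which is why clients must re-DHCP after a reload (see header).
update arp
ip name-server 8.8.8.8
! Quiet period of 300 s after 3 failed logins within 60 s.
login block-for 300 attempts 3 within 60
multilink bundle-name authenticated
! Half-open session thresholds referenced by the inspect policy
! (AGAINST_DOS in the next paste section).
parameter-map type inspect AGAINST_DOS
max-incomplete low 2500
max-incomplete high 3000
one-minute low 5000
one-minute high 5000
tcp max-incomplete host 300 block-time 0
sessions maximum 20000
ip tcp synwait-time 5
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2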
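!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
! Tracker objects follow IP SLA probes 1 and 2, which are defined in the last
! paste section; the EEM applets there act on these track states.
track 1 rtr 1
track 2 rtr 2
! match-any: a packet matches as soon as one entry fits. The generic
! tcp/udp/icmp entries plus the LAN access-group at the end mean everything
! sourced from 10.10.10.0/24 ends up in this class; the application-specific
! entries presumably select protocol-aware inspection for those protocols.
! Duplicate entries of the original list (shell, rtsp, icmp, isakmp, sql-net,
! telnet) have been removed; IOS ignores repeats, so behaviour is unchanged.
class-map type inspect match-any inspect-LAN-to-PUBLIC
match protocol http
match protocol bittorrent
match protocol ddns-v3
match protocol directconnect
match protocol edonkey
match protocol ftps
match protocol ftp
match protocol gnutella
match protocol https
match protocol ica
match protocol icabrowser
match protocol icmp
match protocol ipsec-msft
match protocol irc
match protocol ircs
match protocol isakmp
match protocol kazaa2
match protocol kerberos
match protocol l2tp
match protocol login
match protocol mgcp
match protocol ms-sql
match protocol ms-sna
match protocol ms-sql-m
match protocol mysql
match protocol netshow
match protocol netstat
match protocol nfs
match protocol ntp
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol rtsp
match protocol shell
match protocol cuseeme
match protocol h323
match protocol realmedia
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol tcp
match protocol udp
match protocol vdolive
match protocol dns
match protocol imap
match protocol imap3
match protocol pop3
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol ssh
match protocol telnet
match protocol pptp
match protocol smtp
match protocol snmp
match protocol snmptrap
match protocol sqlserv
match protocol sqlsrv
match protocol sshell
match protocol socks
match protocol stun
match protocol uucp
match protocol syslog
match protocol syslog-conn
match protocol telnets
match protocol x11
match protocol ymsgr
match access-group name LAN
! Traffic to the router itself that CoPP_policy rate-limits (ACL in the
! next section).
class-map match-all CoPP_traffic
match access-group name CoPP_traffic
! Inbound: only what the WAN_hardening ACL explicitly permits (last section).
class-map type inspect match-any PUBLIC-to-LAN
match access-group name WAN_hardening
! NOTE(review): this class-map is not referenced by any policy-map in the
! template (the LAN-to-PUBLIC policy uses inspect-LAN-to-PUBLIC instead);
! kept so existing references outside the template keep working.
class-map type inspect match-any LAN-to-PUBLIC
match access-group name LAN
! Outbound: stateful inspection with the AGAINST_DOS thresholds; anything not
! classified is dropped.
policy-map type inspect LAN-to-PUBLIC
class type inspect inspect-LAN-to-PUBLIC
inspect AGAINST_DOS
class class-default
drop
! Inbound: "pass" is stateless - no return session is created for this
! traffic; everything else arriving from PUBLIC is dropped.
policy-map type inspect PUBLIC-to-LAN
class type inspect PUBLIC-to-LAN
pass
class class-default
drop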
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
! Control-plane policing: traffic matched by the CoPP_traffic ACL (telnet,
! ssh and icmp to the router - ACL defined below) shares a 32 kbit/s budget;
! excess is dropped. Everything else reaches the control plane unpoliced.
! NOTE(review): telnet stays in the class although the vty lines accept only
! ssh; a burst of ICMP toward the router competes with SSH for the same budget.
policy-map CoPP_policy
class CoPP_traffic
police cir 32000
conform-action transmit
exceed-action drop
zone security LAN
description LAN
zone security PUBLIC
description PUBLIC
! Zone pairs bind the inspect policies from the previous section.
zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
description source LAN destination PUBLIC
service-policy type inspect LAN-to-PUBLIC
zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN
description source PUBLIC destination LAN
service-policy type inspect PUBLIC-to-LAN
! WAN side: static address, spoofed-source ACL inbound (defined in the last
! section), NAT outside, member of zone PUBLIC.
interface FastEthernet0/0
description WAN
ip address 172.16.0.100 255.255.255.0
ip access-group no_LAN_IP_from_WAN in
no ip redirects
no ip unreachables
no ip proxy-arp
! Per-interface accounting and NBAR discovery feed the traffic-flow checks
! listed in the header.
ip accounting output-packets
ip accounting mac-address input
ip accounting mac-address output
ip nbar protocol-discovery
ip nat outside
! Virtual reassembly so NAT / the firewall classify fragmented datagrams as
! a whole (IOS normally turns this on together with NAT and ZBFW).
ip virtual-reassembly
zone-member security PUBLIC
! NetFlow switching; feeds "ip flow-top-talkers" below.
ip route-cache flow
duplex auto
speed auto
no shut
! LAN side: the LAN ACL inbound limits sources to 10.10.10.0/24 plus DHCP
! discover; NAT inside; member of zone LAN.
interface FastEthernet0/1
description LAN
ip address 10.10.10.1 255.255.255.0
ip access-group LAN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting mac-address input
ip accounting mac-address output
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
zone-member security LAN
ip route-cache flow
duplex auto
speed auto
! ARP hardening: only entries installed from DHCP bindings ("update arp" in
! the pool) are accepted, entries are probed (interval 10, count 3) and age
! out after 3600 s - hence the re-DHCP requirement after a reload.
arp probe interval 10 count 3
arp authorized
arp timeout 3600
no shut
ip forward-protocol nd
! Default route via the upstream gateway from the header diagram.
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip flow-top-talkers
top 20
sort-by bytes
cache-timeout 3600000
! No HTTP(S) management; SSH only.
no ip http server
no ip http secure-server
! PAT all LAN sources (ACL LAN) behind the WAN interface address.
ip nat inside source list LAN interface FastEthernet0/0 overload
! Traffic selected for control-plane policing (see CoPP_policy above).
ip access-list extended CoPP_traffic
permit tcp any any eq telnet
permit tcp any any eq 22
permit icmp any any
! ACL LAN is reused three times: inbound filter on Fa0/1, NAT inside source
! list, and the inspect class-maps of the previous section.
ip access-list extended LAN
remark LAN addresses allowed
permit ip 10.10.10.0 0.0.0.255 any
remark DHCP requests allowed
permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc
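!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
! Traffic from PUBLIC that is passed (not inspected) into LAN - see the
! PUBLIC-to-LAN policy. Return traffic for LAN-initiated sessions is handled
! by the inspect sessions, not by this list.
ip access-list extended WAN_hardening
permit gre any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit icmp any any administratively-prohibited
permit udp any any eq bootpc
! NOTE(review): this entry matches on source port only, so any UDP packet
! sent from port 53 is passed statelessly. LAN clients' DNS replies already
! come back through the LAN-to-PUBLIC inspect session, so the entry is
! probably removable - verify before deleting it.
permit udp any eq domain any
deny ip any any
! Bogon / spoofed-source filter applied inbound on the WAN interface.
ip access-list extended no_LAN_IP_from_WAN
remark No LAN IPs from the WAN allowed
deny ip 10.10.10.0 0.0.0.255 any
remark No private IPs from the WAN allowed
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
! Link-local is 169.254.0.0/16; the original template denied all of
! 169.0.0.0/8, which also blocked legitimately routed public space.
deny ip 169.254.0.0 0.0.255.255 any
! NOTE(review): this range also covers the WAN segment itself (172.16.0.0/24,
! default gateway 172.16.0.1). Return traffic from the Internet is unaffected,
! but anything sourced by the upstream device on 172.16.0.x is dropped here -
! add a more specific permit above this line if that device must be reachable.
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip host 255.255.255.255 any
remark The rest will be checked by Zone Based Firewall
permit ip any any
! Sources allowed to open an SSH session to the router. The inbound WAN ACL
! ends in "permit ip any any" and traffic addressed to the router itself
! (self zone) is not covered by the zone pairs, so without this list the vty
! lines are reachable from the Internet.
ip access-list standard SSH_FROM_LAN
permit 10.10.10.0 0.0.0.255
! Probe 1: ICMP reachability; probe 2: DNS resolution. They drive track 1/2
! from the second paste section.
ip sla 1
icmp-echo 8.8.8.8
frequency 30
ip sla schedule 1 start-time now life forever
ip sla 2
dns ntp.ubuntu.com name-server 8.8.8.8
frequency 30
ip sla schedule 2 start-time now life forever
no cdp run
control-plane
service-policy input CoPP_policy
! NOTE(review): "exec-timeout 0 0" disables the idle timeout on the physical
! ports; a console left logged in stays at privilege 15 indefinitely.
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
! NOTE(review): AUX is a second physical management port at privilege 15 with
! no idle timeout; if nothing is attached to it, "no exec" here removes it as
! a login path.
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
! Restrict remote access to LAN sources (standard ACL defined above).
access-class SSH_FROM_LAN in
exec-timeout 5 0
transport input ssh
transport output all
! "ntp clock-period" is calculated by IOS and written into the running
! configuration by itself; Cisco documents it as not to be entered manually,
! so the value from the original template is not part of the paste.
! Single unauthenticated NTP source (ntp.ubuntu.com at the time of writing).
ntp server 91.189.94.4
! Syslog on tracker transitions (track 1/2 defined in the second section).
event manager applet Internet_access_tracker_1_down
event track 1 state down
action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_2_down
event track 2 state down
action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_1_up
event track 1 state up
action 1.0 syslog msg "Internet access came back or utilisation fell back"
event manager applet Internet_access_tracker_2_up
event track 2 state up
action 1.0 syslog msg "Internet access came back or utilisation fell back"
end
! Save the configuration
wr
!
! and stop here - then paste to the router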