SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1330

a guest
Apr 13th, 2013
!
!   SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1330 CET
!
!   by Crok
!
!   Change the default username mgmt; password mgmt; enable mgmt
!   (type 5 secrets are salted MD5; on releases that support it, prefer "secret 9" scrypt hashes)
!
username mgmt privilege 15 secret 5 $1$KWL7$PcIDMRcRXAemWgJZ/HTvS1
enable secret 5 $1$vOvr$/GFbYa081OyyeaSFP0v/C0
!
!
! Features:
!
! +ZBFW - quite default
! +LAN DHCP (DNS=Google) + ARP hardening (after router restart clients must renegotiate IP address via DHCP!)
! +ControlPlane policing
! +Only incoming SSHv2 allowed
! +IP SLA + tracker + Event Manager Applets monitor Internet connection (generate SYSLOG message if fail)
! +NTP sync for proper SYSLOG message timestamps
! +To check the traffic flow on the router:
!  -Netflow configured with top talkers
!  -IP accounting configured
!  -IP MAC accounting configured
!  -IP NBAR protocol discovery configured
!
! Network:
! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254]
!
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname SOHOROUTER
! Key generation moved after "hostname": IOS refuses to generate RSA keys while the router is
! still named "Router" (if your release also asks for a domain name, set "ip domain-name" first).
crypto key generate rsa label SSH modulus 2048
boot-start-marker
boot-end-marker
logging buffered 512000
aaa new-model
aaa authentication login default local-case enable
! The "console" list is defined but never applied (line con 0 carries no "login authentication console"),
! so the console falls back to the default list above.
aaa authentication login console line enable none
aaa authentication enable default enable
aaa authorization exec default local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp pool LAN
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8
 lease 0 1
 update arp
ip name-server 8.8.8.8
login block-for 300 attempts 3 within 60
multilink bundle-name authenticated
parameter-map type inspect AGAINST_DOS
 max-incomplete low  2500
 max-incomplete high 3000
 one-minute low 5000
 one-minute high 5000
 tcp max-incomplete host 300 block-time 0
 sessions maximum 20000
archive
 log config
  hidekeys
ip tcp synwait-time 5
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
! Added: the key pair above carries a label, so the SSH server must be pointed at it explicitly.
ip ssh rsa keypair-name SSH
track 1 rtr 1
track 2 rtr 2
class-map type inspect match-any inspect-LAN-to-PUBLIC
 match protocol cuseeme
 match protocol ftp
 match protocol h323
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol tcp
 match protocol udp
 match protocol vdolive
 match protocol icmp
 match protocol dns
 match protocol imap
 match protocol imap3
 match protocol isakmp
 match protocol pop3
 match protocol sip
 match protocol ssh
 match protocol telnet
 match protocol pptp
 match protocol smtp
 match access-group name LAN
class-map match-all CoPP_traffic
 match access-group name CoPP_traffic
class-map type inspect match-any PUBLIC-to-LAN
 match access-group name WAN_hardening
! Defined but not referenced by any policy-map (the LAN-to-PUBLIC policy uses inspect-LAN-to-PUBLIC).
class-map type inspect match-any LAN-to-PUBLIC
 match access-group name LAN
policy-map type inspect LAN-to-PUBLIC
 class type inspect inspect-LAN-to-PUBLIC
  inspect AGAINST_DOS
 class class-default
  drop
policy-map type inspect PUBLIC-to-LAN
 class type inspect PUBLIC-to-LAN
  pass
 class class-default
  drop
policy-map CoPP_policy
 class CoPP_traffic
  police cir 32000
   conform-action transmit
   exceed-action drop
zone security LAN
 description LAN
zone security PUBLIC
 description PUBLIC
zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
 description source LAN destination PUBLIC
 service-policy type inspect LAN-to-PUBLIC
zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN
 description source PUBLIC destination LAN
 service-policy type inspect PUBLIC-to-LAN
interface FastEthernet0/0
 description WAN
 ip address 172.16.0.100 255.255.255.0
 ip access-group no_LAN_IP_from_WAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 zone-member security PUBLIC
 ip route-cache flow
 duplex auto
 speed auto
 no shut
interface FastEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group LAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip route-cache flow
 duplex auto
 speed auto
 arp probe interval 10 count 3
 arp authorized
 arp timeout 3600
 no shut
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3600000
no ip http server
no ip http secure-server
ip nat inside source list LAN interface FastEthernet0/0 overload
ip access-list extended CoPP_traffic
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit icmp any any
ip access-list extended LAN
 remark LAN addresses allowed
 permit ip 10.10.10.0 0.0.0.255 any
 remark DHCP requests allowed
 permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc
! Everything matched here is passed statelessly (no inspection) from PUBLIC to LAN.
ip access-list extended WAN_hardening
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 permit udp any any eq bootpc
 remark Admits any UDP with source port 53; DNS replies to LAN queries already return via inspection
 permit udp any eq domain any
 deny   ip any any
ip access-list extended no_LAN_IP_from_WAN
 remark No LAN IPs from the WAN allowed
 deny   ip 10.10.10.0 0.0.0.255 any
 remark No private IPs from the WAN allowed
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Link-local is 169.254.0.0/16; the original 169.0.0.0/8 would also drop public addresses
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip host 255.255.255.255 any
 remark The rest will be checked by Zone Based Firewall
 permit ip any any
ip sla 1
 icmp-echo 8.8.8.8
 frequency 30
ip sla schedule 1 start-time now life forever
ip sla 2
 dns ntp.ubuntu.com name-server 8.8.8.8
 frequency 30
ip sla schedule 2 start-time now life forever
no cdp run
control-plane
 service-policy input CoPP_policy
! Console and aux sessions never time out and land at privilege 15; set a finite exec-timeout
! wherever the physical ports are reachable by others.
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 exec-timeout 5 0
 transport input ssh
 transport output all
! ntp clock-period is calculated and written by IOS itself; pasting it is harmless, hand-editing it is not.
ntp clock-period 17179978
ntp server 91.189.94.4
event manager applet Internet_access_tracker_1_down
 event track 1 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_2_down
 event track 2 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_1_up
 event track 1 state up
 action 1.0 syslog msg "Internet access came back or utilisation fell back"
event manager applet Internet_access_tracker_2_up
 event track 2 state up
 action 1.0 syslog msg "Internet access came back or utilisation fell back"
end
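The template only works if names line up across ACLs, class-maps, policy-maps and zone-pairs; a typo in one reference silently leaves an interface unfiltered or a policy unattached (the LAN-to-PUBLIC class-map in the paste, for example, is defined but never used by a policy-map). The following cross-reference check is an added example, not part of the paste: it runs over a constructed excerpt written in the same style, and its regex tables cover only the reference forms this template uses.

```python
import re
# Constructed excerpt in the style of the template above (not the full paste); the
# WAN ACL reference is deliberately left undefined to exercise the check.
SAMPLE_CONFIG = """\
class-map type inspect match-any inspect-LAN-to-PUBLIC
 match access-group name LAN
class-map type inspect match-any LAN-to-PUBLIC
 match access-group name LAN
policy-map type inspect LAN-to-PUBLIC
 class type inspect inspect-LAN-to-PUBLIC
 class class-default
zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
 service-policy type inspect LAN-to-PUBLIC
interface FastEthernet0/0
 ip access-group no_LAN_IP_from_WAN in
ip access-list extended LAN
"""

# Where each object kind is defined, and every form in which the template refers to it.
DEFS = {"acl": [r"^ip access-list (?:standard|extended) (\S+)"],
        "class-map": [r"^class-map(?: type inspect)? match-(?:any|all) (\S+)"],
        "policy-map": [r"^policy-map(?: type inspect)? (\S+)"]}
REFS = {"acl": [r"^match access-group name (\S+)", r"^ip access-group (\S+) (?:in|out)",
                r"^ip nat inside source list (\S+)"],
        "class-map": [r"^class(?: type inspect)? (\S+)"],
        "policy-map": [r"^service-policy (?:type inspect |input |output )?(\S+)"]}
BUILTIN = {"class-default"}  # implicit class, never defined explicitly

def _names(line, table):
    for kind, patterns in table.items():
        for pat in patterns:
            m = re.match(pat, line)
            if m and m.group(1) not in BUILTIN:
                yield kind, m.group(1)

def check_references(config):
    """Return ({kind: [undefined names]}, {kind: [unused names]}), names sorted."""
    defined = {k: set() for k in DEFS}
    referenced = {k: set() for k in DEFS}
    for raw in config.splitlines():
        line = raw.strip()  # IOS nests sub-commands with leading spaces
        if not line or line.startswith("!"):
            continue
        for kind, name in _names(line, DEFS):
            defined[kind].add(name)
        for kind, name in _names(line, REFS):
            referenced[kind].add(name)
    undefined = {k: sorted(referenced[k] - defined[k]) for k in DEFS}
    unused = {k: sorted(defined[k] - referenced[k]) for k in DEFS}
    return undefined, unused
```

Run it over the full paste (read into a string) before pushing the template to a router; an undefined name is a deployment bug, an unused one is dead configuration worth removing.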