SOHO CISCO ROUTER CONFIG TEMPLATE v0.1 - 2013.04.13 02:00CET

a guest
Apr 12th, 2013
!
! SOHO CISCO ROUTER CONFIG TEMPLATE v0.1 - 2013.04.13 02:00 CET
!
! Features:
!
! +ZBFW (zone-based firewall), kept close to the defaults
! +LAN DHCP (DNS=Google) + ARP hardening
! +Control-plane policing
! +Only incoming SSHv2 allowed
! +username mgmt; password mgmt; enable mgmt (placeholders, change before deployment)
! +IP SLA + tracker + Event Manager applets monitor the Internet connection (generate a SYSLOG message on failure)
! +NTP sync for proper SYSLOG message timestamps
! +To check the traffic flow on the router:
!  -NetFlow configured with top talkers
!  -IP accounting configured
!  -IP MAC accounting configured
!  -IP NBAR protocol discovery configured
!
! Network:
! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254]
!
service timestamps debug datetime msec
service timestamps log datetime msec
! Type 7 "encryption" is reversible obfuscation: it only hides passwords from someone glancing at the screen.
service password-encryption
hostname SOHOROUTER
boot-start-marker
boot-end-marker
logging buffered 512000
! Type 5 is salted MD5. On IOS releases that support it, prefer type 9: enable algorithm-type scrypt secret <pw>
enable secret 5 $1$vOvr$/GFbYa081OyyeaSFP0v/C0
aaa new-model
aaa authentication login default local-case enable
! The "console" method list below is defined but never applied (line con 0 carries no
! "login authentication console"), so the console uses the default list above. Note that it
! ends in "none": applied as is, the console falls open when the line and enable methods error out.
aaa authentication login console line enable none
aaa authentication enable default enable
aaa authorization exec default local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp pool LAN
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8
   lease 0 1
   update arp
ip name-server 8.8.8.8
login block-for 300 attempts 3 within 60
multilink bundle-name authenticated

parameter-map type inspect AGAINST_DOS
 max-incomplete low  2500
 max-incomplete high 3000
 one-minute low 5000
 one-minute high 5000
 tcp max-incomplete host 300 block-time 0
 sessions maximum 20000
username mgmt privilege 15 secret 5 $1$KWL7$PcIDMRcRXAemWgJZ/HTvS1
archive
 log config
  hidekeys
ip tcp synwait-time 5
! SSH additionally needs "ip domain-name <name>" and an RSA key pair
! ("crypto key generate rsa modulus 2048" is an exec command and does not appear in the running-config).
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
track 1 rtr 1
track 2 rtr 2
class-map type inspect match-any inspect-LAN-to-PUBLIC
 match protocol cuseeme
 match protocol ftp
 match protocol h323
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol tcp
 match protocol udp
 match protocol vdolive
 match protocol icmp
 match protocol dns
 match protocol imap
 match protocol imap3
 match protocol isakmp
 match protocol pop3
 match protocol sip
 match protocol ssh
 match protocol telnet
 match protocol pptp
 match protocol smtp
 match access-group name LAN
class-map match-all CoPP_traffic
 match access-group name CoPP_traffic
class-map type inspect match-any PUBLIC-to-LAN
 match access-group name WAN_hardening
class-map type inspect match-any LAN-to-PUBLIC
 match access-group name LAN
policy-map type inspect LAN-to-PUBLIC
 class type inspect inspect-LAN-to-PUBLIC
  inspect AGAINST_DOS
 class class-default
  drop
policy-map type inspect PUBLIC-to-LAN
 class type inspect PUBLIC-to-LAN
! "pass" is stateless: anything matching WAN_hardening (e.g. any UDP with source port 53) is let
! through to LAN hosts without session tracking (NAT still needs a translation entry for the packet
! to reach a host). Return traffic for sessions opened from the LAN is already covered by the
! inspect policy on the LAN-to-PUBLIC zone-pair, so most of these entries are redundant.
  pass
 class class-default
  drop
policy-map CoPP_policy
 class CoPP_traffic
! 32 kbps is shared by SSH, Telnet and ICMP aimed at the router, so an ICMP flood starves SSH
! management. There is no class-default here: every other packet destined to the router is unpoliced.
   police cir 32000
     conform-action transmit
     exceed-action drop
zone security LAN
 description LAN
zone security PUBLIC
 description PUBLIC
zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
 description source LAN destination PUBLIC
 service-policy type inspect LAN-to-PUBLIC
zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN
 description source PUBLIC destination LAN
 service-policy type inspect PUBLIC-to-LAN
interface FastEthernet0/0
 description WAN
 ip address 172.16.0.100 255.255.255.0
 ip access-group no_LAN_IP_from_WAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 zone-member security PUBLIC
 ip route-cache flow
 duplex auto
 speed auto
interface FastEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
! Anti-spoofing: only 10.10.10.0/24 sources (plus DHCP discovery from 0.0.0.0) are accepted from the LAN.
 ip access-group LAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip route-cache flow
 duplex auto
 speed auto
 arp probe interval 10 count 3
! Only ARP entries learned from DHCP bindings are installed. Hosts with static addresses in
! 10.10.10.2-99 are unreachable unless a static "arp <ip> <mac> arpa" entry is added for each.
 arp authorized
 arp timeout 3600
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3600000
no ip http server
no ip http secure-server
ip nat inside source list LAN interface FastEthernet0/0 overload
ip access-list extended CoPP_traffic
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit icmp any any
ip access-list extended LAN
 remark LAN addresses allowed
 permit ip 10.10.10.0 0.0.0.255 any
 remark DHCP requests allowed
 permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc
ip access-list extended WAN_hardening
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 permit udp any any eq bootpc
 permit udp any eq domain any
 deny   ip any any
ip access-list extended no_LAN_IP_from_WAN
 remark No LAN IPs from the WAN allowed
 deny   ip 10.10.10.0 0.0.0.255 any
 remark No private, loopback, link-local, multicast or broadcast sources from the WAN allowed
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Link-local is 169.254.0.0/16 only; the rest of 169.0.0.0/8 is ordinary public space
 deny   ip 169.254.0.0 0.0.255.255 any
 remark In the diagram above the WAN segment itself is 172.16.0.0/24, so the next entry also drops
 remark packets originated by the gateway 172.16.0.1 (ICMP unreachables, time-exceeded for traceroute).
 remark If the WAN really sits in RFC 1918 space, permit the gateway first or drop this entry.
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip host 255.255.255.255 any
 remark The rest will be checked by the Zone Based Firewall
 permit ip any any
ip sla 1
 icmp-echo 8.8.8.8
 frequency 30
ip sla 2
 dns ntp.ubuntu.com name-server 8.8.8.8
 frequency 30
! Without a schedule the probes never run and both trackers stay down.
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
no cdp run
control-plane
 service-policy input CoPP_policy
line con 0
 exec-timeout 0 0
 privilege level 15
! Under aaa new-model the default login list (local-case, then enable) applies, so this type 7
! line password is never consulted for login. Treat the string as public and remove it if unused.
 password 7 15050A1F007B797768
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
! If nothing is attached to the AUX port, add "no exec" and "transport input none" here.
line vty 0 4
 exec-timeout 5 0
 password 7 15050A1F007B797768
 transport input ssh
 transport output all
! "ntp clock-period" is computed by IOS itself and must not be copied between routers.
! NTP is unauthenticated here; "ntp authenticate" with a keyed server is preferable where available.
ntp server 91.189.94.4
event manager applet Internet_access_tracker_1_down
 event track 1 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_2_down
 event track 2 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_1_up
 event track 1 state up
 action 1.0 syslog msg "Internet access is back or WAN utilisation fell back"
event manager applet Internet_access_tracker_2_up
 event track 2 state up
 action 1.0 syslog msg "Internet access is back or WAN utilisation fell back"
end
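Two checks worth running against a template like this before it goes on a router, as an added example (my code, not part of the paste): first, Cisco type-7 strings such as the `password 7` values on the con and vty lines are reversible with a fixed, long-public key stream, so `service password-encryption` protects nothing; second, the inbound WAN bogon filter is evaluated top down with wildcard masks, and a small slip changes what it drops. The ACL evaluator below walks the template's `no_LAN_IP_from_WAN` entries against the router's own WAN address from the diagram (172.16.0.100) and shows that the 172.16.0.0/12 entry drops packets from the gateway 172.16.0.1, then contrasts a link-local entry scoped to 169.254.0.0/16 with one widened to 169.0.0.0/8. The source addresses 169.100.1.1 and 169.254.1.1 are made up for the test; port qualifiers are ignored because the bogon ACL has none.

```python
"""Audit helpers for the SOHO template: reverse type-7 strings and evaluate an
IOS extended ACL (top down, first match wins, implicit deny) with wildcard
masks. Added example, not part of the original paste."""
import re
from ipaddress import IPv4Address

# Cisco's fixed type-7 key stream; it has been public knowledge for decades.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decode(enc: str) -> str:
    """Reverse `password 7 <hex>`: 2-digit decimal seed, then one hex byte per
    plaintext character, each XORed with the key byte at seed, seed+1, ..."""
    seed, body = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()

def type7_encode(plain: str, seed: int = 0) -> str:
    """Same XOR in the other direction; shows the scheme is symmetric."""
    body = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"

def find_type7(config: str) -> list:
    """(config line, recovered plaintext) for every `password 7` credential."""
    hits = []
    for line in config.splitlines():
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]{2,})\b", line)
        if m:
            hits.append((line.strip(), type7_decode(m.group(1))))
    return hits

def _addr_spec(tokens: list):
    """Consume one address spec ('any' | 'host A' | 'A WILDCARD') from the front
    of tokens; return (base, wildcard, tokens_consumed) with addresses as ints."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return int(IPv4Address(tokens[1])), 0, 2
    return int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1])), 2

def _matches(addr: int, base: int, wildcard: int) -> bool:
    # Wildcard bits set to 1 are "don't care"; every other bit must equal base.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def acl_decision(acl: str, src: str, dst: str, proto: str = "ip") -> str:
    """Walk an extended ACL top down and return the first matching action, or
    the implicit 'deny'. Handles the `permit|deny <proto> <src> <dst>` shape of
    the template's bogon filter; port qualifiers and remark lines are ignored."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for raw in acl.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue                       # remarks, headers, blank lines
        if tok[1] not in ("ip", proto):    # 'ip' matches every protocol
            continue
        sb, sw, n = _addr_spec(tok[2:])
        db, dw, _ = _addr_spec(tok[2 + n:])
        if _matches(s, sb, sw) and _matches(d, db, dw):
            return tok[0]
    return "deny"

# The template's no_LAN_IP_from_WAN entries, link-local scoped to 169.254.0.0/16.
WAN_ACL = """\
 deny   ip 10.10.10.0 0.0.0.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip host 255.255.255.255 any
 permit ip any any
"""
# Same filter with the link-local entry widened to all of 169.0.0.0/8 (a common slip).
WAN_ACL_BROAD = WAN_ACL.replace("169.254.0.0 0.0.255.255", "169.0.0.0 0.255.255.255")

# Constructed snippet; the `password 7` value is the one used on the template's lines.
SAMPLE_CONFIG = """\
line con 0
 password 7 15050A1F007B797768
line vty 0 4
 password 7 15050A1F007B797768
"""

if __name__ == "__main__":
    for line, plain in find_type7(SAMPLE_CONFIG):
        print(f"{line!r} -> {plain!r}")
    wan_ip = "172.16.0.100"  # the router's WAN address in the template diagram
    for src in ("172.16.0.1", "169.100.1.1", "169.254.1.1", "8.8.8.8"):
        print(src, "->", acl_decision(WAN_ACL, src, wan_ip, "icmp"),
              "/ with 169/8 entry:", acl_decision(WAN_ACL_BROAD, src, wan_ip, "icmp"))
```

The evaluator deliberately models only what IOS does for the bogon ACL: `ip` entries match any protocol, address specs are compared with `(addr XOR base) AND NOT wildcard`, and a packet that matches nothing hits the implicit deny. Run against the gateway address it returns `deny`, which is the practical reason to permit the upstream gateway explicitly (or drop the 172.16.0.0/12 line) whenever the WAN segment is itself RFC 1918 space.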