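--- a/PATH-UNKNOWN
+++ b/PATH-UNKNOWN
@@ -1,246 +1,246 @@
 !
-! SOHO CISCO ROUTER CONFIG TEMPLATE v0.1 - 2013.04.13 02:00 CET
+! SOHO ROUTER CONFIG TEMPLATE v0.1.1 - 2013.04.13 12:30 CET
 !
 ! Change the default username mgmt; password mgmt; enable mgmt
 !
 ! Features:
 !
 ! +ZBFW - quite default
 ! +LAN DHCP (DNS=Google) + ARP hardening
-! +username mgmt; password mgmt; enable mgmt
+
 ! +Only incoming SSHv2 allowed
 ! +IP SLA + tracker + Event Manager Applets monitor Internet connection (generate SYSLOG message if fail)
 ! +NTP sync for proper SYSLOG message timestamps
 ! +To check the traffic flow on the router:
 ! -Netflow configured with top talkers
 ! -IP accounting configured
 ! -IP MAC accounting configured
 ! -IP NBAR protocol discovery configured
 !
 ! Network:
 ! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254]
 !
 service timestamps debug datetime msec
 service timestamps log datetime msec
 service password-encryption
 hostname SOHOROUTER
 boot-start-marker
 boot-end-marker
 logging buffered 512000
 enable secret 5 $1$vOvr$/GFbYa081OyyeaSFP0v/C0
 aaa new-model
 aaa authentication login default local-case enable
 aaa authentication login console line enable none
 aaa authentication enable default enable
 aaa authorization exec default local
 aaa session-id common
 memory-size iomem 5
 no ip icmp rate-limit unreachable
 ip cef
 no ip dhcp use vrf connected
 ip dhcp excluded-address 10.10.10.1 10.10.10.99
 ip dhcp pool LAN
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8
 lease 0 1
 update arp
 ip name-server 8.8.8.8
 login block-for 300 attempts 3 within 60
 multilink bundle-name authenticated
 
 parameter-map type inspect AGAINST_DOS
 max-incomplete low 2500
 max-incomplete high 3000
 one-minute low 5000
 one-minute high 5000
 tcp max-incomplete host 300 block-time 0
 sessions maximum 20000
 username mgmt privilege 15 secret 5 $1$KWL7$PcIDMRcRXAemWgJZ/HTvS1
 archive
 log config
 hidekeys
 ip tcp synwait-time 5
 ip ssh time-out 60
 ip ssh authentication-retries 2
 ip ssh version 2
 track 1 rtr 1
 track 2 rtr 2
 class-map type inspect match-any inspect-LAN-to-PUBLIC
 match protocol cuseeme
 match protocol ftp
 match protocol h323
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol tcp
 match protocol udp
 match protocol vdolive
 match protocol icmp
 match protocol dns
 match protocol imap
 match protocol imap3
 match protocol isakmp
 match protocol pop3
 match protocol sip
 match protocol ssh
 match protocol telnet
 match protocol pptp
 match protocol smtp
 match access-group name LAN
 class-map match-all CoPP_traffic
 match access-group name CoPP_traffic
 class-map type inspect match-any PUBLIC-to-LAN
 match access-group name WAN_hardening
 class-map type inspect match-any LAN-to-PUBLIC
 match access-group name LAN
 policy-map type inspect LAN-to-PUBLIC
 class type inspect inspect-LAN-to-PUBLIC
 inspect AGAINST_DOS
 class class-default
 drop
 policy-map type inspect PUBLIC-to-LAN
 class type inspect PUBLIC-to-LAN
 pass
 class class-default
 drop
 policy-map CoPP_policy
 class CoPP_traffic
 police cir 32000
 conform-action transmit
 exceed-action drop
 zone security LAN
 description LAN
 zone security PUBLIC
 description PUBLIC
 zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
 description source LAN destination PUBLIC
 service-policy type inspect LAN-to-PUBLIC
 zone-pair security PUBLIC-to-LAN source PUBLIC de
 description source PUBLIC destination LAN
 service-policy type inspect PUBLIC-to-LAN
 interface FastEthernet0/0
 description WAN
 ip address 172.16.0.100 255.255.255.0
 ip access-group no_LAN_IP_from_WAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 zone-member security PUBLIC
 ip route-cache flow
 duplex auto
 speed auto
 interface FastEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group LAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip route-cache flow
 duplex auto
 speed auto
 arp probe interval 10 count 3
 arp authorized
 arp timeout 3600
 ip forward-protocol nd
 ip route 0.0.0.0 0.0.0.0 172.16.0.1
 ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3600000
 no ip http server
 no ip http secure-server
 ip nat inside source list LAN interface FastEthernet0/0 overload
 ip access-list extended CoPP_traffic
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit icmp any any
 ip access-list extended LAN
 remark LAN addresses allowed
 permit ip 10.10.10.0 0.0.0.255 any
 remark DHCP requests allowed
 permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc
 ip access-list extended WAN_hardening
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 permit udp any any eq bootpc
 permit udp any eq domain any
 deny ip any any
 ip access-list extended no_LAN_IP_from_WAN
 remark No LAN IPs from the WAN allowed
 deny ip 10.10.10.0 0.0.0.255 any
 remark No private IPs from the WAN allowed
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip host 255.255.255.255 any
 remark The rest will be checked by Zone Based Firewall
 permit ip any any
 ip sla 1
 icmp-echo 8.8.8.8
 frequency 30
 ip sla 2
 dns ntp.ubuntu.com name-server 8.8.8.8
 frequency 30
 no cdp run
 control-plane
 service-policy input CoPP_policy
 line con 0
 exec-timeout 0 0
 privilege level 15
 password 7 15050A1F007B797768
 logging synchronous
 line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 line vty 0 4
 exec-timeout 5 0
 password 7 15050A1F007B797768
 transport input ssh
 transport output all
 ntp clock-period 17179978
 ntp server 91.189.94.4
 event manager applet Internet_access_tracker_1_down
 event track 1 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
 event manager applet Internet_access_tracker_2_down
 event track 2 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
 event manager applet Internet_access_tracker_1_up
-action 1.0 syslog msg "Internet access came back or utilisation felt back"
+
 action 1.0 syslog msg "Internet access came back or utilisation fell back"
 event manager applet Internet_access_tracker_2_up
-action 1.0 syslog msg "Internet access came back or utilisation felt back"
+
 action 1.0 syslog msg "Internet access came back or utilisation fell back"
 end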
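Review bot: The PUBLIC-to-LAN zone-pair at new line 123 is truncated (`zone-pair security PUBLIC-to-LAN source PUBLIC de`), so the `description` and `service-policy type inspect PUBLIC-to-LAN` that follow would be rejected and the pair never bound; it should read `zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN`. The two `_up` applets at new lines 240-245 show only an empty line before the syslog action, with no `event track 1 state up` / `event track 2 state up` trigger visible, so the "came back" message would presumably never fire — worth confirming the trigger line was not lost in the paste rather than intentionally dropped. Separately, the WAN_hardening ACL that the PUBLIC-to-LAN policy passes without stateful inspection includes `permit udp any eq domain any`, which admits any UDP whose source port is 53 regardless of destination port; DNS replies for LAN clients are already tracked by the LAN-to-PUBLIC inspect return path, so that entry adds exposure without benefit and can be removed. The `password 7` lines on con 0 and vty 0 4 are reversibly encoded and unused for login under `aaa new-model` with the local-case default list, so dropping them keeps a recoverable secret out of the shared template.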