SHOW:
|
|
- or go back to the newest paste.
| 1 | ! | |
| 2 | - | ! SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1300 CET |
| 2 | + | ! SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1330 CET |
| 3 | ! | |
| 4 | ! by Crok | |
| 5 | ! | |
| 6 | ! Change the default username mgmt; password mgmt; enable mgmt | |
| 7 | ! | |
| 8 | username mgmt privilege 15 secret 5 $1$KWL7$PcIDMRcRXAemWgJZ/HTvS1 | |
| 9 | enable secret 5 $1$vOvr$/GFbYa081OyyeaSFP0v/C0 | |
| 10 | ! | |
| 11 | ! | |
| 12 | ! Features: | |
| 13 | ! | |
| 14 | ! +ZBFW - quite default | |
| 15 | - | ! +LAN DHCP (DNS=Google) + ARP hardening |
| 15 | + | ! +LAN DHCP (DNS=Google) + ARP hardening (after router restart clients must renegotiate IP address via DHCP!) |
| 16 | ! +ControlPlane policing | |
| 17 | ! +Only incoming SSHv2 allowed | |
| 18 | ! +IP SLA + tracker + Event Manager Applets monitor Internet connection (generate SYSLOG message if fail) | |
| 19 | ! +NTP sync for proper SYSLOG message timestamps | |
| 20 | ! +To check the traffic flow on the router: | |
| 21 | ! -Netflow configured with top talkers | |
| 22 | ! -IP accounting configured | |
| 23 | ! -IP MAC accounting configured | |
| 24 | ! -IP NBAR protocol discovery configured | |
| 25 | ! | |
| 26 | ! Network: | |
| 27 | ! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254] | |
| 28 | ! | |
| 29 | ! | |
| 30 | crypto key generate rsa label SSH modulus 2048 | |
| 31 | service timestamps debug datetime msec | |
| 32 | service timestamps log datetime msec | |
| 33 | service password-encryption | |
| 34 | hostname SOHOROUTER | |
| 35 | boot-start-marker | |
| 36 | boot-end-marker | |
| 37 | logging buffered 512000 | |
| 38 | aaa new-model | |
| 39 | aaa authentication login default local-case enable | |
| 40 | aaa authentication login console line enable none | |
| 41 | aaa authentication enable default enable | |
| 42 | aaa authorization exec default local | |
| 43 | aaa session-id common | |
| 44 | memory-size iomem 5 | |
| 45 | no ip icmp rate-limit unreachable | |
| 46 | ip cef | |
| 47 | no ip dhcp use vrf connected | |
| 48 | ip dhcp excluded-address 10.10.10.1 10.10.10.99 | |
| 49 | ip dhcp pool LAN | |
| 50 | network 10.10.10.0 255.255.255.0 | |
| 51 | default-router 10.10.10.1 | |
| 52 | dns-server 8.8.8.8 | |
| 53 | lease 0 1 | |
| 54 | update arp | |
| 55 | ip name-server 8.8.8.8 | |
| 56 | login block-for 300 attempts 3 within 60 | |
| 57 | multilink bundle-name authenticated | |
| 58 | parameter-map type inspect AGAINST_DOS | |
| 59 | max-incomplete low 2500 | |
| 60 | max-incomplete high 3000 | |
| 61 | one-minute low 5000 | |
| 62 | one-minute high 5000 | |
| 63 | tcp max-incomplete host 300 block-time 0 | |
| 64 | sessions maximum 20000 | |
| 65 | archive | |
| 66 | log config | |
| 67 | hidekeys | |
| 68 | ip tcp synwait-time 5 | |
| 69 | ip ssh time-out 60 | |
| 70 | ip ssh authentication-retries 2 | |
| 71 | ip ssh version 2 | |
| 72 | track 1 rtr 1 | |
| 73 | track 2 rtr 2 | |
| 74 | class-map type inspect match-any inspect-LAN-to-PUBLIC | |
| 75 | match protocol cuseeme | |
| 76 | match protocol ftp | |
| 77 | match protocol h323 | |
| 78 | match protocol netshow | |
| 79 | match protocol shell | |
| 80 | match protocol realmedia | |
| 81 | match protocol rtsp | |
| 82 | match protocol sql-net | |
| 83 | match protocol streamworks | |
| 84 | match protocol tftp | |
| 85 | match protocol tcp | |
| 86 | match protocol udp | |
| 87 | match protocol vdolive | |
| 88 | match protocol icmp | |
| 89 | match protocol dns | |
| 90 | match protocol imap | |
| 91 | match protocol imap3 | |
| 92 | match protocol isakmp | |
| 93 | match protocol pop3 | |
| 94 | match protocol sip | |
| 95 | match protocol ssh | |
| 96 | match protocol telnet | |
| 97 | match protocol pptp | |
| 98 | match protocol smtp | |
| 99 | match access-group name LAN | |
| 100 | class-map match-all CoPP_traffic | |
| 101 | match access-group name CoPP_traffic | |
| 102 | class-map type inspect match-any PUBLIC-to-LAN | |
| 103 | match access-group name WAN_hardening | |
| 104 | class-map type inspect match-any LAN-to-PUBLIC | |
| 105 | match access-group name LAN | |
| 106 | policy-map type inspect LAN-to-PUBLIC | |
| 107 | class type inspect inspect-LAN-to-PUBLIC | |
| 108 | inspect AGAINST_DOS | |
| 109 | class class-default | |
| 110 | drop | |
| 111 | policy-map type inspect PUBLIC-to-LAN | |
| 112 | class type inspect PUBLIC-to-LAN | |
| 113 | pass | |
| 114 | class class-default | |
| 115 | drop | |
| 116 | policy-map CoPP_policy | |
| 117 | class CoPP_traffic | |
| 118 | police cir 32000 | |
| 119 | conform-action transmit | |
| 120 | exceed-action drop | |
| 121 | zone security LAN | |
| 122 | description LAN | |
| 123 | zone security PUBLIC | |
| 124 | description PUBLIC | |
| 125 | zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC | |
| 126 | description source LAN destination PUBLIC | |
| 127 | service-policy type inspect LAN-to-PUBLIC | |
| 128 | zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN | |
| 129 | description source PUBLIC destination LAN | |
| 130 | service-policy type inspect PUBLIC-to-LAN | |
| 131 | interface FastEthernet0/0 | |
| 132 | description WAN | |
| 133 | ip address 172.16.0.100 255.255.255.0 | |
| 134 | ip access-group no_LAN_IP_from_WAN in | |
| 135 | no ip redirects | |
| 136 | no ip unreachables | |
| 137 | no ip proxy-arp | |
| 138 | ip accounting output-packets | |
| 139 | ip accounting mac-address input | |
| 140 | ip accounting mac-address output | |
| 141 | ip nbar protocol-discovery | |
| 142 | ip nat outside | |
| 143 | ip virtual-reassembly | |
| 144 | zone-member security PUBLIC | |
| 145 | ip route-cache flow | |
| 146 | duplex auto | |
| 147 | speed auto | |
| 148 | no shut | |
| 149 | interface FastEthernet0/1 | |
| 150 | description LAN | |
| 151 | ip address 10.10.10.1 255.255.255.0 | |
| 152 | ip access-group LAN in | |
| 153 | no ip redirects | |
| 154 | no ip unreachables | |
| 155 | no ip proxy-arp | |
| 156 | ip accounting output-packets | |
| 157 | ip accounting mac-address input | |
| 158 | ip accounting mac-address output | |
| 159 | ip nbar protocol-discovery | |
| 160 | ip nat inside | |
| 161 | ip virtual-reassembly | |
| 162 | zone-member security LAN | |
| 163 | ip route-cache flow | |
| 164 | duplex auto | |
| 165 | speed auto | |
| 166 | arp probe interval 10 count 3 | |
| 167 | arp authorized | |
| 168 | arp timeout 3600 | |
| 169 | no shut | |
| 170 | ip forward-protocol nd | |
| 171 | ip route 0.0.0.0 0.0.0.0 172.16.0.1 | |
| 172 | ip flow-top-talkers | |
| 173 | top 20 | |
| 174 | sort-by bytes | |
| 175 | cache-timeout 3600000 | |
| 176 | no ip http server | |
| 177 | no ip http secure-server | |
| 178 | ip nat inside source list LAN interface FastEthernet0/0 overload | |
| 179 | ip access-list extended CoPP_traffic | |
| 180 | permit tcp any any eq telnet | |
| 181 | permit tcp any any eq 22 | |
| 182 | permit icmp any any | |
| 183 | ip access-list extended LAN | |
| 184 | remark LAN addresses allowed | |
| 185 | permit ip 10.10.10.0 0.0.0.255 any | |
| 186 | remark DHCP requests allowed | |
| 187 | permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc | |
| 188 | ip access-list extended WAN_hardening | |
| 189 | permit gre any any | |
| 190 | permit esp any any | |
| 191 | permit udp any any eq isakmp | |
| 192 | permit udp any any eq non500-isakmp | |
| 193 | permit icmp any any unreachable | |
| 194 | permit icmp any any echo-reply | |
| 195 | permit icmp any any packet-too-big | |
| 196 | permit icmp any any time-exceeded | |
| 197 | permit icmp any any traceroute | |
| 198 | permit icmp any any administratively-prohibited | |
| 199 | permit udp any any eq bootpc | |
| 200 | permit udp any eq domain any | |
| 201 | deny ip any any | |
| 202 | ip access-list extended no_LAN_IP_from_WAN | |
| 203 | remark No LAN IPs from the WAN allowed | |
| 204 | deny ip 10.10.10.0 0.0.0.255 any | |
| 205 | remark No private IPs from the WAN allowed | |
| 206 | deny ip 0.0.0.0 0.255.255.255 any | |
| 207 | deny ip 10.0.0.0 0.255.255.255 any | |
| 208 | deny ip 127.0.0.0 0.255.255.255 any | |
| 209 | deny ip 169.0.0.0 0.255.255.255 any | |
| 210 | deny ip 172.16.0.0 0.15.255.255 any | |
| 211 | deny ip 192.168.0.0 0.0.255.255 any | |
| 212 | deny ip 224.0.0.0 15.255.255.255 any | |
| 213 | deny ip host 255.255.255.255 any | |
| 214 | remark The rest will be checked by Zone Based Firewall | |
| 215 | permit ip any any | |
| 216 | ip sla 1 | |
| 217 | icmp-echo 8.8.8.8 | |
| 218 | frequency 30 | |
| 219 | ip sla schedule 1 start-time now life forever | |
| 220 | ip sla 2 | |
| 221 | dns ntp.ubuntu.com name-server 8.8.8.8 | |
| 222 | frequency 30 | |
| 223 | ip sla schedule 2 start-time now life forever | |
| 224 | no cdp run | |
| 225 | control-plane | |
| 226 | service-policy input CoPP_policy | |
| 227 | line con 0 | |
| 228 | exec-timeout 0 0 | |
| 229 | privilege level 15 | |
| 230 | logging synchronous | |
| 231 | line aux 0 | |
| 232 | exec-timeout 0 0 | |
| 233 | privilege level 15 | |
| 234 | logging synchronous | |
| 235 | line vty 0 4 | |
| 236 | exec-timeout 5 0 | |
| 237 | transport input ssh | |
| 238 | transport output all | |
| 239 | ntp clock-period 17179978 | |
| 240 | ntp server 91.189.94.4 | |
| 241 | event manager applet Internet_access_tracker_1_down | |
| 242 | event track 1 state down | |
| 243 | action 1.0 syslog msg "Possible Internet access outage or WAN link overload" | |
| 244 | event manager applet Internet_access_tracker_2_down | |
| 245 | event track 2 state down | |
| 246 | action 1.0 syslog msg "Possible Internet access outage or WAN link overload" | |
| 247 | event manager applet Internet_access_tracker_1_up | |
| 248 | event track 1 state up | |
| 249 | action 1.0 syslog msg "Internet access came back or utilisation fell back" | |
| 250 | event manager applet Internet_access_tracker_2_up | |
| 251 | event track 2 state up | |
| 252 | action 1.0 syslog msg "Internet access came back or utilisation fell back" | |
| 253 | end |
