!
! SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1400 CET
!
! by Crok
!
! Change the default username mgmt; password mgmt; enable mgmt
!
username mgmt privilege 15 secret mgmt
enable secret mgmt
!
!
! Features:
!
! +ZBFW - quite default
! +LAN DHCP (DNS=Google) + ARP hardening (after router restart clients must renegotiate IP address via DHCP!)
! +ControlPlane policing
! +Only incoming SSHv2 allowed
! +IP SLA + tracker + Event Manager Applets monitor Internet connectivity (generate SYSLOG message if fail)
! +NTP sync for proper SYSLOG message timestamps
! +To check the traffic flow on the router:
! -NetFlow configured with top talkers
! -IP accounting configured
! -IP MAC accounting configured
! -IP NBAR protocol discovery configured
!
! Network:
! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254]
!
! Copy from the top, including the username and enable config
crypto key generate rsa label SSH modulus 2048
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname SOHOROUTER
boot-start-marker
boot-end-marker
logging buffered 512000
aaa new-model
aaa authentication login default local-case enable
aaa authentication login console line enable none
aaa authentication enable default enable
aaa authorization exec default local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp pool LAN
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8
lease 0 1
update arp
ip name-server 8.8.8.8
login block-for 300 attempts 3 within 60
multilink bundle-name authenticated
parameter-map type inspect AGAINST_DOS
max-incomplete low 2500
max-incomplete high 3000
one-minute low 5000
one-minute high 5000
tcp max-incomplete host 300 block-time 0
sessions maximum 20000
ip tcp synwait-time 5
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
! bind SSH to the labelled key pair generated above (a key pair generated with a label does not enable SSH by itself)
ip ssh rsa keypair-name SSH
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
track 1 rtr 1
track 2 rtr 2
class-map type inspect match-any inspect-LAN-to-PUBLIC
match protocol http
match protocol bittorrent
match protocol ddns-v3
match protocol directconnect
match protocol edonkey
match protocol ftps
match protocol ftp
match protocol gnutella
match protocol https
match protocol ica
match protocol icabrowser
match protocol icmp
match protocol ipsec-msft
match protocol irc
match protocol ircs
match protocol isakmp
match protocol kazaa2
match protocol kerberos
match protocol l2tp
match protocol login
match protocol mgcp
match protocol ms-sql
match protocol ms-sna
match protocol ms-sql-m
match protocol mysql
match protocol netshow
match protocol netstat
match protocol nfs
match protocol ntp
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol rtsp
match protocol shell
match protocol cuseeme
match protocol h323
match protocol realmedia
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol tcp
match protocol udp
match protocol vdolive
match protocol dns
match protocol imap
match protocol imap3
match protocol pop3
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol ssh
match protocol telnet
match protocol pptp
match protocol smtp
match protocol snmp
match protocol snmptrap
match protocol sqlserv
match protocol sqlsrv
match protocol sshell
match protocol socks
match protocol stun
match protocol uucp
match protocol syslog
match protocol syslog-conn
match protocol telnets
match protocol x11
match protocol ymsgr
match access-group name LAN
class-map match-all CoPP_traffic
match access-group name CoPP_traffic
class-map type inspect match-any PUBLIC-to-LAN
match access-group name WAN_hardening
class-map type inspect match-any LAN-to-PUBLIC
match access-group name LAN
policy-map type inspect LAN-to-PUBLIC
class type inspect inspect-LAN-to-PUBLIC
inspect AGAINST_DOS
class class-default
drop
policy-map type inspect PUBLIC-to-LAN
class type inspect PUBLIC-to-LAN
pass
class class-default
drop
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
policy-map CoPP_policy
class CoPP_traffic
police cir 32000
conform-action transmit
exceed-action drop
zone security LAN
description LAN
zone security PUBLIC
description PUBLIC
zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
description source LAN destination PUBLIC
service-policy type inspect LAN-to-PUBLIC
zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN
description source PUBLIC destination LAN
service-policy type inspect PUBLIC-to-LAN
interface FastEthernet0/0
description WAN
ip address 172.16.0.100 255.255.255.0
ip access-group no_LAN_IP_from_WAN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting mac-address input
ip accounting mac-address output
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
zone-member safety PUBLIC
ip route-cache flow
duplex auto
speed auto
no shut
interface FastEthernet0/1
description LAN
ip address 10.10.10.1 255.255.255.0
ip access-group LAN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting mac-address input
ip accounting mac-address output
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
zone-member safety LAN
ip route-cache flow
duplex auto
speed auto
arp probe interval 10 count 3
arp authorized
arp timeout 3600
no shut
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip flow-top-talkers
top 20
sort-by bytes
cache-timeout 3600000
no ip http server
no ip http secure-server
ip nat inside source list LAN interface FastEthernet0/0 overload
ip access-list extended CoPP_traffic
permit tcp any any eq telnet
permit tcp any any eq 22
permit icmp any any
ip access-list extended LAN
remark LAN addresses allowed
permit ip 10.10.10.0 0.0.0.255 any
remark DHCP requests allowed
permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
ip access-list extended WAN_hardening
permit gre any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit icmp any any administratively-prohibited
permit udp any any eq bootpc
permit udp any eq domain any
deny ip any any
ip access-list extended no_LAN_IP_from_WAN
remark No LAN IPs from the WAN allowed
deny ip 10.10.10.0 0.0.0.255 any
remark No private/bogon source IPs from the WAN allowed
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
remark link-local is 169.254/16 only; 169/8 as a whole is public space
deny ip 169.254.0.0 0.0.255.255 any
remark NOTE: this template's WAN (172.16.0.0/24, gw 172.16.0.1) is itself inside 172.16/12
remark so gateway-sourced packets (ICMP errors etc.) are dropped as well; narrow it if needed
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip host 255.255.255.255 any
remark The rest will be checked by the Zone Based Firewall
permit ip any any
ip sla 1
icmp-echo 8.8.8.8
frequency 30
ip sla schedule 1 start-time now life forever
ip sla 2
dns ntp.ubuntu.com name-server 8.8.8.8
frequency 30
ip sla schedule 2 start-time now life forever
no cdp run
control-plane
service-policy input CoPP_policy
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
exec-timeout 5 0
transport input ssh
transport output all
! ntp clock-period is computed by the router itself; this line can be omitted when pasting
ntp clock-period 17179978
ntp server 91.189.94.4
event manager applet Internet_access_tracker_1_down
event track 1 state down
action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_2_down
event track 2 state down
action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_1_up
event track 1 state up
action 1.0 syslog msg "Internet access came back or utilization fell back"
event manager applet Internet_access_tracker_2_up
event track 2 state up
action 1.0 syslog msg "Internet access came back or utilization fell back"
end
! Save the configuration
wr
!
! and stop here - then paste to the router
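! The following is an added example, not part of the template and not Crok's code: a small
! Python script that evaluates sample source addresses against a model of the no_LAN_IP_from_WAN
! ACL using IOS wildcard-mask semantics, so the effect of an entry can be checked offline before
! pasting. It assumes only the source address of each entry matters (true for this ACL, where every
! destination is "any") and models the implicit deny at the end. CORRECTED_ACL, which narrows the
! 169/8 entry to 169.254.0.0 0.0.255.255, is the editor's suggested fix, not the template's own line;
! the sample addresses are constructed.

```python
"""Offline check of IOS wildcard-mask ACL entries (added example, not from the template)."""
import ipaddress

# Model of the template's no_LAN_IP_from_WAN ACL as (action, network, wildcard).
# Only the source address is modelled; every entry in that ACL has destination
# "any", so for this ACL the model is exact.
TEMPLATE_ACL = [
    ("deny", "10.10.10.0", "0.0.0.255"),       # own LAN
    ("deny", "0.0.0.0", "0.255.255.255"),      # 0/8
    ("deny", "10.0.0.0", "0.255.255.255"),     # 10/8
    ("deny", "127.0.0.0", "0.255.255.255"),    # loopback
    ("deny", "169.0.0.0", "0.255.255.255"),    # as originally written: all of 169/8
    ("deny", "172.16.0.0", "0.15.255.255"),    # 172.16/12
    ("deny", "192.168.0.0", "0.0.255.255"),    # 192.168/16
    ("deny", "224.0.0.0", "15.255.255.255"),   # multicast 224/4
    ("deny", "255.255.255.255", "0.0.0.0"),    # "host 255.255.255.255"
    ("permit", "0.0.0.0", "255.255.255.255"),  # "permit ip any any"
]

# Editor's correction (an assumption, not the template's line): link-local only.
CORRECTED_ACL = [
    ("deny", "169.254.0.0", "0.0.255.255") if net == "169.0.0.0" else (act, net, wc)
    for act, net, wc in TEMPLATE_ACL
]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)


def acl_action(acl, src):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def wildcard_to_prefix(network, wildcard):
    """Translate a contiguous wildcard to CIDR notation (handy when auditing bogon lists)."""
    wc = _to_int(wildcard)
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard %s has no single CIDR equivalent" % wildcard)
    prefix_len = 32 - bin(wc).count("1")
    return str(ipaddress.IPv4Network((network, prefix_len), strict=False))


def audit(acl, sources):
    """Return {source: action} for a list of sample sources."""
    return {src: acl_action(acl, src) for src in sources}


if __name__ == "__main__":
    # Constructed sample sources: a public 169/8 host, a link-local host, the template's
    # own LAN, the upstream gateway from the template diagram, and a public DNS server.
    samples = ["169.1.2.3", "169.254.10.1", "10.10.10.5", "172.16.0.1", "8.8.8.8"]
    for name, acl in (("template", TEMPLATE_ACL), ("corrected", CORRECTED_ACL)):
        print(name, audit(acl, samples))
    for net, wc in (("172.16.0.0", "0.15.255.255"), ("224.0.0.0", "15.255.255.255")):
        print(net, wc, "->", wildcard_to_prefix(net, wc))
```

! Running it shows the two points the remarks in the ACL make: the original 169.0.0.0 0.255.255.255
! entry drops a public 169.1.2.3 source that the corrected list permits, and 172.16.0.1, the upstream
! gateway of this template, is dropped by the 172.16/12 entry in both versions.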