
Soho Cisco Router Config Template V0.1.2


!
!   SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1400 CET
!
!   by Crok
!
!   Change the default username (mgmt), its password (mgmt) and the enable secret (mgmt) before pasting
!
    username mgmt privilege xv clandestine mgmt
    enable clandestine mgmt
!
!
!   Features:
!
! +ZBFW - fairly default
! +LAN DHCP (DNS=Google) + ARP hardening (after a router restart, clients must renegotiate their IP address via DHCP!)
! +Control-plane policing
! +Only incoming SSHv2 allowed for management
! +IP SLA + tracker + Event Manager applets monitor Internet connectivity (generate a SYSLOG message on failure and recovery)
! +NTP sync for proper SYSLOG message timestamps
! +To check the traffic flow on the router:
!  -NetFlow configured with top talkers
!  -IP accounting configured
!  -IP MAC accounting configured
!  -IP NBAR protocol discovery configured
!
! Network:
! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254]
!
! Copy from the top, including the username and enable lines above
crypto telephone commutation generate rsa label SSH modulus 2048
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname SOHOROUTER
boot-start-marker
boot-end-marker
logging buffered 512000
aaa new-model
aaa authentication login default local-case enable
aaa authentication login console line of piece of occupation enable none
aaa authentication enable default enable
aaa potency exec default local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip dhcp purpose vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp puddle LAN
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8
   lease 0 1
   update arp
ip name-server 8.8.8.8
login block-for 300 attempts iii within 60
multilink bundle-name authenticated
parameter-map type inspect AGAINST_DOS
 max-incomplete low  2500
 max-incomplete high 3000
 one-minute depression 5000
 one-minute high 5000
 tcp max-incomplete host 300 block-time 0
 sessions maximum 20000
ip tcp synwait-time 5
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
! and stop here - then paste into the router
! ----------------------------------------
! Copy from here
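! Trackers bound to the IP SLA probes; the EEM applets at the end of the template react to them.
track 1 rtr 1
track 2 rtr 2
! LAN-originated traffic the firewall stateful-inspects on the way out.
! match-any is evaluated top-down (first match wins), so the protocol-specific
! entries (ftp, sip, h323, ...) must stay ABOVE the generic tcp/udp/icmp entries
! or their application-layer inspection is lost. Anything not matched here lands
! in class-default and is dropped.
class-map type inspect match-any inspect-LAN-to-PUBLIC
 match protocol http
 match protocol bittorrent
 match protocol ddns-v3
 match protocol directconnect
 match protocol edonkey
 match protocol ftps
 match protocol ftp
 match protocol gnutella
 match protocol https
 match protocol ica
 match protocol icabrowser
 match protocol icmp
 match protocol ipsec-msft
 match protocol irc
 match protocol ircs
 match protocol isakmp
 match protocol kazaa2
 match protocol kerberos
 match protocol l2tp
 match protocol login
 match protocol mgcp
 match protocol ms-sql
 match protocol ms-sna
 match protocol ms-sql-m
 match protocol mysql
 match protocol netshow
 match protocol netstat
 match protocol nfs
 match protocol ntp
 match protocol oracle
 match protocol oracle-em-vp
 match protocol oraclenames
 match protocol rtsp
 match protocol shell
 match protocol cuseeme
 match protocol h323
 match protocol realmedia
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol tcp
 match protocol udp
 match protocol vdolive
 match protocol dns
 match protocol imap
 match protocol imap3
 match protocol pop3
 match protocol sip
 match protocol sip-tls
 match protocol skinny
 match protocol ssh
 match protocol telnet
 match protocol pptp
 match protocol smtp
 match protocol snmp
 match protocol snmptrap
 match protocol sqlserv
 match protocol sqlsrv
 match protocol sshell
 match protocol socks
 match protocol stun
 match protocol uucp
 match protocol syslog
 match protocol syslog-conn
 match protocol telnets
 match protocol x11
 match protocol ymsgr
 match access-group name LAN
! Packets punted to the CPU that the CoPP policy rate-limits (see the CoPP_traffic ACL).
class-map match-all CoPP_traffic
 match access-group name CoPP_traffic
! Unsolicited WAN->LAN packets admitted by the WAN_hardening ACL.
class-map type inspect match-any PUBLIC-to-LAN
 match access-group name WAN_hardening
! NOTE(review): defined but not referenced by any policy-map; the LAN-to-PUBLIC
! policy uses inspect-LAN-to-PUBLIC instead. Kept so nothing else breaks.
class-map type inspect match-any LAN-to-PUBLIC
 match access-group name LAN
policy-map type inspect LAN-to-PUBLIC
 class type inspect inspect-LAN-to-PUBLIC
  inspect AGAINST_DOS
 class class-default
  drop
! `pass` is stateless and one-way: matched packets are let through without a
! session being created. Return traffic of LAN-initiated sessions is already
! admitted by the inspect action above, so whatever WAN_hardening permits is
! reachable from the Internet unsolicited.
policy-map type inspect PUBLIC-to-LAN
 class type inspect PUBLIC-to-LAN
  pass
 class class-default
  drop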
!
! and stop here - then paste into the router
! ----------------------------------------
! Copy from here
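! Control-plane policing: SSH/ICMP (and telnet probes) punted to the CPU are capped
! at 32 kbps; everything else (class-default) is left unpoliced.
policy-map CoPP_policy
 class CoPP_traffic
   police cir 32000
     conform-action transmit
     exceed-action drop
zone security LAN
 description LAN
zone security PUBLIC
 description PUBLIC
zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
 description source LAN destination PUBLIC
 service-policy type inspect LAN-to-PUBLIC
zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN
 description source PUBLIC destination LAN
 service-policy type inspect PUBLIC-to-LAN
! NOTE(review): no zone-pair involves the router's own "self" zone, so traffic
! addressed to the router (SSH, ICMP, NTP) is not filtered by ZBFW; CoPP and
! whatever access-class is applied to the vty lines are the only controls on
! management access from the WAN side.
interface FastEthernet0/0
 description WAN
 ip address 172.16.0.100 255.255.255.0
 ! anti-spoofing filter; what it permits is then subject to ZBFW
 ip access-group no_LAN_IP_from_WAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 zone-member security PUBLIC
 ip route-cache flow
 duplex auto
 speed auto
 no shut
interface FastEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ! only LAN-sourced packets and DHCP requests enter here
 ip access-group LAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip route-cache flow
 duplex auto
 speed auto
 ! Authorized ARP: only DHCP-learned bindings are accepted, entries are probed
 ! every 10 s (3 tries) and expire with the 1 h lease. Because the DHCP binding
 ! table is lost on reload, clients must re-DHCP after a router restart.
 arp probe interval 10 count 3
 arp authorized
 arp timeout 3600
 no shut
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3600000
! No HTTP/HTTPS management interface at all.
no ip http server
no ip http secure-server
! PAT every LAN source onto the WAN interface address.
ip nat inside source list LAN interface FastEthernet0/0 overload
! Punted packets that CoPP polices. Telnet never reaches EXEC (vty transport is
! ssh-only) but is listed so telnet probes are rate-limited instead of unpoliced.
ip access-list extended CoPP_traffic
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit icmp any any
! Used three ways: ingress filter on Fa0/1, NAT inside source list, and the
! inspect class-map. The second entry admits DHCP DISCOVER/REQUEST from
! unconfigured clients (source 0.0.0.0 to the limited broadcast).
ip access-list extended LAN
 remark LAN addresses allowed
 permit ip 10.10.10.0 0.0.0.255 any
 remark DHCP requests allowed
 permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc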
!
! and stop here - then paste into the router
! ----------------------------------------
! Copy from here
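! Unsolicited WAN->LAN traffic that the PUBLIC-to-LAN policy passes statelessly.
! Return traffic for LAN-initiated sessions is already admitted by the inspect
! action, so every line here only widens exposure; trim it to what is actually used.
ip access-list extended WAN_hardening
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 permit udp any any eq bootpc
 remark NOTE(review): any UDP packet with source port 53 is admitted, regardless of destination port
 permit udp any eq domain any
 deny   ip any any
! Anti-spoofing filter on the WAN interface: drop packets claiming a LAN, private,
! loopback, link-local, multicast or reserved source address. Everything else is
! left to the zone-based firewall.
ip access-list extended no_LAN_IP_from_WAN
 remark No LAN IPs from the WAN allowed
 deny   ip 10.10.10.0 0.0.0.255 any
 remark The upstream gateway (172.16.0.1 in the network diagram) lies inside 172.16.0.0/12;
 remark permit it explicitly or its ICMP errors are dropped by the private-range deny below.
 permit ip host 172.16.0.1 any
 remark No private or reserved IPs from the WAN allowed
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark link-local is 169.254.0.0/16; 169.0.0.0/8 would also drop legitimate public sources
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 15.255.255.255 any
 deny   ip host 255.255.255.255 any
 remark The rest will be checked by the Zone Based Firewall
 permit ip any any
! Sources allowed to open SSH sessions to the router: LAN hosts only. ZBFW does not
! restrict the self zone, so without this list the SSH server is reachable from the WAN.
ip access-list standard VTY_MGMT
 permit 10.10.10.0 0.0.0.255
 deny   any log
! Connectivity probes every 30 s: ICMP echo to 8.8.8.8 and a DNS lookup via 8.8.8.8.
ip sla 1
 icmp-echo 8.8.8.8
 frequency 30
ip sla schedule 1 start-time now life forever
ip sla 2
 dns ntp.ubuntu.com name-server 8.8.8.8
 frequency 30
ip sla schedule 2 start-time now life forever
no cdp run
control-plane
 service-policy input CoPP_policy
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
! NOTE(review): the aux port stays enabled with no idle timeout (login still goes
! through the default AAA list). If nothing is attached, `transport input none` and
! `no exec` here reduce the physical attack surface.
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 access-class VTY_MGMT in
 exec-timeout 5 0
 transport input ssh
 transport output all
! `ntp clock-period` is calculated by IOS itself and must not be pasted by hand.
! NTP is unauthenticated here; log timestamps are only as trustworthy as the path
! to this server.
ntp server 91.189.94.4
event manager applet Internet_access_tracker_1_down
 event track 1 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_2_down
 event track 2 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_1_up
 event track 1 state up
 action 1.0 syslog msg "Internet access came back or usage fell back"
event manager applet Internet_access_tracker_2_up
 event track 2 state up
 action 1.0 syslog msg "Internet access came back or usage fell back"
end
! Save the configuration
wr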
!
! and stop here - then paste into the router