
SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2

!
!   SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1400 CET
!
!   by Crok
!
!   Change the default username (mgmt), its password (mgmt) and the enable secret (mgmt)
!
    ! Placeholder administrator account and enable secret: username, its secret
    ! and the enable secret are all "mgmt". Replace all three before pasting.
    ! "privilege 15" means this user lands at full privilege straight after login.
    ! "service password-encryption" further down does not strengthen these
    ! "secret" values (they are hashed already); it only obfuscates line passwords.
    username mgmt privilege 15 secret mgmt
    enable secret mgmt
!
!
!   Features:
!
! +ZBFW - quite default
! +LAN DHCP (DNS=Google) + ARP hardening (after router restart clients must renegotiate IP address via DHCP!)
! +ControlPlane policing
! +Only incoming SSHv2 allowed
! +IP SLA + tracker + Event Manager Applets monitor the Internet connection (generate a SYSLOG message on failure)
! +NTP sync for proper SYSLOG message timestamps
! +To check the traffic flow on the router:
!  -Netflow configured with top talkers
!  -IP accounting configured
!  -IP MAC accounting configured
!  -IP NBAR protocol discovery configured
!
! Network:
! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254]
!
! Copy from the top, including the username and enable config
! Global services and hardening; pasted right after the username/enable lines.
! Generates the RSA host key under the label "SSH". Nothing in this template
! points the SSH server at that label (there is no "ip ssh rsa keypair-name SSH"),
! NOTE(review): confirm on the target release that this is the key SSH uses,
! and whether "ip domain-name" must be set before the key can be generated.
crypto key generate rsa label SSH modulus 2048
! Millisecond timestamps on debug and log output; NTP (end of template) keeps them accurate.
service timestamps debug datetime msec
service timestamps log datetime msec
! Obfuscates (type 7) plaintext passwords in the config; the "secret" values are hashed anyway.
service password-encryption
hostname SOHOROUTER
boot-start-marker
boot-end-marker
! 512000-byte local log buffer. The template configures no "logging host",
! so the EEM syslog messages at the end only land in this buffer.
logging buffered 512000
! AAA: logins try the case-sensitive local user database, then the enable
! secret. The "console" method list (line password, enable, then none) is
! defined but no line below applies it with "login authentication console",
! so the console and AUX lines fall back to the default list as well.
aaa new-model
aaa authentication login default local-case enable
aaa authentication login console line enable none
aaa authentication enable default enable
aaa authorization exec default local
aaa session-id common
! NOTE(review): platform-specific I/O memory split; not every router accepts this command.
memory-size iomem 5
! Rate-limiting of ICMP unreachables is switched off here, while both
! interfaces below suppress unreachables entirely with "no ip unreachables".
no ip icmp rate-limit unreachable
ip cef
! LAN DHCP: clients get 10.10.10.100-254 (.1-.99 excluded), gateway .1,
! Google DNS, a 1-hour lease ("lease days hours"). "update arp" pairs with
! "arp authorized" on FastEthernet0/1: only DHCP-assigned hosts get ARP entries.
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp pool LAN
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8
   lease 0 1
   update arp
ip name-server 8.8.8.8
! Login brute-force protection: 3 failed attempts within 60 s quiet the router for 300 s.
login block-for 300 attempts 3 within 60
multilink bundle-name authenticated
! Half-open session thresholds used by the "inspect" action in policy-map
! LAN-to-PUBLIC. one-minute low equals high, so the half-open-session
! protection starts and stops at the same rate - check whether that is meant.
! NOTE(review): "block-time 0" presumably deletes the oldest half-open
! session to a host instead of blocking new ones; verify against the IOS docs.
parameter-map type inspect AGAINST_DOS
 max-incomplete low  2500
 max-incomplete high 3000
 one-minute low 5000
 one-minute high 5000
 tcp max-incomplete host 300 block-time 0
 sessions maximum 20000
! The router's own TCP connections give up after 5 s without a SYN-ACK.
ip tcp synwait-time 5
! SSH server: 60 s negotiation timeout, 2 authentication retries, version 2 only.
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
! Tracking objects that follow ip sla 1 (ICMP echo) and ip sla 2 (DNS),
! defined further down; their state changes drive the EEM applets at the end.
! "rtr" is the older keyword; newer releases use "track 1 ip sla 1 reachability".
track 1 rtr 1
track 2 rtr 2
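! LAN-to-PUBLIC traffic that policy-map LAN-to-PUBLIC inspects. With
! match-any, the access-group LAN line (10.10.10.0/24 sources) already
! matches every LAN flow; the protocol lines add application-level
! inspection where the IOS release has an engine for that protocol, and the
! generic tcp/udp/icmp lines cover the rest. Each protocol is listed once.
class-map type inspect match-any inspect-LAN-to-PUBLIC
 match protocol http
 match protocol bittorrent
 match protocol ddns-v3
 match protocol directconnect
 match protocol edonkey
 match protocol ftps
 match protocol ftp
 match protocol gnutella
 match protocol https
 match protocol ica
 match protocol icabrowser
 match protocol icmp
 match protocol ipsec-msft
 match protocol irc
 match protocol ircs
 match protocol isakmp
 match protocol kazaa2
 match protocol kerberos
 match protocol l2tp
 match protocol login
 match protocol mgcp
 match protocol ms-sql
 match protocol ms-sna
 match protocol ms-sql-m
 match protocol mysql
 match protocol netshow
 match protocol netstat
 match protocol nfs
 match protocol ntp
 match protocol oracle
 match protocol oracle-em-vp
 match protocol oraclenames
 match protocol rtsp
 match protocol shell
 match protocol cuseeme
 match protocol h323
 match protocol realmedia
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol tcp
 match protocol udp
 match protocol vdolive
 match protocol dns
 match protocol imap
 match protocol imap3
 match protocol pop3
 match protocol sip
 match protocol sip-tls
 match protocol skinny
 match protocol ssh
 match protocol telnet
 match protocol pptp
 match protocol smtp
 match protocol snmp
 match protocol snmptrap
 match protocol sqlserv
 match protocol sqlsrv
 match protocol sshell
 match protocol socks
 match protocol stun
 match protocol uucp
 match protocol syslog
 match protocol syslog-conn
 match protocol telnets
 match protocol x11
 match protocol ymsgr
 match access-group name LAN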
! Traffic towards the control plane that CoPP_policy rate-limits (ACL CoPP_traffic).
class-map match-all CoPP_traffic
 match access-group name CoPP_traffic
! Unsolicited PUBLIC-to-LAN traffic the firewall passes (ACL WAN_hardening).
class-map type inspect match-any PUBLIC-to-LAN
 match access-group name WAN_hardening
! NOTE(review): no policy-map in this template references this class-map;
! policy-map LAN-to-PUBLIC uses inspect-LAN-to-PUBLIC instead. Dead definition?
class-map type inspect match-any LAN-to-PUBLIC
 match access-group name LAN
! Outbound: stateful inspection with the AGAINST_DOS thresholds; return
! traffic for inspected flows is admitted automatically. Anything from the
! LAN that is not in the class (non-10.10.10.0/24 sources) is dropped.
policy-map type inspect LAN-to-PUBLIC
 class type inspect inspect-LAN-to-PUBLIC
  inspect AGAINST_DOS
 class class-default
  drop
! Inbound: WAN_hardening matches are passed (stateless, one direction only;
! the reverse direction must be allowed separately), everything else is dropped.
policy-map type inspect PUBLIC-to-LAN
 class type inspect PUBLIC-to-LAN
  pass
 class class-default
  drop
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
! Control-plane policing: SSH/telnet/ICMP addressed to the router itself
! (ACL CoPP_traffic) is limited to 32000 bit/s; excess is dropped. Other
! control-plane traffic is not classified here and passes unpoliced.
policy-map CoPP_policy
 class CoPP_traffic
   police cir 32000
     conform-action transmit
     exceed-action drop
! Zone-based firewall: two zones, one zone-pair per direction, each bound
! to the matching inspect policy-map above. No zone-pair involves the
! router's own "self" zone, so management traffic to the router is not
! filtered by the firewall (only by CoPP and the line configuration).
zone security LAN
 description LAN
zone security PUBLIC
 description PUBLIC
zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
 description source LAN destination PUBLIC
 service-policy type inspect LAN-to-PUBLIC
zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN
 description source PUBLIC destination LAN
 service-policy type inspect PUBLIC-to-LAN
! WAN side: static 172.16.0.100/24, NAT outside, zone PUBLIC. Inbound
! anti-spoofing ACL no_LAN_IP_from_WAN; ICMP redirects/unreachables and
! proxy ARP off; IP/MAC accounting, NBAR discovery and NetFlow cache on
! for the traffic-visibility features listed in the header.
interface FastEthernet0/0
 description WAN
 ip address 172.16.0.100 255.255.255.0
 ip access-group no_LAN_IP_from_WAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 zone-member security PUBLIC
 ip route-cache flow
 duplex auto
 speed auto
 no shut
! LAN side: 10.10.10.1/24, NAT inside, zone LAN. Inbound ACL LAN drops
! anything not sourced from 10.10.10.0/24 (except DHCP discovery).
! ARP hardening: "arp authorized" accepts only ARP entries installed by the
! DHCP server ("update arp" in pool LAN), so statically addressed hosts will
! not be reachable; "arp timeout 3600" matches the 1-hour lease.
! NOTE(review): "arp probe interval 10 count 3" - presumably probes entries
! before they age out; confirm the exact semantics on the target release.
interface FastEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group LAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting mac-address input
 ip accounting mac-address output
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip route-cache flow
 duplex auto
 speed auto
 arp probe interval 10 count 3
 arp authorized
 arp timeout 3600
 no shut
! Default route via the upstream gateway 172.16.0.1 (see network diagram).
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
! NetFlow top talkers: top 20 flows by bytes, kept for 3600000 ms (1 hour).
! No "ip flow-export" is configured, so NetFlow data stays on the router.
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3600000
! Web management disabled on both plain and TLS ports.
no ip http server
no ip http secure-server
! PAT: every source permitted by ACL LAN is translated to the WAN address.
ip nat inside source list LAN interface FastEthernet0/0 overload
! Classifier for CoPP_policy. The vty lines only accept SSH ("transport
! input ssh"), so the telnet entry merely rate-limits attempts that will be
! refused anyway.
ip access-list extended CoPP_traffic
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit icmp any any
! Used in three places: inbound ACL on FastEthernet0/1, NAT source list and
! the match in the inspect class-maps - a change here affects all three.
! The bootps/bootpc line lets unconfigured clients (source 0.0.0.0,
! broadcast destination) reach the DHCP server.
ip access-list extended LAN
 remark LAN addresses allowed
 permit ip 10.10.10.0 0.0.0.255 any
 remark DHCP requests allowed
 permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
! Unsolicited PUBLIC-to-LAN traffic that policy-map PUBLIC-to-LAN passes:
! VPN pass-through (GRE, ESP, IKE on 500 and NAT-T on 4500) and the ICMP
! messages that path-MTU discovery and traceroute depend on.
! NOTE(review): "permit udp any eq domain any" passes any packet whose
! source port is 53, whatever the destination. DNS replies to LAN clients
! are already admitted statefully by the dns match in inspect-LAN-to-PUBLIC,
! so this line looks unnecessary. The bootpc line looks like a leftover for
! a DHCP-addressed WAN; FastEthernet0/0 has a static address here - verify.
ip access-list extended WAN_hardening
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 permit udp any any eq bootpc
 permit udp any eq domain any
 deny   ip any any
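! Inbound anti-spoofing on the WAN interface: drop packets claiming a LAN,
! "this network", private, loopback, link-local, multicast or broadcast
! source; everything else goes on to the zone-based firewall.
! Link-local is 169.254.0.0/16 - a /8 here would also drop public address space.
! NOTE(review): the 172.16.0.0/12 entry also covers the upstream gateway
! 172.16.0.1 of the default route (see the network diagram), so anything the
! gateway itself sends - its ICMP replies, for instance - is dropped. Fine for
! a public WAN; check whether the WAN really sits in 172.16.0.0/24.
ip access-list extended no_LAN_IP_from_WAN
 remark No LAN IPs from the WAN allowed
 deny   ip 10.10.10.0 0.0.0.255 any
 remark No private IPs from the WAN allowed
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Link-local (169.254.0.0/16), not the whole 169/8
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip host 255.255.255.255 any
 remark The rest will be checked by Zone Based Firewall
 permit ip any any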
! Internet reachability probes, every 30 s, running forever from now:
! sla 1 pings 8.8.8.8, sla 2 resolves ntp.ubuntu.com through 8.8.8.8.
! track 1 / track 2 follow their state and feed the EEM applets at the end.
ip sla 1
 icmp-echo 8.8.8.8
 frequency 30
ip sla schedule 1 start-time now life forever
ip sla 2
 dns ntp.ubuntu.com name-server 8.8.8.8
 frequency 30
ip sla schedule 2 start-time now life forever
! CDP off globally (no neighbour advertisements on the WAN); CoPP_policy
! applied to traffic entering the control plane.
no cdp run
control-plane
 service-policy input CoPP_policy
! Console and AUX: never time out (exec-timeout 0 0) and land at privilege
! 15 after the AAA default login (local user, then enable secret).
! Consider "no exec" on AUX while nothing is attached to it.
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
! VTY: SSH only, 5-minute idle timeout. NOTE(review): nothing in this
! template restricts where SSH sessions may come from (no "access-class" on
! the vty lines, no self-zone policy), so the server is reachable from the
! WAN as well; only "login block-for" and CoPP limit abuse from there.
line vty 0 4
 exec-timeout 5 0
 transport input ssh
 transport output all
! NOTE(review): "ntp clock-period" is a value the router computes and writes
! into its own running config; it should not be carried in a template - drop it.
! Single unauthenticated upstream server (presumably the address ntp.ubuntu.com
! resolves to, cf. ip sla 2); no ntp authentication or access-group is configured.
ntp clock-period 17179978
ntp server 91.189.94.4
! EEM applets: one per tracker and direction; each state change of track 1
! (ICMP probe) or track 2 (DNS probe) writes one syslog message to the local
! log buffer (no remote syslog destination is configured in this template).
event manager applet Internet_access_tracker_1_down
 event track 1 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_2_down
 event track 2 state down
 action 1.0 syslog msg "Possible Internet access outage or WAN link overload"
event manager applet Internet_access_tracker_1_up
 event track 1 state up
 action 1.0 syslog msg "Internet access came back or utilisation fell back"
event manager applet Internet_access_tracker_2_up
 event track 2 state up
 action 1.0 syslog msg "Internet access came back or utilisation fell back"
! Leave configuration mode, then save ("wr" = write memory).
end
! Save the configuration
wr
!
! and stop here - then paste to the router

