SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2
!
! SOHO CISCO ROUTER CONFIG TEMPLATE v0.1.2 - 2013.04.13 1400 CET
!
! by Crok
!
! Change the default username mgmt; password mgmt; enable mgmt
!
! --- Management credentials: placeholders, change them before pasting (see header) ---
! Local admin user with privilege 15; "secret" stores a hash rather than the clear text,
! and so does "enable secret" (neither depends on "service password-encryption").
username mgmt privilege 15 secret mgmt
enable secret mgmt
!
!
! Features:
!
! +ZBFW - quite default
! +LAN DHCP (DNS=Google) + ARP hardening (after a router restart, clients must renegotiate their IP address via DHCP!)
! +ControlPlane policing
! +Only incoming SSHv2 allowed
! +IP SLA + tracker + Event Manager Applets monitor the Internet connection (generate a SYSLOG message on failure)
! +NTP sync for proper SYSLOG message timestamps
! +To check the traffic flow on the router:
! -Netflow configured with top talkers
! -IP accounting configured
! -IP MAC accounting configured
! -IP NBAR protocol discovery configured
!
! Network:
! defgw 172.16.0.1--172.16.0.100[Fa0/0-NAT_OUT[ROUTER]NAT_IN-Fa0/1]10.10.10.1--HOSTS[DHCP:10.10.10.100-254]
!
! Copy from the top, including the username and enable config
! --- SSH host key (2048-bit RSA under the label SSH) ---
! NOTE(review): no "ip domain-name" and no "ip ssh rsa keypair-name SSH" appear in
! this template - confirm on the target image that the key generates and that the
! SSH server actually uses this labelled key rather than a default one.
crypto key generate rsa label SSH modulus 2048
! Millisecond timestamps on debug and log output; meaningful once NTP (last section) is in sync.
service timestamps debug datetime msec
service timestamps log datetime msec
! Obfuscates type-7 passwords in the config; the "secret" lines above are hashed independently of it.
service password-encryption
hostname SOHOROUTER
boot-start-marker
boot-end-marker
! Local log buffer in bytes; the EEM applets in the last section write their SYSLOG messages here.
logging buffered 512000
! --- AAA ---
aaa new-model
! Default login list: local user database (case-sensitive usernames), then the enable secret.
aaa authentication login default local-case enable
! Named list for the console: line password, then enable secret, then no authentication.
! NOTE(review): nothing applies this list ("login authentication console" is not set on
! line con 0), so the console currently uses the default list above; if it is ever
! applied, the trailing "none" is reached only when neither a line password nor an
! enable secret is configured.
aaa authentication login console line enable none
aaa authentication enable default enable
aaa authorization exec default local
aaa session-id common
memory-size iomem 5
! Unreachables are disabled per interface below; this only removes the rate limiter.
no ip icmp rate-limit unreachable
ip cef
no ip dhcp use vrf connected
! --- LAN DHCP: .1-.99 reserved for static hosts, .100-.254 handed out ---
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp pool LAN
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8
! Lease of 0 days 1 hour.
lease 0 1
! Create ARP entries from DHCP bindings; together with "arp authorized" on Fa0/1
! this is why clients must re-run DHCP after a reload (see the feature list).
update arp
ip name-server 8.8.8.8
! Login throttling: 3 failed attempts within 60 s -> logins blocked for 300 s.
! NOTE(review): without "login quiet-mode access-class" every remote source is
! blocked during the quiet period, the administrator included.
login block-for 300 attempts 3 within 60
multilink bundle-name authenticated
! --- Half-open session limits used by the "inspect AGAINST_DOS" action ---
parameter-map type inspect AGAINST_DOS
max-incomplete low 2500
max-incomplete high 3000
one-minute low 5000
one-minute high 5000
! Per-host half-open TCP limit; block-time 0: no blocking period is imposed on the
! host, only the limit (confirm exact semantics on the target image).
tcp max-incomplete host 300 block-time 0
sessions maximum 20000
! Give up on unanswered TCP connects originated by the router after 5 s.
ip tcp synwait-time 5
! --- SSH server: version 2 only, 60 s to complete authentication, 2 retries ---
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
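! Object trackers bound to the two IP SLA probes defined in the last section
! ("rtr" is the legacy keyword for an IP SLA operation); the EEM applets there
! fire on their up/down transitions.
track 1 rtr 1
track 2 rtr 2
! --- ZBFW classes ---
! Outbound LAN -> PUBLIC traffic that gets stateful inspection. match-any: a single
! hit selects the class. "tcp", "udp" and "icmp" already cover every flow at layer 4;
! the application names are kept so that, where the IOS image supports it,
! protocol-aware inspection applies (e.g. the FTP data channel) - confirm on the
! target image which of them are honoured.
! Entries the original listed twice (shell, rtsp, icmp, isakmp, sql-net, telnet)
! appear once here; a repeated match line adds nothing to a match-any class.
class-map type inspect match-any inspect-LAN-to-PUBLIC
match protocol http
match protocol bittorrent
match protocol ddns-v3
match protocol directconnect
match protocol edonkey
match protocol ftps
match protocol ftp
match protocol gnutella
match protocol https
match protocol ica
match protocol icabrowser
match protocol icmp
match protocol ipsec-msft
match protocol irc
match protocol ircs
match protocol isakmp
match protocol kazaa2
match protocol kerberos
match protocol l2tp
match protocol login
match protocol mgcp
match protocol ms-sql
match protocol ms-sna
match protocol ms-sql-m
match protocol mysql
match protocol netshow
match protocol netstat
match protocol nfs
match protocol ntp
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol rtsp
match protocol shell
match protocol cuseeme
match protocol h323
match protocol realmedia
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol tcp
match protocol udp
match protocol vdolive
match protocol dns
match protocol imap
match protocol imap3
match protocol pop3
match protocol sip
match protocol sip-tls
match protocol skinny
match protocol ssh
match protocol telnet
match protocol pptp
match protocol smtp
match protocol snmp
match protocol snmptrap
match protocol sqlserv
match protocol sqlsrv
match protocol sshell
match protocol socks
match protocol stun
match protocol uucp
match protocol syslog
match protocol syslog-conn
match protocol telnets
match protocol x11
match protocol ymsgr
! Catch-all: anything else sourced from the LAN ACL (defined in the next section).
match access-group name LAN
! Control-plane traffic to be policed (ACL defined in the next section).
class-map match-all CoPP_traffic
match access-group name CoPP_traffic
! Inbound PUBLIC -> LAN traffic admitted without inspection (ACL in the last section).
class-map type inspect match-any PUBLIC-to-LAN
match access-group name WAN_hardening
! NOTE(review): this class is not referenced by any policy-map; the outbound policy
! uses inspect-LAN-to-PUBLIC above. Kept unchanged, but it can be deleted.
class-map type inspect match-any LAN-to-PUBLIC
match access-group name LAN
! --- ZBFW policies ---
! Outbound: inspect with the AGAINST_DOS limits, drop everything unclassified.
policy-map type inspect LAN-to-PUBLIC
class type inspect inspect-LAN-to-PUBLIC
inspect AGAINST_DOS
class class-default
drop
! Inbound: "pass" lets the WAN_hardening matches through statelessly (no session
! state is kept, so nothing is opened for the reverse direction); the rest is dropped.
policy-map type inspect PUBLIC-to-LAN
class type inspect PUBLIC-to-LAN
pass
class class-default
drop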
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
! --- Control-plane policing: SSH/telnet/ICMP aimed at the router are limited to
! 32 kbit/s (cir in bit/s); everything else (class-default) is left unpoliced.
policy-map CoPP_policy
class CoPP_traffic
police cir 32000
conform-action transmit
exceed-action drop
! --- Security zones and zone-pairs (inspect policies defined in the previous section) ---
zone security LAN
description LAN
zone security PUBLIC
description PUBLIC
zone-pair security LAN-to-PUBLIC source LAN destination PUBLIC
description source LAN destination PUBLIC
service-policy type inspect LAN-to-PUBLIC
zone-pair security PUBLIC-to-LAN source PUBLIC destination LAN
description source PUBLIC destination LAN
service-policy type inspect PUBLIC-to-LAN
! NOTE(review): no zone-pair involves the self zone, so traffic to and from the
! router itself is not inspected by ZBFW; it is covered only by the interface
! ACLs and by CoPP_policy.
! --- WAN interface (see the network diagram in the header) ---
interface FastEthernet0/0
description WAN
ip address 172.16.0.100 255.255.255.0
! Anti-spoofing / bogon filter, defined in the last section.
ip access-group no_LAN_IP_from_WAN in
! No redirects, unreachables or proxy-ARP towards the WAN.
no ip redirects
no ip unreachables
no ip proxy-arp
! Traffic visibility: IP and MAC accounting, NBAR discovery, NetFlow cache ("ip route-cache flow").
ip accounting output-packets
ip accounting mac-address input
ip accounting mac-address output
ip nbar protocol-discovery
ip nat outside
! Virtual fragment reassembly on the interface.
ip virtual-reassembly
zone-member security PUBLIC
ip route-cache flow
duplex auto
speed auto
no shut
! --- LAN interface ---
interface FastEthernet0/1
description LAN
ip address 10.10.10.1 255.255.255.0
! Only LAN-sourced packets and DHCP discovers are accepted (ACL LAN below).
ip access-group LAN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting mac-address input
ip accounting mac-address output
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
zone-member security LAN
ip route-cache flow
duplex auto
speed auto
! ARP hardening: "arp authorized" accepts only entries installed from DHCP bindings
! ("update arp" in pool LAN), probed every 10 s up to 3 times, aged out after 3600 s.
! Consequence (from the feature list): after a reload every client must re-DHCP.
arp probe interval 10 count 3
arp authorized
arp timeout 3600
no shut
ip forward-protocol nd
! Default route via the upstream gateway on the WAN segment.
ip route 0.0.0.0 0.0.0.0 172.16.0.1
! NetFlow top-20 talkers by bytes; cache-timeout is in milliseconds (1 h).
ip flow-top-talkers
top 20
sort-by bytes
cache-timeout 3600000
! No HTTP/HTTPS management interface.
no ip http server
no ip http secure-server
! PAT: everything matching ACL LAN is translated behind the Fa0/0 address.
ip nat inside source list LAN interface FastEthernet0/0 overload
! Traffic to the router that CoPP_policy polices.
ip access-list extended CoPP_traffic
! NOTE(review): telnet is listed although the vty lines accept only ssh
! (last section); harmless, but stale.
permit tcp any any eq telnet
permit tcp any any eq 22
permit icmp any any
! LAN ingress filter; also reused as the NAT inside source list above.
ip access-list extended LAN
remark LAN addresses allowed
permit ip 10.10.10.0 0.0.0.255 any
remark DHCP requests allowed
permit udp host 0.0.0.0 host 255.255.255.255 range bootps bootpc
!
! and stop here - then paste to the router
! ----------------------------------------
! Copy from here
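! --- PUBLIC -> LAN traffic the ZBFW passes statelessly (class PUBLIC-to-LAN) ---
! VPN pass-through (GRE/ESP/ISAKMP), the ICMP types needed by PMTUD and
! traceroute, DHCP client replies (only relevant if Fa0/0 were addressed by
! DHCP) and DNS answers.
! NOTE(review): "pass" keeps no session state, so the echo-reply and source-port-53
! entries admit any packet of that shape; return traffic of sessions inspected by
! LAN-to-PUBLIC is allowed by the inspect state anyway, so confirm these two are
! still wanted for flows the router did not inspect.
ip access-list extended WAN_hardening
permit gre any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit icmp any any administratively-prohibited
permit udp any any eq bootpc
permit udp any eq domain any
deny ip any any
! --- Anti-spoofing / bogon filter applied inbound on the WAN interface ---
ip access-list extended no_LAN_IP_from_WAN
remark No LAN IPs from the WAN allowed
deny ip 10.10.10.0 0.0.0.255 any
remark Directly connected WAN segment (see network diagram) must stay reachable:
remark the upstream gateway 172.16.0.1 sources ICMP errors (PMTUD, traceroute)
remark that the 172.16/12 deny below would otherwise drop. Adjust with the Fa0/0 address.
permit ip 172.16.0.0 0.0.0.255 any
remark No private IPs from the WAN allowed
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
remark Link-local is 169.254.0.0/16 (the original 169.0.0.0/8 also dropped public space)
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark Multicast and reserved (240/4) sources
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
deny ip host 255.255.255.255 any
remark The rest will be checked by Zone Based Firewall
permit ip any any
! --- Internet reachability probes (watched by track 1 / track 2 in section 2) ---
! Probe 1: ICMP echo to 8.8.8.8 every 30 s.
ip sla 1
icmp-echo 8.8.8.8
frequency 30
ip sla schedule 1 start-time now life forever
! Probe 2: DNS resolution of the NTP server name through 8.8.8.8 every 30 s,
! so a working path with broken DNS is detected as well.
ip sla 2
dns ntp.ubuntu.com name-server 8.8.8.8
frequency 30
ip sla schedule 2 start-time now life forever
! No CDP advertisements (topology disclosure on the WAN side).
no cdp run
! Attach the control-plane policy.
control-plane
service-policy input CoPP_policy
! --- Console / aux / vty ---
! NOTE(review): "exec-timeout 0 0" disables the idle timeout on console and aux and
! "privilege level 15" lands straight in enable mode. Convenient on a SOHO box, but
! an unattended console/aux session stays open indefinitely - consider
! "exec-timeout 10 0" (and "no exec" on aux if the port is unused).
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
! Remote management: SSH only, 5 min idle timeout.
! NOTE(review): "transport output all" lets a logged-in user open telnet sessions
! from the router; "transport output ssh" would be tighter.
line vty 0 4
exec-timeout 5 0
transport input ssh
transport output all
! Time sync for the log timestamps. The original "ntp clock-period 17179978" line was
! dropped: IOS computes and writes that value itself, and its documentation marks
! the command as informational only, not to be entered by hand.
! NOTE(review): single, unauthenticated NTP source. 91.189.94.4 is presumably meant
! to be ntp.ubuntu.com (the name probed by ip sla 2) - confirm, it may change.
ntp server 91.189.94.4
! --- EEM: one SYSLOG line per tracker transition. The messages name the probe so
! the log shows whether ICMP (track 1) or DNS (track 2) changed state; the original
! text was identical for both applets and could not be told apart. ---
event manager applet Internet_access_tracker_1_down
event track 1 state down
action 1.0 syslog msg "Possible Internet access outage or WAN link overload (track 1: ICMP echo to 8.8.8.8 failed)"
event manager applet Internet_access_tracker_2_down
event track 2 state down
action 1.0 syslog msg "Possible Internet access outage or WAN link overload (track 2: DNS via 8.8.8.8 failed)"
event manager applet Internet_access_tracker_1_up
event track 1 state up
action 1.0 syslog msg "Internet access came back or utilisation fell back (track 1: ICMP echo to 8.8.8.8 OK)"
event manager applet Internet_access_tracker_2_up
event track 2 state up
action 1.0 syslog msg "Internet access came back or utilisation fell back (track 2: DNS via 8.8.8.8 OK)"
end
! Save the configuration
wr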
!
! and stop here - then paste to the router