Cisco 827/827H/837 Business Configuration

This recipe is designed for those Cisco 827s that have the firewall and VPN feature set. PPTP is enabled so that remote users can VPN in. It is similar to the PPTP configuration, but is much more restrictive in the kinds of traffic that can be generated on the LAN: generally only WWW and FTP requests are allowed out, and POP3 and SMTP traffic is restricted to nominated servers, which is the tighter control most businesses want. SNTP is enabled to synchronise the time on the router.

This config should generally be used by more experienced engineers/installers, as it is more difficult to modify.

Gotcha #1: PPTP will NOT work if the user has the same local network numbering as the networking they are trying to VPN into. For example, if they use 192.168.1.x at home, then PPTP will NOT work if the network they are trying to VPN into also uses 192.168.1.x. Make sure they are different!
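A quick way to catch Gotcha #1 before a remote user reports that "the VPN connects but nothing works" is to compare their home subnet against every subnet the router owns: the Ethernet LAN, the loopback used by the virtual template, and the PPTP address pool. The script below is an added example, not part of the IFM template; it reads the relevant lines out of a constructed snippet of the configuration (`ROUTER_CONFIG`, copied from the template further down) so the check stays in step with whatever addresses are actually configured.

```python
import ipaddress

# Router-side address lines, copied from the template below into a constructed
# snippet so the script runs stand-alone. Feed it the real running-config instead.
ROUTER_CONFIG = """
interface Loopback0
  ip address 192.168.3.254 255.255.255.0
interface Ethernet0
  ip address 192.168.2.254 255.255.255.0
ip local pool pptp 192.168.3.1 192.168.3.253
"""


def router_networks(config_text):
    """Collect every subnet the router owns: interface subnets plus the PPTP pool."""
    nets = []
    for line in config_text.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) == 4:
            # "ip address <addr> <mask>" -> the interface's subnet
            nets.append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[:3] == ["ip", "local", "pool"] and len(t) == 6:
            # "ip local pool <name> <first> <last>" -> cover the range with CIDR blocks
            first, last = ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5])
            nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def conflicting_networks(home_subnet, config_text):
    """Return the router-side networks that overlap the remote user's home LAN.
    An empty list means the PPTP client can route to the office without ambiguity."""
    home = ipaddress.ip_network(home_subnet, strict=False)
    return [n for n in router_networks(config_text) if n.overlaps(home)]


if __name__ == "__main__":
    for candidate in ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"):
        clash = conflicting_networks(candidate, ROUTER_CONFIG)
        verdict = "OK" if not clash else "CLASHES with " + ", ".join(map(str, clash))
        print(f"home LAN {candidate}: {verdict}")
```

The loopback and pool subnet (192.168.3.0/24) matter as much as the LAN: a home network numbered 192.168.3.x would swallow the address the client is handed by `peer default ip address pool pptp`.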

Gotcha #2: This configuration will NOT work on most 12.2(2) IOS images, or early 12.2(1) IOS images. Check our recommended software versions.

To use this configuration, download the template file, 827_business_nz.tpl, and use Cisco FastStep to install it. After installing the template, you need to use HyperTerminal to add some user accounts. This is done with the following commands:

                enable
                config terminal
                username <username> password <password>
                … repeat to create as many users as required …
                CTRL-Z
                copy running-config startup-config
                

A configuration created with this template will look something like:

                no service pad
                service timestamps debug datetime localtime
                service timestamps log datetime localtime
                service password-encryption
                !
                hostname router
                !
                logging buffered 4096 debugging
                !
                username <user 1> password <password 1>
                username <user 2> password <password 2>
                username <user 3> password <password 3>
                !
                !
                ip subnet-zero
                ip name-server 202.37.245.17
                ip name-server 202.37.245.20
                ip dhcp excluded-address 192.168.2.1 192.168.2.99
                ip dhcp excluded-address 192.168.2.254
                !
                ip dhcp pool dhcppool
                  import all
                  network 192.168.2.0 255.255.255.0
                  default-router 192.168.2.254
                !
                vpdn enable
                !
                vpdn-group pptp
                  ! Default PPTP VPDN group
                  accept-dialin
                    protocol pptp
                    virtual-template 1
                !
                clock timezone NZST 12
                clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
                !
                ip inspect name Dialer_0 tcp
                ip inspect name Dialer_0 udp
                ip inspect name Dialer_0 cuseeme
                ip inspect name Dialer_0 ftp
                ip inspect name Dialer_0 h323
                ip inspect name Dialer_0 rcmd
                ip inspect name Dialer_0 realaudio
                ip inspect name Dialer_0 streamworks
                ip inspect name Dialer_0 vdolive
                ip inspect name Dialer_0 sqlnet
                ip inspect name Dialer_0 tftp
                !
                interface Loopback0
                  ip address 192.168.3.254 255.255.255.0
                !
                interface Ethernet0
                  ip address 192.168.2.254 255.255.255.0
                  ip access-group 102 in
                  ip nat inside
                !
                interface Virtual-Template1
                  ip unnumbered Loopback0
                  peer default ip address pool pptp
                  ppp encrypt mppe 40
                  ppp authentication ms-chap
                !
                interface ATM0
                  no ip address
                  no atm ilmi-keepalive
                  dsl operating-mode auto
                !
                interface ATM0.1 point-to-point
                  pvc 0/100
                    encapsulation aal5mux ppp dialer
                    dialer pool-member 1
                !
                interface Dialer0
                  bandwidth 640
                  ip address negotiated
                  ip inspect Dialer_0 out
                  ip access-group 101 in
                  no ip redirects
                  no ip unreachables
                  ip nat outside
                  encapsulation ppp
                  dialer pool 1
                  dialer-group 1
                  ppp pap sent-username <username> password <password>
                  ppp ipcp dns request
                  no cdp enable
                !
                ip nat inside source list 1 interface Dialer0 overload
                ip local pool pptp 192.168.3.1 192.168.3.253
                ip classless
                ip route 0.0.0.0 0.0.0.0 Dialer0
                no ip http server
                !
                banner motd |Original config (c)IFM NZ Ltd sales@ifm.net.nz, prepared by IFM NZ Ltd/pid@ifm.net.nz|
                !
                line vty 0 4
                  access-class 1 in
                !
                access-list 1 remark The local LAN.
                access-list 1 permit 192.168.2.0 0.0.0.255
                !
                access-list 101 remark Traffic allowed to enter the router from Internet
                access-list 101 deny ip 10.0.0.0 0.255.255.255 any
                access-list 101 deny ip 172.16.0.0 0.15.255.255 any
                access-list 101 deny ip 192.168.0.0 0.0.255.255 any
                access-list 101 deny ip any host 255.255.255.255
                access-list 101 permit udp any eq isakmp any eq isakmp
                access-list 101 permit tcp any any eq 1723
                access-list 101 permit gre any any
                access-list 101 permit udp host 130.123.128.253 any eq 123
                access-list 101 permit udp host 207.46.226.34 any eq 123
                access-list 101 permit udp host 202.37.245.17 eq 53 any
                access-list 101 permit udp host 202.37.245.20 eq 53 any
                access-list 101 permit icmp any any unreachable
                access-list 101 permit icmp any any echo-reply
                access-list 101 permit icmp any any packet-too-big
                access-list 101 permit icmp any any time-exceeded
                access-list 101 permit icmp any any traceroute
                access-list 101 permit icmp any any administratively-prohibited
                access-list 101 deny ip any any log
                !
                access-list 102 remark Traffic allowed to enter the router from the Ethernet
                access-list 102 remark Prevent TFTP traffic
                access-list 102 deny udp any any eq tftp
                access-list 102 remark DHCP traffic
                access-list 102 permit ip any host 255.255.255.255
                access-list 102 remark ICMP Traffic
                access-list 102 permit icmp 192.168.2.0 0.0.0.255 any unreachable
                access-list 102 permit icmp 192.168.2.0 0.0.0.255 any echo
                access-list 102 permit icmp 192.168.2.0 0.0.0.255 any echo-reply
                access-list 102 permit icmp 192.168.2.0 0.0.0.255 any packet-too-big
                access-list 102 permit icmp 192.168.2.0 0.0.0.255 any time-exceeded
                access-list 102 permit icmp 192.168.2.0 0.0.0.255 any traceroute
                access-list 102 permit icmp 192.168.2.0 0.0.0.255 any administratively-prohibited
                access-list 102 remark DNS traffic
                access-list 102 permit udp 192.168.2.0 0.0.0.255 any eq 53
                access-list 102 permit tcp 192.168.2.0 0.0.0.255 any eq 53
                access-list 102 remark E-mail traffic 
                access-list 102 permit tcp 192.168.2.0 0.0.0.255 host <pop3 server IP> eq pop3
                access-list 102 permit tcp 192.168.2.0 0.0.0.255 host <smtp server IP> eq smtp
                access-list 102 remark WWW and FTP Browsing
                access-list 102 permit tcp 192.168.2.0 0.0.0.255 any eq www
                access-list 102 permit tcp 192.168.2.0 0.0.0.255 any eq ftp
                access-list 102 deny ip any any log
                !
                dialer-list 1 protocol ip permit
                !
                sntp server 130.123.128.253
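
The two extended access lists are where the "business" restrictions actually live: ACL 102 on Ethernet0 decides what the LAN may send out, and ACL 101 on Dialer0 decides what the Internet may send in unsolicited (CBAC, via `ip inspect Dialer_0 out`, opens temporary holes in 101 for the return half of inspected sessions, so 101 only has to cover traffic nobody on the LAN asked for). The Python script below is an added example and not part of the IFM template or of IOS: it parses the access-list lines above and walks them top-down the way IOS does, first match wins, implicit deny at the end. The `<pop3 server IP>` and `<smtp server IP>` placeholders are filled with constructed documentation addresses 203.0.113.10 and 203.0.113.25, and the sample packets use constructed addresses as well.

```python
import ipaddress

# Port names IOS accepts in place of numbers (only those this template uses)
PORTS = {"www": 80, "ftp": 21, "pop3": 110, "smtp": 25, "tftp": 69,
         "domain": 53, "isakmp": 500, "ntp": 123}

# ACL 102 (inbound on Ethernet0) and an excerpt of ACL 101 (inbound on Dialer0),
# copied from the template. <pop3 server IP> / <smtp server IP> are replaced with
# constructed documentation addresses (203.0.113.x) so the example runs as-is.
ACL_TEXT = """
access-list 101 remark Traffic allowed to enter the router from Internet
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit udp host 202.37.245.17 eq 53 any
access-list 101 permit udp host 202.37.245.20 eq 53 any
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 deny udp any any eq tftp
access-list 102 permit ip any host 255.255.255.255
access-list 102 permit icmp 192.168.2.0 0.0.0.255 any echo
access-list 102 permit udp 192.168.2.0 0.0.0.255 any eq 53
access-list 102 permit tcp 192.168.2.0 0.0.0.255 any eq 53
access-list 102 permit tcp 192.168.2.0 0.0.0.255 host 203.0.113.10 eq pop3
access-list 102 permit tcp 192.168.2.0 0.0.0.255 host 203.0.113.25 eq smtp
access-list 102 permit tcp 192.168.2.0 0.0.0.255 any eq www
access-list 102 permit tcp 192.168.2.0 0.0.0.255 any eq ftp
access-list 102 deny ip any any log
"""


def _addr_spec(tokens, i):
    """Parse one IOS address spec into (network, wildcard) ints; return it and the next index."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    return (net, wild), i + 2


def _port_spec(tokens, i):
    """Parse an optional 'eq <port>' qualifier; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORTS[name] if name in PORTS else int(name)), i + 2
    return None, i


def parse_acl(text, number):
    """Return the entries of one numbered ACL, in order, as
    (permit, proto, src, sport, dst, dport, icmp_type) tuples; remarks are skipped."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != str(number) or t[2] == "remark":
            continue
        permit, proto = t[2] == "permit", t[3]
        src, i = _addr_spec(t, 4)
        sport, i = _port_spec(t, i)
        dst, i = _addr_spec(t, i)
        dport, i = _port_spec(t, i)
        icmp_type = t[i] if proto == "icmp" and i < len(t) and t[i] != "log" else None
        entries.append((permit, proto, src, sport, dst, dport, icmp_type))
    return entries


def _matches(spec, ip):
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    return ((int(ipaddress.ip_address(ip)) ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(entries, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """Walk the ACL top-down as IOS does: the first matching entry decides,
    and a packet that matches nothing hits the implicit deny at the end."""
    for permit, p, s, sp, d, dp, it in entries:
        if p != "ip" and p != proto:
            continue
        if not (_matches(s, src) and _matches(d, dst)):
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        if it is not None and it != icmp_type:
            continue
        return "permit" if permit else "deny"
    return "deny"


if __name__ == "__main__":
    lan, internet = parse_acl(ACL_TEXT, 102), parse_acl(ACL_TEXT, 101)
    checks = [
        ("LAN host browsing", lan, ("tcp", "192.168.2.10", "198.51.100.5"), {"dport": 80}),
        ("LAN host to a non-nominated SMTP server", lan, ("tcp", "192.168.2.10", "198.51.100.5"), {"dport": 25}),
        ("LAN host to the nominated SMTP server", lan, ("tcp", "192.168.2.10", "203.0.113.25"), {"dport": 25}),
        ("Internet host opening a PPTP session", internet, ("tcp", "198.51.100.7", "203.0.113.1"), {"dport": 1723}),
        ("Same, but from an RFC 1918 source", internet, ("tcp", "192.168.77.1", "203.0.113.1"), {"dport": 1723}),
    ]
    for label, acl, pkt, extra in checks:
        print(f"{label}: {evaluate(acl, *pkt, **extra)}")
```

Running it shows the policy in the introduction as concrete verdicts: port 80 to anywhere is permitted, port 25 is permitted only to the nominated host, and a PPTP connection attempt is accepted from a public address but dropped if its source claims an RFC 1918 address, which is what the three `deny` lines at the top of ACL 101 are for. The `log` keyword on the final `deny ip any any` is what makes those drops show up in `logging buffered`, so the parser tolerates it but does not treat it as a match condition.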
                

Cisco Systems Partner - Premier Certified