Cisco 827/827H/SOHO97/837 Firewall Configuration

This recipe is designed for those Cisco 827’s that have the firewall and VPN feature set. Most Cisco 827’s in NZ should be using this configuration.

Recommendation: Take special note of the versions and memory requirements of the software we recommend.

To use this configuration, download the template file, 827_fw_nz.tpl, and use Cisco FastStep to install it.

A configuration created with this template will look something like:

                    no service pad
                    service timestamps debug uptime
                    service timestamps log uptime
                    service password-encryption
                    !
                    hostname router
                    !
                    logging buffered 4096 debugging
                    !
                    !
                    !
                    ip subnet-zero
                    ! This prevents the DHCP server from allocating these addresses. If you have any static IP
                    ! devices (printers, servers, etc), make their addresses 192.168.1.1 to 192.168.1.100.
                    ip dhcp excluded-address 192.168.1.1 192.168.1.100
                    ip dhcp excluded-address 192.168.1.254
                    !
                    ! This enables the DHCP server on interfaces in the
                    ! network 192.168.1.0/24 – the Ethernet interface.
                    ip dhcp pool dhcppool
                      import all
                      network 192.168.1.0 255.255.255.0
                      default-router 192.168.1.254
                      !
                    !
                    ! For those people who actually set their routers time; this causes it to be
                    ! displayed in local NZ time.
                    clock timezone NZST 12
                    clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
                    !
                    ! This is the firewall inspection rules. It tells the router what traffic to take
                    ! a closer look at.
                    ip inspect name Dialer_0 tcp
                    ip inspect name Dialer_0 udp
                    ip inspect name Dialer_0 cuseeme
                    ip inspect name Dialer_0 ftp
                    ip inspect name Dialer_0 h323
                    ip inspect name Dialer_0 rcmd
                    ip inspect name Dialer_0 realaudio
                    ip inspect name Dialer_0 streamworks
                    ip inspect name Dialer_0 vdolive
                    ip inspect name Dialer_0 sqlnet
                    ip inspect name Dialer_0 tftp
                    !
                    !
                    interface Ethernet0
                      ip address 192.168.1.254 255.255.255.0
                      ip access-group 102 in
                      ip nat inside
                    !
                    interface ATM0
                      no ip address
                      no atm ilmi-keepalive
                      dsl operating-mode auto
                    !
                    interface ATM0.1 point-to-point
                      pvc 0/100
                      encapsulation aal5mux ppp dialer
                      dialer pool-member 1
                    !
                    interface Dialer0
                      bandwidth 640
                      ip address negotiated
                      ip inspect Dialer_0 out
                      ip access-group 101 in
                      no ip redirects
                      no ip unreachables
                      ip nat outside
                      encapsulation ppp
                      dialer pool 1
                      dialer-group 1
                      ppp pap sent-username <username>
                      password <password>
                      ppp ipcp dns request
                      no cdp enable
                    !
                    ip nat inside source list 1 interface Dialer0 overload
                    ip classless
                    ip route 0.0.0.0 0.0.0.0 Dialer0
                    no ip http server
                    !
                    banner motd |Original config (c)IFM Ltd sales@ifm.net.nz, prepared by IFM Ltd/sales@ifm.net.nz|
                    !
                    ! This is for telnet.  It is disabled by default.  Once enabled, access is
                    ! restricted to traffic coming in via the Ethernet interface.
                    line vty 0 4
                      ! This restricts where the telnet traffic can come from.
                      access-class 1 in
                      ! Add the below line to enable telnet.
                      ! password <password>
                      exit
                    !
                    ! This defines traffic that is considered local to the LAN
                    access-list 1 remark The local LAN.
                    access-list 1 permit 192.168.1.0 0.0.0.255
                    !
                    ! This controls what is allowed to come in from the Internet.
                    ! All private IP addresses are blocked, tunnel traffic is allowed through, and
                    ! ping/traceroute/MTU discovery traffic is allowed through.
                    access-list 101 remark Traffic allowed to enter the router from Internet
                    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
                    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
                    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
                    access-list 101 deny ip any host 255.255.255.255
                    access-list 101 permit udp any eq isakmp any eq isakmp
                    access-list 101 permit gre any any
                    access-list 101 permit icmp any any unreachable
                    access-list 101 permit icmp any any echo-reply
                    access-list 101 permit icmp any any packet-too-big
                    access-list 101 permit icmp any any time-exceeded
                    access-list 101 permit icmp any any traceroute
                    access-list 101 permit icmp any any administratively-prohibited
                    access-list 101 permit icmp any any echo
                    access-list 101 deny ip any any log
                    !
                    ! This controls what traffic is allow to go to the Internet from the local LAN.
                    ! TFTP is blocked (to stop NIMDA and the like).
                    ! Only traffic with a valid local IP is allowed through.
                    access-list 102 remark Traffic allowed to enter the router from the Ethernet
                    access-list 102 deny udp any any eq tftp
                    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
                    access-list 102 permit ip any host 192.168.1.254
                    access-list 102 permit ip any host 255.255.255.255
                    access-list 102 deny ip any any log
                    !
                    dialer-list 1 protocol ip permit
                    

Cisco Systems Partner - Premier Certified