Cisco 827/827H/SOHO97/837 Firewall Configuration
This recipe is designed for those Cisco 827’s that have the firewall and VPN feature set. Most Cisco 827’s in NZ should be using this configuration.
Recommendation: Take special note of the versions and memory requirements of the software we recommend.
To use this configuration, download the template file, 827_fw_nz.tpl, and use Cisco FastStep to install it.
A configuration created with this template will look something like:
no service pad service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname router ! logging buffered 4096 debugging ! ! ! ip subnet-zero ! This prevents the DHCP server from allocating these addresses. If you have any static IP ! devices (printers, servers, etc), make their addresses 192.168.1.1 to 192.168.1.100. ip dhcp excluded-address 192.168.1.1 192.168.1.100 ip dhcp excluded-address 192.168.1.254 ! ! This enables the DHCP server on interfaces in the ! network 192.168.1.0/24 – the Ethernet interface. ip dhcp pool dhcppool import all network 192.168.1.0 255.255.255.0 default-router 192.168.1.254 ! ! ! For those people who actually set their routers time; this causes it to be ! displayed in local NZ time. clock timezone NZST 12 clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00 ! ! This is the firewall inspection rules. It tells the router what traffic to take ! a closer look at. ip inspect name Dialer_0 tcp ip inspect name Dialer_0 udp ip inspect name Dialer_0 cuseeme ip inspect name Dialer_0 ftp ip inspect name Dialer_0 h323 ip inspect name Dialer_0 rcmd ip inspect name Dialer_0 realaudio ip inspect name Dialer_0 streamworks ip inspect name Dialer_0 vdolive ip inspect name Dialer_0 sqlnet ip inspect name Dialer_0 tftp ! ! interface Ethernet0 ip address 192.168.1.254 255.255.255.0 ip access-group 102 in ip nat inside ! interface ATM0 no ip address no atm ilmi-keepalive dsl operating-mode auto ! interface ATM0.1 point-to-point pvc 0/100 encapsulation aal5mux ppp dialer dialer pool-member 1 ! interface Dialer0 bandwidth 640 ip address negotiated ip inspect Dialer_0 out ip access-group 101 in no ip redirects no ip unreachables ip nat outside encapsulation ppp dialer pool 1 dialer-group 1 ppp pap sent-username <username> password <password> ppp ipcp dns request no cdp enable ! ip nat inside source list 1 interface Dialer0 overload ip classless ip route 0.0.0.0 0.0.0.0 Dialer0 no ip http server ! banner motd |Original config (c)IFM Ltd firstname.lastname@example.org, prepared by IFM Ltdemail@example.com| ! ! This is for telnet. It is disabled by default. Once enabled, access is ! restricted to traffic coming in via the Ethernet interface. line vty 0 4 ! This restricts where the telnet traffic can come from. access-class 1 in ! Add the below line to enable telnet. ! password <password> exit ! ! This defines traffic that is considered local to the LAN access-list 1 remark The local LAN. access-list 1 permit 192.168.1.0 0.0.0.255 ! ! This controls what is allowed to come in from the Internet. ! All private IP addresses are blocked, tunnel traffic is allowed through, and ! ping/traceroute/MTU discovery traffic is allowed through. access-list 101 remark Traffic allowed to enter the router from Internet access-list 101 deny ip 10.0.0.0 0.255.255.255 any access-list 101 deny ip 172.16.0.0 0.15.255.255 any access-list 101 deny ip 192.168.0.0 0.0.255.255 any access-list 101 deny ip any host 255.255.255.255 access-list 101 permit udp any eq isakmp any eq isakmp access-list 101 permit gre any any access-list 101 permit icmp any any unreachable access-list 101 permit icmp any any echo-reply access-list 101 permit icmp any any packet-too-big access-list 101 permit icmp any any time-exceeded access-list 101 permit icmp any any traceroute access-list 101 permit icmp any any administratively-prohibited access-list 101 permit icmp any any echo access-list 101 deny ip any any log ! ! This controls what traffic is allow to go to the Internet from the local LAN. ! TFTP is blocked (to stop NIMDA and the like). ! Only traffic with a valid local IP is allowed through. access-list 102 remark Traffic allowed to enter the router from the Ethernet access-list 102 deny udp any any eq tftp access-list 102 permit ip 192.168.1.0 0.0.0.255 any access-list 102 permit ip any host 192.168.1.254 access-list 102 permit ip any host 255.255.255.255 access-list 102 deny ip any any log ! dialer-list 1 protocol ip permit